With great convenience comes great responsibility. QR codes have opened up a whole new world of ease for consumers and businesses. But as with any new tech, scammers are exploiting the growing market to take advantage of consumers.
Uniqode analyzed resources from the FBI and the Federal Trade Commission to compile a list of tips on staying safe when using QR codes in public.
QR codes are the now-ubiquitous, black-and-white-patterned squares that can be scanned to access a hyperlink on your phone’s web browser. Now, almost annually, the FBI has issued consumer warnings that criminals are leveraging QR codes to steal sensitive information.
The rise of QR codes for contactless exchanges during the COVID-19 pandemic made the technology all the more appealing for criminals, according to cybersecurity firm Trellix.
More than a third of smartphone users scanned a QR code in 2022, a share expected to rise to 42.6% by 2025, according to data forecaster eMarketer.
The public adoption of QR codes and their cost-saving potential for businesses has helped keep them around long after pandemic safety measures faded away.
But a little vigilance can go a long way for consumers using these web portals. One QR code scheme commonly reported is a version of package delivery scams often sent via text message.
In this case, a potential victim receives a message that appears to come from FedEx or another reputable company directing them to scan a QR code to check on the status of their package delivery.
Instead of reaching the company's real website, the user lands on a convincing fake. Any username and password submitted to the fake page goes straight to the bad actors, who can use it to access sensitive information.
What is quishing?
QR codes are also easy and cheap to generate with a phone or computer. The FBI reported about $150 million in losses attributable to QR code scams in the last year, sometimes referred to as “quishing.”
The practice, in spirit, is the same as “phishing,” where a criminal attempts to dupe their victim into revealing personal information that can be used to illicitly access sensitive platforms like banking and email accounts.
In a quishing scheme, the criminal reaches you not with a shady link in an email or text message but with a hyperlink that the QR code places in your phone's browser the moment you scan it.
Retail payment dupes
Numerous scams have been reported in which hackers place fake, malicious QR codes on parking meters, restaurant menus, advertisements, and other common locations for digital payments. Sometimes, these methods can also steal credit card information stored on the phone used to scan the code.
Whenever you scan a QR code with your phone camera, a preview of the link will usually show up on your screen. Ensure the link looks like an official, secure website a legitimate business would host.
For example, the standard protocol for secure websites requires that they begin with the string “https://” with the “s” standing for “secure.” That prefix only means the connection is encrypted; a fake page can use https too, so also check that the domain name in the preview is the company's real one.
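As an added illustration of the link check described above (this code is not part of the original article), a small Python triage function that flags the usual warning signs in a URL decoded from a QR code. The `expected_domain` argument, the shortener list and the sample URLs are assumptions constructed for the example.

```python
"""Triage a URL decoded from a QR code before tapping it (added example)."""
import ipaddress
from urllib.parse import urlsplit

# A few well-known link shorteners; a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def triage_qr_url(url: str, expected_domain: str) -> list[str]:
    """Return a list of warnings; an empty list means nothing suspicious was found.

    expected_domain is the registrable domain the message claims to come from,
    e.g. "fedex.com" for a package-delivery notice.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme or 'missing'!r})")
    if parts.username is not None:
        # "https://fedex.com@evil.example/" really goes to evil.example
        warnings.append("URL contains user@ before the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a company domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (foreign characters that can mimic letters)")
    if host in SHORTENERS:
        warnings.append("shortened link hides the real destination")
    # The host must be the expected domain or a subdomain of it.
    if not (host == expected or host.endswith("." + expected)):
        if expected in host or expected.split(".")[0] in host:
            warnings.append(f"looks like {expected} but is really {host}")
        else:
            warnings.append(f"host {host} is not {expected}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as a delivery notice claiming to be FedEx might carry.
    for sample in ("https://www.fedex.com/tracking",
                   "http://fedex.com.tracking-update.example/login",
                   "https://fedex.com@evil.example/"):
        print(sample, "->", triage_qr_url(sample, "fedex.com") or ["looks ok"])
```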
“QRLJacking”
Another form of attack commonly seen by cybersecurity firms has been dubbed QRLJacking. In this scheme, the victim receives a message containing a QR code urging them to log in to a platform the victim already uses. When the victim logs in, they enter their credentials into a fake version of a seemingly legitimate site, giving the attacker access to their actual account.
As a technology, QR codes allow users to move very quickly to the point of purchase. Remember to slow down and assess the situation.
If you receive an unexpected notification with an accompanying QR code via text message or email, be wary of any instructions urging you to act quickly. Cybercriminals commonly employ urgency tactics because they create uncertainty and rushed decisions, the psychological conditions that make it easier for a victim to make a mistake such as entering personal information into a webpage without thinking twice.
Secondhand transactions
While QR codes are convenient for businesses handling many transactions, their benefits don’t outweigh the risks in a secondhand sale, where you are paying another individual directly.
Cybersecurity firm KeepNet reported a scam in which the victim was sent a malicious QR code during a Facebook Marketplace transaction.
Be wary of these, as navigating directly to a trusted payment platform like Zelle or PayPal may make the most sense. If you’re working in an industry particularly vulnerable to these scams, like finance or the energy sector, extra caution may be necessary.
The FBI recommends against downloading applications or making payments directly on sites linked to QR codes since they could potentially be malicious. Instead, navigate to the URL manually so that a payment can be made confidently on a trusted, known website, the agency recommends.
Fake scanning apps
Other scams involve phony QR code scanning applications that are themselves malicious software and can install malware on your phone.
Note that the camera app on most leading smartphones has a QR code scanning capability built in, so there’s generally no need to download an additional app.
Smartphones may be even more vulnerable to malicious phishing attempts because of the sheer amount of personal information stored on them.
Hackers are constantly seeking out vulnerabilities in software to exploit and steal personal information. By keeping your software up to date, you’ll ensure you have the latest version of your phone’s operating system, which carries the latest security fixes and is therefore the least exposed to these attacks.
Another safeguard is multifactor authentication, which provides an additional layer of security that can thwart all types of unauthorized users, including QR scammers. This feature is available for all leading email platforms, social networks, and reputable banks. After entering the password, the user must confirm their identity by logging in with a code or prompt on a separate device.
A criminal trying to steal personal information through a QR code may get login information, but they won’t be able to get past the multifactor authentication unless they also have access to the authenticating device.
Story editing by Alizah Salario. Additional editing by Elisa Huang. Copy editing by Tim Bruns. Photo selection by Clarese Moller.