Avoid QR Code Scams

While Quick Response (QR) codes have been around for over 25 years, their use in everyday life has become much more popular since the start of the pandemic. But are they always safe to scan?

Few people give a second thought when scanning a QR code at a restaurant to view a menu or enter credit card information to pay for their meal. Unfortunately, scammers recognize this opportunity and have started to take advantage of our trust in QR codes.

How do QR scams work?

Anyone can create a QR code by using free online tools. This makes QR codes easy for businesses to use — but it’s also easy for scammers to take advantage of them.

To create a QR code, businesses go to an online QR code generator and input the URL to which they want to send customers — a menu, login page, survey, or payment processor. QR code scams take advantage of the fact that the human eye can’t “read” a QR code — so we need to trust that the code is taking us to the right URL or doing what it’s supposed to do.

But because QR codes are so easy to create, scammers can replace legitimate ones with their own fraudulent codes. These "fake" QR codes redirect you to malicious websites designed to steal your sensitive information. Unbeknownst to you, you could be offering your information to a fake payment terminal or a convincing look-alike login screen.

How to help protect yourself from QR code fraud

• Once you scan a QR code, check the URL to make sure it is correct. A malicious URL may look very similar to the intended, legitimate one but with typos or misplaced letters.
• Do not assume that a site labeled as secure—indicated by a padlock icon shown to the left of a URL beginning with “https://”—is actually a legitimate site. An analysis conducted in 2018 found that almost 50% of phishing websites were using “secure” websites. That number is likely even higher now!
• Examine the website itself. Look for things like altered fonts, misaligned graphics, and overall poor quality.
• Avoid making payments or entering personal or financial information on a website navigated to through a scanned QR code. Instead, manually type a known and trusted URL.
• When scanning a physical QR code, make sure that it hasn’t been tampered with. For example, is the QR code printed on a sticker that has been placed over the original QR code?
• Do not download apps from a QR code.
• Do not download a QR code scanner app; it may increase your risk of downloading malware. (Most smartphones have a built-in scanner in their camera app.)

QR codes can be incredibly useful. But scammers are constantly looking for vulnerabilities in new technologies to steal your identity and commit fraud. Stay safe while scanning QR codes by following these recommendations and knowing the common QR code scams.