What is a QR Code Scam: 7 Methods Hackers Use to Scam You

Sep 26, 2024 | Crypto Scam Defense

The popularity of QR code scams continues to rise, with a 587% increase reported in 2023, according to Keepnet. These scams work because QR codes contain links that can lead to fake websites or trigger the download of malware, spyware, or even phishing attacks. 

Through a series of phishing and hacking attacks, scammers gain financial information and access to victims’ devices through fake QR codes. In this post, we’ll explain the most common QR code scams and how to protect yourself from each one.

What is a QR Code Scam?

A QR code scam occurs when a scammer creates a malicious QR code or replaces a legitimate one with it. Once scanned, the QR code directs the victim to a fake website, installs malware on their phone, or obtains unauthorized access to their financial or personal information, such as bank passwords, security PINs for crypto wallets, or credit card numbers.

Scammers use QR codes in different ways to access your personal information and commit fraud:

  • Leading you to phishing websites: Scammers can create fake websites that look similar to legitimate ones to trick you into sharing sensitive details like your name, payment information, or login credentials. Once submitted, this data is stolen and can be used for identity theft.
  • Installing malware on your device: When you scan a malicious QR code, harmful software such as malware, ransomware, or spyware can be installed on your device. This can allow scammers to monitor your activities, steal personal files, or lock your device until you pay to regain access.
  • Triggering unauthorized actions on your device: QR codes can do more than direct you to fake websites. Scammers can program them to initiate actions like sending emails from your account or sending payments, leading to potential financial loss or damage to your reputation.
  • Targeting Social Media Platforms: QR code hackers use fake QR codes to gain access to a user’s social media and monitor messages and posts. This gives them insights into your connections, allowing them to hack other profiles.
  • Blocking Essential Apps: Hackers can disable apps and system updates, preventing you from downloading necessary patches to protect your device.

According to Persuasion Nation, 84% of mobile users have scanned a QR code at least once because of the ease and quick access to files or media they offer, so hackers continue to use QR codes to scam people. But first, it’s important to know where these malicious QR codes can be found.

The 7 Most Common QR Code Scams

Even a legitimate-looking QR code could be dangerous if modified. The key here is to ensure the authenticity of the QR code by verifying its source before scanning. Here are some scenarios that scammers might use to convince you to scan a QR code with your phone:

1. Phishing Emails with Fake QR Codes

Scammers often send emails containing QR codes that supposedly provide access to documents, invoices, or photos. These codes typically lead to fraudulent websites designed to steal sensitive data.

  • Example: You might receive an email that appears to be from a trusted retailer like Amazon or Walmart, claiming a payment didn’t go through. The email instructs you to scan a QR code to complete the transaction, but any information you provide, such as credit card details, ends up in the hands of the scammer.

2. Fraudulent QR Codes in Physical Mail

Scammers sometimes include QR codes in junk mail, tempting you with offers of prizes, giveaways, or discounts. Scanning these codes typically directs you to malicious sites intended to collect your personal information.

  • Example: A piece of junk mail might offer great discounts on high-end products or promise a “guaranteed loan” with a limited-time offer. Scanning the QR code leads you to a fake website designed to steal your financial information.

3. QR Code Scams on Public Payment Stations

Scammers can replace legitimate QR codes in public spaces, such as on parking meters or payment stations. These fake codes lead victims to bogus payment pages, where their financial details are stolen.

  • Example: A fake QR code on a parking meter might redirect you to a fraudulent payment site. When you enter your payment details, they are sent to the scammers, who then use the information for unauthorized transactions.

4. Altered QR Codes at Restaurants

Many restaurants use QR codes for digital menus or contactless payments, which makes them a common target for scammers. Fraudsters can replace or tamper with these codes, redirecting you to phishing sites designed to steal your personal data.

  • Example: A fake QR code on a restaurant table may take you to a site that looks legitimate but is designed to capture your credit card information. If a QR code seems suspicious, it’s always best to check with the restaurant staff before proceeding.

5. Social Media Scams Involving QR Codes

Hackers often send QR codes through compromised social media accounts. Since these codes appear to come from a trusted friend, victims are more likely to scan them, potentially leading to phishing websites or other scams.

  • Example: A hacked social media account might send you a message like, “I found this photo of you!” with a QR code attached. Scanning it leads to a site designed to steal your personal information.

6. Fake QR Code Scanner Apps

Some scammers create fake QR code scanner apps that secretly install malware on your device. Once downloaded, these apps can give scammers access to your personal information, including banking log-in details.

  • Example: After installing a fake QR code scanner app, you might receive a prompt to update it. This update installs malware, such as a banking Trojan, which can steal your login information and access your financial accounts.

7. Cryptocurrency QR Code Scams

Scammers often use QR codes to trick people into fraudulent cryptocurrency schemes. These codes direct victims to fake payment platforms or investment opportunities, leading to financial losses.

  • Example: Scammers on social media or dating apps may promote a cryptocurrency investment that seems legitimate. The QR code they share links to a fake payment site, and once you transfer your money, the scammers disappear or ask for additional payments.

QR Code Scams 2023 to 2024: Recent Cases

QR codes are integrated into our daily lives, making it easy to access menus, download coupons, or take advantage of discounts. However, they’ve also become attractive opportunities for cybercriminals. Here are some notable QR code scams in 2023 to 2024 found in various industries:

1. Fraudulent Emails in the Energy Industry

In 2023, fraudulent emails targeted an energy company, according to Phishme Cofense. These emails contained a malicious QR code that directed users to a phishing site. This attack was designed to trick employees into revealing login credentials for secure systems, leading to compromised access to essential services.

2. Parking Lot Scam

In September 2024, a Florida resident fell victim to a parking lot scam after scanning a QR code meant for PayByPhone, according to USA Today. They paid $1.25, but shortly after, their bank alerted them to fraudulent activity on their account. Scammers had placed a fake QR code, redirecting payments to their own accounts instead of the legitimate parking service.

3. Phishing at the University of Washington

The University of Washington was the target of a phishing scam, according to an official notification. Students received fake emails claiming they needed to log in via QR codes to access important university resources. The fraudulent website collected their login details and used them for further attacks.

4. Singapore Government Phishing Incident

In Singapore, Municipal Services reported a large-scale QR code phishing attack, according to The Straits Times. Cybercriminals placed fake QR codes into official-looking documents, leading users to malicious sites where they were asked to input sensitive personal information.

How to Protect Yourself from QR Code Scams: 8 Useful Tips

To avoid falling victim to QR scams, it’s essential to take preventive measures so that you avoid scanning malicious QR codes. Here are some key tips to protect yourself:

1. Verify the Authenticity of the QR Code

Before scanning a QR code, always make sure it comes from a trustworthy source. Scammers often place malicious QR codes in public spaces like restaurants, cafés, or even on posters and flyers. If you are uncertain about the legitimacy of a QR code, it’s safer to avoid scanning it. If possible, ask a staff member or verify the source before proceeding.

  • Additional Tip: Be particularly cautious with codes found in unexpected or unusual places. For example, a QR code placed on a napkin holder or attached as a sticker to a public sign might be suspicious.

2. Visually Check the Code for Signs of Tampering

Always inspect the QR code before scanning to check for signs of tampering. Scammers typically place fake QR codes over legitimate ones, sometimes using stickers to replace or cover the original. If the code looks altered or poorly placed, it could be a scam.

  • Additional Tip: Look out for signs that the QR code has been swapped out. If the code appears to be on top of another or there’s residue from an old sticker, it’s best not to scan it.

3. Avoid Sharing Personal Information After Scanning

Be cautious if a QR code directs you to a website that asks for sensitive information like login credentials, payment details, or personal data. Verify that the website is legitimate by checking that the URL uses HTTPS, shows a security symbol, and has the domain name you expect, since HTTPS alone only means the connection is encrypted. If in doubt, avoid sharing any personal information.

  • Additional Tip: If the website seems unprofessional, contains grammatical errors, or looks suspicious in any way, it’s likely a phishing attempt. Always double-check for these warning signs before filling out any information.

4. Preview the URL Before Following the QR Code

Before fully accessing the link from the QR code, take a moment to preview the URL. Most devices will show the destination URL before you open it. Double-check that it looks legitimate and secure. If the URL is shortened or seems suspicious, it’s best to avoid it.

  • Additional Tip: In public settings, like a restaurant, you can ask a staff member to verify the legitimacy of the website the QR code directs you to, especially if the URL seems off.
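
The URL checks from tip 4, together with the action-triggering payloads described earlier, can be written as a small triage function for the text decoded from a QR code. This is an added example, not part of the original article; the shortener list, the action-scheme list, and the parking.example domain are constructed placeholders.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample lists (assumptions); extend them for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "wifi", "bitcoin", "ethereum"}


def review_qr_payload(payload, expected_domains=()):
    """Return a list of warning strings for text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["payload is not a parseable URL"]
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        # These payloads open the mail, SMS, dialer, Wi-Fi or wallet app.
        return [f"'{scheme}:' payload starts an action, not a web page"]
    if scheme not in ("http", "https"):
        return [f"unexpected payload type or scheme: {scheme or 'none'}"]
    warnings = []
    if scheme == "http":
        warnings.append("no HTTPS: connection is not encrypted")
    if not host:
        return warnings + ["URL has no host name"]
    if parts.username is not None:
        # In https://brand@other.example/ the site actually visited is other.example.
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate another domain")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        warnings.append(f"host {host} is not one of the expected domains")
    return warnings
```

An empty list means none of these checks fired; it does not prove the destination is legitimate.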

5. Check the Destination Site for Phishing Signs

Once you scan a QR code and it takes you to a website, inspect the page carefully. Phishing sites often have poor design, low-resolution images, and misspelled words. Also, make sure the URL begins with HTTPS and shows a padlock symbol, which indicates that the connection is encrypted. Phishing sites can use HTTPS too, so also confirm that the domain name is the one you expect.

  • Additional Tip: Be careful if the website asks for excessive information, such as your full address, credit card details, or phone number just to access basic services. Legitimate websites typically don’t require this level of personal information.

6. Be Cautious with QR Codes in Public Spaces or Mail

QR codes found in public areas or unsolicited mail can be tampered with by scammers, making them risky to scan. As a precaution, avoid scanning QR codes from unfamiliar or unexpected sources, especially if they offer deals or discounts that seem too good to be true.

  • Additional Tip: If the mail or message seems urgent or uses threatening language, such as “Act now or lose this offer”, it’s likely a scam. Take your time to verify the legitimacy of the offer by visiting the company’s official website.

7. Never Download Third-Party QR Code Scanning Apps

Your phone’s built-in camera is fully capable of scanning QR codes, so there is no need to download additional scanning apps. These third-party apps can often be malicious and may install malware on your device.

  • Additional Tip: Stick to apps from official sources, such as the Apple App Store or Google Play, and avoid downloading QR-related apps from unknown developers, as they can compromise your device.

8. Keep Your Device Updated with the Latest Security Patches

Regularly updating your phone ensures that it has the latest security features, protecting you from vulnerabilities that hackers may exploit. These updates often include important patches that fix security loopholes, making your device less susceptible to attacks.

  • Additional Tip: Much malware and many scams target outdated software with known vulnerabilities. By keeping your device updated, you reduce the risk of falling victim to such scams.

What Should You Do If a QR Code Has Compromised Your Device?

If you suspect a QR code has compromised your device, it’s crucial to act quickly to protect your data and identity. Here are some immediate steps you should take:

  • Change Passwords: Immediately change all passwords for accounts that might be affected.
  • Contact Financial Institutions: Alert your bank or credit card provider about the possibility of fraudulent activity, especially if you’ve noticed any signs of credit card fraud related to the scam.
  • Notify Authorities: Report the fraud to relevant cybersecurity organizations or local authorities.
  • Activate Identity Protection Services: Consider signing up for identity theft protection services to monitor any unauthorized use of your personal information.

Report Your Experience with QR Code Scams to CDN

According to Business Today, over 20,000 QR code scam cases were registered in India between 2017 and May 2023, accounting for 41% of fraud cases related to malicious links and card fraud. Additionally, a global study found that in October 2023, 22% of phishing attacks involved QR codes.

QR code scams are a serious threat, as they can redirect users to malicious sites or steal sensitive information. Always inspect QR codes before scanning, and use secure apps to detect suspicious links. Keep your devices updated to prevent attacks. If you’re a victim, report it to the authorities and share your experience with the Cryptoscam Defense Network to help others stay informed.
