QR code scams: How they work and how to safeguard against them

QR codes are increasingly being used by cybercriminals in QR code scams and attacks. “Invented in the 1990s, QR codes surged during the pandemic. They offered a way for people to access information and conduct activities in a touchless way. Insider Intelligence reports US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025” (Info Security Magazine, 2023).

With QR code use on the rise, scams using QR codes by cyber thieves are also rising significantly. So, with QR codes all the rage, how can you spot nefarious ones, and what can you do to safeguard yourself against them?  In this blog, we’ll explain how QR code scams work, review five common examples, and provide guidelines on how to minimize your risk.

How QR code scams work

QR code scams typically hijack legitimate QR codes and send the unsuspecting scanner to a phishing website that steals sensitive personal information or installs malware on the device. These scams succeed because a QR code is opaque: you cannot tell by looking at the scannable image which website it will open.

Android and Apple phones will alert the user as to which external link they are about to access, but crafty cybercriminals can use typo-squatting and other techniques to masquerade as a legitimate domain. Because most QR codes do not tell you what domain to expect to be taken to, it can be hard to know if you are going to the right place.

The FBI has issued warnings about tampered QR codes. Victims can be directed to a website disguised as legitimate that harvests identity information and installs malware. In business use, employees should be trained about the dangers of QR codes, as infections on their devices, especially in the age of BYOD, could impact business operations.

Many restaurants, public noticeboards, physical letters, and other services offer QR codes instead of traditional physical objects. Restaurants, for example, can find that cybercriminals have recreated their menu sheets with new malicious QR codes and reintroduced them into circulation without the business’s knowledge. Public flyers and spam mail may also contain malicious QR codes.

Recent QR code scam examples

  1. Parking meter payment: Fraudulent QR codes have often been placed on the back of parking meters, leading victims to assume they can pay for parking through the QR code. After paying through the QR code, some victims return to find their vehicle has been towed or has received a parking ticket. Plus, their payment information is typically harvested for later use.
  2. Bank phishing scams: Bank branches often have a sign on their entry doors or an easel placard with special promotions encouraging the use of additional services or new account signups. A cyber-criminal can easily overlay the QR code with one that redirects to their malicious site.
  3. Cryptocurrency wallets: The rise of cryptocurrencies has lured many to transactions that are ripe for scammers. The trading of cryptocurrencies such as Bitcoin is conducted online, and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code.
  4. Romance scams: Some cyber-criminals spend months building an online romantic relationship with their victim, ultimately offering financial advice, or asking for financial assistance through a cryptocurrency exchange. The victim follows the provided QR code and transfers the requested money to the scammer’s digital wallet.
  5. Utility and government impostors: Cyber-criminals often disguise themselves as representatives from a utility company, the Social Security Administration, or the Internal Revenue Service (IRS) regarding an outstanding debt. The scammer claims that failure to pay will result in arrest, additional fines, or shutting off access to electricity, gas, or water. The cyber-criminal may tell the consumer that the payment portal for these services is currently offline, but that they can submit payment through another portal reached by following a link or scanning a QR code.

Mitigation – What you can do:

The National Cybersecurity Center (NCC) advocates good cyber-hygiene so that if a malicious QR code is scanned, there is at least a reduced chance of it creating harm.

Relevant preventive practices include:

  1. Once you scan a QR code, check the web address to ensure it is the intended site and looks authentic. Look for typos or even a single misplaced letter.
  2. Be cautious about entering login, personal, or financial information from a site navigated to from a QR code.
  3. If scanning a physical QR code on a sign, window, or placard, ensure it has not been overlaid.
  4. Do not download an app from a QR code. Use your phone’s app store for a safer download.
  5. If you receive a notice to complete a payment through a QR code, call or access the company’s website to verify.
  6. Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner in the camera.
  7. If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
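One way to automate the post-scan check in steps 1 and 3 above (and the typo-squatting point made earlier), as an added example that is not part of the original post: a Python helper that takes the decoded QR payload and the domain the user expects, and flags look-alike domains that differ by a letter or two, hostnames that merely contain the expected name, credential or odd-port tricks in the URL, and payloads that are not web links at all. The registrable-domain logic is a deliberate simplification (last two labels only) and the domains in the comments are constructed.

```python
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one misplaced, added or dropped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Simplification: the last two labels. Does not handle suffixes like co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_qr_url(payload: str, expected_domain: str) -> tuple[str, str]:
    """Return (verdict, reason) for a decoded QR payload, given the domain the user expects."""
    expected = expected_domain.lower()
    parts = urlsplit(payload.strip())
    # Anything that is not an http(s) link (e.g. a WIFI: or raw-text payload) gets no click-through.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block", "payload is not a web link that should be opened"
    # user@host and unusual ports are classic ways to make a hostname look like another site.
    if "@" in parts.netloc or parts.port not in (None, 80, 443):
        return "block", "URL carries credentials or an unusual port"
    host = parts.hostname.lower()
    reg = registrable_domain(host)
    if reg == expected:
        if parts.scheme != "https":
            return "warn", f"{expected} matched but the link is plain http"
        return "allow", f"domain matches {expected}"
    # e.g. mybank.com.secure-login.net: the expected name is only a subdomain label.
    if expected in host or expected.split(".")[0] in host:
        return "block", f"{expected} appears in the name but the real domain is {reg}"
    # e.g. mybamk.com: a single misplaced letter, as the post warns about.
    if edit_distance(reg, expected) <= 2:
        return "block", f"{reg} is within two letters of {expected} (look-alike)"
    return "warn", f"unrelated domain {reg}; confirm before entering any details"
```

Run the checker on the decoded string from the phone's camera before tapping through; "block" and "warn" are the cases where the post's advice is to verify via a known phone number or the company's own website instead.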

QR code scam prevention for businesses

If you are a business leader, be sure to remind staff of the dangers, as the key to any attack is a weakness in anyone’s account. Be aware that even personal accounts are used to harvest details that can be used in an attack. Scammers and thieves do not respect your situation. Be cautious with what is shared online, and create business processes where wire transfers or bank detail changes require confirmation from and to known phone numbers.

The protection needed by small and medium-sized businesses is no different from that used by large businesses. Plus, with the right support team, everyone can be safe. Lead IT Consulting is focused on companies with fewer than 50 employees, and cyber security is one of our core services. So if you have any cyber security concerns about your business or your staff, just reach out.