
Fake QR code scams explained

  • by Vanashree Chowdhury
  • 7 min read

Since the pandemic, many restaurants expect customers to scan a black-and-white square to reach the menu and pay without touching anything. That square is a QR (Quick Response) code, a type of two-dimensional barcode that the camera app on most smartphones can read directly.

Because they are convenient and quick to use, QR codes are now a common way to make contactless payments, open coupons, websites and tickets, and share Wi-Fi credentials. Scammers exploit the same convenience, and the fact that the code is still unfamiliar to many people, to trick users in several ways. Here are the common fake QR code scams explained.

Also read: What to do if you click on a phishing link?


What is a QR code scam?

Anyone can create a QR code online for free in seconds. Just as importantly, a person cannot read what a QR code contains without scanning it, so a scammer can print a code that points wherever they like, or tamper with the data encoded in a legitimate one, and nobody will notice by looking at it. These are the common ways in which scammers misuse QR codes:

Fake QR codes for contactless payments

Scammers replace a legitimate QR code placed in public settings like parking meters, restaurants or stores with a fake QR code that redirects payments to their account instead of the legitimate business.

There have also been cases of scammers targeting sellers on online marketplaces. Posing as a buyer, the scammer asks the seller for bank details to "pay" for an item, then sends a QR code and asks the seller to scan it and enter a one-time password (OTP) to "receive" the agreed amount. In reality the code is a payment request: nobody needs your OTP or PIN to send you money, and entering one authorises a transfer out of the seller's own account.

The scammers often create urgency or engage the victim in incessant phone calls to distract them enough to overlook red flags.


QR code phishing

A phishing email or message carries a link to a spoofed website that captures whatever you type, such as login credentials or credit/debit card numbers. A QR code can carry exactly the same link; the only difference is that the victim cannot see the URL until after scanning.

Scammers can plant a fake QR code that encodes a URL to a website to execute a drive-by-download attack, where malware is downloaded to the user’s device without their informed consent when they visit the malicious website through the QR code.


Actions executed through QR code scans

QR codes can also encode actions rather than web pages, for example a tel: link that dials a number, an sms: link that composes a text message, or a Wi-Fi profile that joins a network. That is a quick way to get in touch with a business, but it also lets a scammer pre-fill a call to a premium-rate number, a message to a number they control, or a connection to a network they run. The phone normally shows a confirmation prompt first; read it instead of tapping through.


Tracking via dynamic QR codes

QR codes are described as static or dynamic depending on what they encode. A static QR code holds the final data itself (a URL, contact card or Wi-Fi profile) and cannot be changed once printed. A dynamic QR code holds a short redirect URL operated by a QR service; when scanned, the service forwards the phone to whatever destination the code's owner has currently configured.

With a dynamic QR code the owner can change the destination after the code has been printed and, because every scan passes through the redirect service, can log the time, approximate location and device type of each scan for analytics. The same features serve a scammer: a code that pointed somewhere harmless when it was checked can be repointed later, and each scan reports back to whoever controls the redirect.


Malware download by scanning QR codes

App makers often publish a QR code so users can install the app quickly. Scammers copy the idea: they create a QR code that advertises a legitimate app but points to a direct download of malware instead of the app store listing. Once installed, the malware can read sensitive personal information and financial details and act inside accounts that are already logged in on the device.

Once an attacker has that kind of access to a device or account, the damage is limited only by what the account can do.

To protect your device, open the official app store yourself, search for the advertised app, check its publisher, reviews and ratings if it is new to you, and install it from the store only if it checks out. Never install an app from a file that a QR code downloaded directly.

Also read: What are Chase fraud alert emails?


Follow these steps to protect yourself from QR code scams

As a technology like QR codes becomes popular, scammers and cybercriminals inevitably find ways to abuse it. Users do not have to give it up; understanding the weak points is enough to use it safely.

Check the legitimacy of the QR code

For physical QR codes in public places such as restaurants and parking meters, look for a sticker pasted over the original code, and for signs that the code was added separately from the rest of the sign. Look for the company's own branding on and around the code to confirm it was put up by the company.

When in doubt, confirm with one of the company employees or representatives about the legitimacy of the QR code before scanning it.


Look for suspicious URLs

Once you scan a QR code, the phone usually shows a preview of the link before opening it. If the domain in that preview differs from the website you expected, or if the link is shortened so the destination is unclear, do not open it. Ask an employee or company representative for the full URL and type it into your browser yourself.

If the page asks you to log in or to enter sensitive information such as your address, government ID number or financial details, check it for signs of spoofing before typing anything: misspellings in the domain name or on the page, missing branding, poor design, and wording that creates urgency, such as "your account will be locked until you enter your details".

Two extra steps cost far less than financial loss, identity theft or a compromised device.


Don’t scan QR codes for enticing rewards

Scammers compel targeted consumers to scan a malicious QR code with promises of high rewards, discounts or unbelievable deals. To avoid being scammed, cross-check the legitimacy of the discounts, deals and coupons by visiting the official website and availing the reward from there rather than scanning a QR code.


Scammers can combine a fake QR code with another common fraud, the brushing scam.

In a brushing scam, a third-party seller ships unordered parcels to real addresses through a popular retailer such as Amazon so that the shipment looks like a gift, then posts a fake review in the recipient's name to boost the seller's ratings and sales. To scam the recipient as well, the parcel may carry a QR code promising deals and coupons that actually leads to a malicious website or a malware download.


Avoid scanning QR codes to contact someone

Rather than scanning a QR code to contact a company or a representative via phone, email or a message, go to the company website and contact customer support or the concerned representative from the details provided on the website.

Scammers use the direct-contact feature for phishing: the number or address the code dials is the scammer's own, and a persuasive voice on the line can talk you into handing over details or making payments. A tel: or sms: code can also point at a premium-rate number or pre-fill a message to a number the scammer controls. Your phone will show the number or message and ask for confirmation before dialling or sending, so check it before you accept.
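The checks described across this article (payment codes that redirect money, codes that trigger calls or messages, dynamic redirects that hide the destination, direct malware downloads, and look-alike or mismatched URLs) can be applied to the text a scanner app shows before you act on it. The script below is an added example, not code from the original article. It assumes the QR image has already been decoded, so its input is the payload string; the shortener list, the sample payee IDs and every sample payload are constructed for illustration. It goes slightly beyond the article by also handling a payment deep link, using the parameter names of the NPCI UPI link format (pa = payee address, pn = payee name, am = amount) as one concrete example of a payment payload.

```python
"""Triage the text decoded from a QR code before acting on it.

Added example, not code from the original article. Works on the payload
string a scanner app shows in its preview (the image is assumed to be
decoded already). Host lists, payee IDs and sample payloads are
constructed for illustration.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Schemes that make the phone act (call, text, mail, join Wi-Fi) on scan.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mms", "mailto", "facetime", "wifi"}
# Payment deep links; "upi" follows the NPCI UPI link parameter names
# (pa = payee address, pn = payee name, am = amount). Assumed example only.
PAYMENT_SCHEMES = {"upi"}
# Constructed, non-exhaustive sample of shorteners and dynamic-QR redirect
# hosts: the printed code hides the destination, which can change later.
REDIRECT_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly",
                  "is.gd", "cutt.ly", "qrco.de"}
BINARY_SUFFIXES = (".apk", ".ipa", ".exe", ".msi", ".dmg")
SEVERITY = {"low": 0, "medium": 1, "high": 2}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _result(kind: str, scheme: str, target: str, findings: list) -> dict:
    risk = max((s for s, _ in findings), key=SEVERITY.__getitem__, default="low")
    return {"kind": kind, "scheme": scheme, "target": target, "risk": risk,
            "findings": [msg for _, msg in findings]}


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None,
                      expected_payee: Optional[str] = None) -> dict:
    """Classify a decoded QR payload and list the red flags it carries.

    expected_domain: domain the sign/menu/receipt claims the code belongs to.
    expected_payee:  payee ID the merchant is known to use for payments.
    """
    text = payload.strip()
    m = _SCHEME_RE.match(text)
    scheme = m.group(1).lower() if m else ""
    findings = []  # (severity, message)

    if scheme in ACTION_SCHEMES:
        findings.append(("high", f"'{scheme}:' makes the phone act on scan; "
                                 "read the confirmation prompt before accepting"))
        return _result("action", scheme, text[m.end():], findings)

    if scheme in PAYMENT_SCHEMES:
        q = {k: v[0] for k, v in parse_qs(urlsplit(text).query).items()}
        payee = q.get("pa", "")
        findings.append(("medium", f"payment request to '{payee}' "
                                   f"({q.get('pn', '?')}) for {q.get('am', 'unspecified amount')}"))
        if expected_payee and payee.lower() != expected_payee.lower():
            findings.append(("high", f"payee '{payee}' is not the merchant's known ID '{expected_payee}'"))
        return _result("payment", scheme, payee, findings)

    if scheme == "":
        if " " in text or "." not in text:
            return _result("text", "", text, [("low", "plain text; nothing to open")])
        # Bare "example.com/menu": most scanner apps open it as http://.
        text, scheme = "http://" + text, "http"
        findings.append(("medium", "no scheme; scanner will open it over plain http"))
    elif scheme not in ("http", "https"):
        return _result("other", scheme, text, [("medium", f"unusual scheme '{scheme}:'")])

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append(("medium", "plain http: page and form data unprotected in transit"))
    if parts.username is not None:
        findings.append(("high", f"'@' in address: browser goes to '{host}', not '{parts.username}'"))
    if _is_ip_literal(host):
        findings.append(("medium", "bare IP address instead of a domain name"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "punycode label: may imitate a familiar domain"))
    if host in REDIRECT_HOSTS:
        findings.append(("medium", "shortener/dynamic-QR redirect: destination hidden and changeable"))
    if parts.path.lower().endswith(BINARY_SUFFIXES):
        findings.append(("high", "direct download of an installer instead of an app-store page"))
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            where = "inside an unrelated host" if exp in host else "absent from host"
            findings.append(("high", f"expected '{exp}' is {where} '{host}'"))
    return _result("url", scheme, host, findings)


if __name__ == "__main__":
    # Constructed payloads, as a scanner app would display them.
    samples = [
        ("https://www.example-cafe.com/menu", "example-cafe.com", None),
        ("https://qrco.de/bd1Xyz", None, None),
        ("https://example-cafe.com.pay-now.example/checkout", "example-cafe.com", None),
        ("https://example-cafe.com@203.0.113.5/pay", "example-cafe.com", None),
        ("http://203.0.113.7/menu-app.apk", None, None),
        ("upi://pay?pa=quickcash@bank&pn=Example%20Cafe&am=450.00", None, "examplecafe@bank"),
        ("SMSTO:+15550100:YES", None, None),
    ]
    for payload, domain, payee in samples:
        r = triage_qr_payload(payload, domain, payee)
        print(f"{r['risk']:6} {r['kind']:8} {payload}")
        for f in r["findings"]:
            print("                -", f)
```

The rating is deliberately conservative: a mismatch against the domain or payee the merchant is known to use is always rated high, because that is exactly what a sticker pasted over a legitimate code or a redirected payment looks like from the phone's side, while a shortener on its own is only medium since the code may simply be a dynamic one that the business uses legitimately. In that case the right move is the one the article gives: ask for the full URL and type it in yourself.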


Be cautious of QR codes sent via emails, messages and social media accounts

Like phishing emails and messages with a malicious link, cybercriminals can send you QR codes through emails, messages or social media DMs to get you to scan the malicious QR code to steal your credentials, personal details or financial information.

Even if a trusted source contacts you through the above-mentioned channels to get you to scan a QR code, contact the person off the platform to confirm that it is them and not a scammer who has hacked into their account or created an impersonated account.

The rise in QR code scams was enough of a concern that the FBI issued a public warning in 2022 to alert consumers to the threat. Being cautious and occasionally taking the long route lets consumers use the technology without falling prey to these common scams.

Also read: How to identify a fake text message?

Vanashree Chowdhury

Being a tech enthusiast, Vanashree enjoys writing about technology and cybersecurity. She is a designer and marketer by profession and is deeply passionate about working on campaigns for social issues. You can contact her here: vanashreec@protonmail.com
