How to spot fake QR codes and protect your information?
QR codes are no longer an unfamiliar sight in B2B go-to-market strategies. You can find them at physical events, in social media posts, and on business cards. As QR codes become more popular, the related scams are no longer uncommon either.
In May 2023, a major US energy company was targeted by an email phishing attack. The attackers used QR codes, asking recipients to scan the code and update their 2FA/MFA details, claiming these were about to expire. After scanning, recipients were sent to a Microsoft-lookalike phishing website where their credentials were stolen.
Cofense, an email security company, discovered this campaign, in which more than 1,000 emails were sent to steal the Microsoft credentials of the energy company's employees.
29% of these 1,000+ emails containing malicious QR codes were sent to the energy company (whose name has not been revealed). The other four most-targeted industries were:
- Manufacturing (15%)
- Insurance ( 9%)
- Technology (7%)
- Finance (6%)
This is one of the major attacks that made the news, but QR code scams in general are on the rise. As the Federal Bureau of Investigation (FBI) states:
“In 2022, the FBI started receiving reports of people who were falling victim to QR code scams, including some who lost money. One area of particular concern—frauds involving cryptocurrency. Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks.”
- Source - FBI Tech Tuesday
Tracking these QR code scams remains difficult because of their nature:
- Under-reported Scams: Many scams, especially smaller ones, go unreported, making it difficult to track a precise number.
- Traceability Challenges: Tracing QR code scams can be tricky due to the anonymous nature of online activity.
In this article, we aim to educate you about common QR code scams in 2024 and how to protect yourself from them.
How do QR code scams work?
There is almost no way to tell whether a QR code is fake before scanning it, because its destination is not human-readable. Scammers exploit this by placing genuine-looking QR codes in front of fraudulent websites.
The QR code itself is not the problem; at most it is an enabling technology. But once a user scans a code and is redirected to a fraudulent website, they risk being scammed.
Like other scams, these hide behind plausible-sounding lies. The scammers may pretend to be tech support, retailers, social media contacts, government agencies, or banks and payment providers. As the Federal Trade Commission (FTC) puts it:
“These are all lies they tell you to create a sense of urgency. They want you to scan the QR code and open the URL without thinking about it.”
QR code scams come in various flavors, but they all boil down to two main goals:
- Stealing your information: the classic phishing tactic of harvesting personal and financial information. The user is sent to a fake login page mimicking a real website, and their data is stolen once they enter it.
- Infecting your device: the user is sent to a website that automatically downloads malicious software onto their device. This malware can steal data, spy on activity, or even lock the device and demand a ransom.
10 Common QR code Scams in 2024
The FBI highlights cryptocurrency scams, but QR code scams come in many flavors. Since the pandemic, QR codes have become more and more common, and so have the related scams:
1. QR code Phishing
For this scam, scammers create a fake website identical to the login page of a bank, social media account, or other online service. These fake sites are placed behind QR codes that are sent via email, text message, or social media, or even displayed on physical flyers. When you scan the code and enter your login details, they are stolen.
This practice is known as "quishing": a phishing scam that uses QR codes.
- Instead of putting the phishing URL directly in their emails, scammers put it behind a QR code. This adds an extra step for the victim, but the URL is then carried as an image rather than as text, so it has a higher chance of slipping past phishing detection systems and reaching more inboxes.
- Similarly, QR codes in physical places have a higher chance of reaching people.
How to protect yourself from Quishing:
Always double-check the URL before logging in to any website, even if you arrived there by scanning a QR code:
- Look for the "https://" prefix and a padlock icon 🔒 in the address bar, which indicate an encrypted connection (the padlock only means the connection is encrypted, not that the site is genuine).
- Compare the domain in the address bar with the real site's domain and look for any spelling changes; if you find one, close the page altogether.
- If the URL contains an unusual number of digits, it is likely a fake portal designed to steal your information. Do not proceed.
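The checks above can be automated wherever QR payloads are decoded before a person acts on them, for instance in a mail-security pipeline or a company scanner app. The following Python script is an added example and not part of the original article; the trusted-host list, the sample payloads, and the digit threshold are constructed for illustration. It takes the URL decoded from a QR code and reports the same red flags the list describes: a missing https scheme, a host that is not on the allow-list, a close misspelling of a trusted name, a trusted name hidden in a subdomain or in the path, a bare IP address, and a digit-heavy host.

```python
"""Vet the URL decoded from a QR code before anyone opens it.

Added example, not from the original article. TRUSTED_HOSTS and
SAMPLE_PAYLOADS are constructed for illustration; replace the host list
with the real login hosts your users are expected to reach.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of the exact hosts users should be logging in to.
TRUSTED_HOSTS = {"accounts.example-bank.com", "login.example-corp.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a one- or two-character misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_url(payload: str, trusted_hosts=TRUSTED_HOSTS) -> list[str]:
    """Return the red flags found in a URL; an empty list means it passed every check."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # 1. Encrypted connection: anything but https is a red flag.
    if scheme != "https":
        findings.append(f"not https (scheme is {scheme!r})")
    if not host:
        findings.append("no host name in payload")
        return findings
    # 2. An exact match against the allow-list is the only way to pass.
    if host in trusted_hosts:
        return findings
    findings.append("host is not on the trusted list")

    # 3. A bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass

    # 4. Internationalised labels can hide homoglyph lookalikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host; possible homoglyph domain")

    # 5. The article's "too many numbers" heuristic (the threshold is an assumption).
    digits = sum(ch.isdigit() for ch in host)
    if digits >= 4:
        findings.append(f"digit-heavy host ({digits} digits)")

    # 6. A trusted name misused: as a subdomain of another domain, in the path,
    #    or as a close misspelling of the real host.
    for trusted in sorted(trusted_hosts):
        if host.startswith(trusted + "."):
            findings.append(f"trusted name {trusted!r} used as a subdomain of {host!r}")
        elif trusted in parts.path.lower():
            findings.append(f"trusted name {trusted!r} appears in the path, not the host")
        elif _edit_distance(host, trusted) <= 2:
            findings.append(f"host is a close misspelling of {trusted!r}")
    return findings


SAMPLE_PAYLOADS = [  # constructed; 203.0.113.0/24 is a documentation range
    "https://accounts.example-bank.com/login",
    "http://accounts.example-bank.com/login",
    "https://accounts.examp1e-bank.com/login",
    "https://accounts.example-bank.com.login-verify.net/",
    "https://login-verify.net/accounts.example-bank.com/",
    "https://203.0.113.5/login",
]

if __name__ == "__main__":
    for url in SAMPLE_PAYLOADS:
        result = vet_url(url)
        print(url, "->", "OK" if not result else "; ".join(result))
```

The allow-list comparison is deliberately exact: a host that merely contains or resembles a trusted name is reported, not accepted, because that resemblance is precisely what a lookalike domain relies on.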
2. Malicious App Downloads via QR code
In this kind of scam, scammers create seemingly legitimate QR codes that, when scanned, take you to a website offering a free game, utility app, or other helpful software. These downloaded apps may appear harmless, but they can steal your personal information, track your activity, or even infect your device with malware.
- The downloaded apps might look professional, mimicking popular options or leveraging current trends.
- Scammers often play on emotions, offering "free" or "exclusive" features to entice downloads.
How to Protect Yourself:
Here are some steps you can take to stay safe:
- Only download apps from official app stores like Google Play Store or Apple App Store. These stores have vetting procedures to minimize the risk of malware.
- Avoid downloading an app just because a QR code points to it. You have no way of knowing the source or legitimacy of the app.
- Before installing anything, check app reviews and developer information. Reviews can reveal issues, and the developer's background can give you a sense of their reputation.
- Be cautious of apps requesting access to features that are unnecessary for their function (like microphone or location). Excessive permission requests can be a red flag.
- Utilize your phone's built-in QR code scanner, eliminating the need for additional app downloads. These downloads themselves can be a security risk.
3. Fake Wi-Fi via QR code
These fake QR codes, when scanned, connect you to a malicious Wi-Fi network disguised as a legitimate public hotspot (often found in cafes, airports, etc.). Once connected, these networks can steal your personal information, login credentials, and browsing activity.
- The QR code and network name might mimic those of a real public Wi-Fi provider, creating a sense of trust.
- The network may even offer a seemingly strong connection to entice users to connect quickly.
How to Protect Yourself:
Public Wi-Fi networks can be convenient, but security should always be a priority. Here's how to stay safe:
- Avoid connecting to unknown Wi-Fi networks, especially those requiring a QR code scan. You have no way of verifying the network's legitimacy.
- Use a trusted VPN service if you absolutely must connect to public Wi-Fi. A VPN encrypts your internet traffic, adding an extra layer of security.
- Never enter sensitive information (passwords, credit card details) while connected to an unknown network. Wait until you are on a secure network before making any transactions.
- Consider disabling the automatic Wi-Fi connection on your device. This can prevent accidental connections to malicious networks.
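As an added example that is not from the original article: before joining a network from a QR code, it helps to see exactly what the code would configure. The script below parses the WIFI: payload format that phone cameras recognise (T: security type, S: SSID, P: password, H: hidden flag, with backslash escapes inside values) and flags an open network, a hidden SSID, and an SSID that does not match the one posted at the venue. The known-SSID list and the sample payloads are constructed for illustration.

```python
"""Preview what a Wi-Fi QR code would make a phone do before joining.

Added example, not from the original article. KNOWN_SSIDS and
SAMPLE_PAYLOADS are constructed for illustration.
"""

# Constructed: the network name printed on the venue's own signage.
KNOWN_SSIDS = {"Cafe Guest"}


def parse_wifi_qr(payload: str) -> dict:
    """Parse the 'WIFI:T:<auth>;S:<ssid>;P:<password>;H:<true|false>;;' format.

    Field values may escape ';', ',', ':' and '\\' with a backslash. An empty
    field name (two ';' in a row) terminates the payload.
    """
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi configuration payload")
    body = payload[len("WIFI:"):]
    fields = {}
    key, buf, i = None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if key is None:
            if ch == ":":
                key, buf = "".join(buf), []
            elif ch == ";":
                break  # empty field name: end of payload
            else:
                buf.append(ch)
        elif ch == ";":
            fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return {
        "ssid": fields.get("S", ""),
        "auth": (fields.get("T") or "nopass").upper(),  # missing/empty T means open
        "password": fields.get("P", ""),
        "hidden": fields.get("H", "").strip().lower() == "true",
    }


def wifi_warnings(net: dict, known_ssids=KNOWN_SSIDS) -> list[str]:
    """Red flags a user should see before tapping 'Join'."""
    warnings = []
    if net["auth"] == "NOPASS":
        warnings.append("open network: traffic is not encrypted over the air")
    if net["hidden"]:
        warnings.append("hidden SSID: the name is not broadcast, so it cannot be checked against the Wi-Fi list")
    if net["ssid"] not in known_ssids:
        warnings.append(f"SSID {net['ssid']!r} does not match the network posted at the venue")
    return warnings


SAMPLE_PAYLOADS = [  # constructed
    "WIFI:T:WPA;S:Cafe Guest;P:latte123;;",      # matches the signage
    "WIFI:T:nopass;S:Cafe Guest Free;H:true;;",  # open, hidden, lookalike name
    r"WIFI:S:Caf\;e;T:WPA;P:x;;",                # escaped ';' inside the SSID
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        net = parse_wifi_qr(p)
        print(f"{net['ssid']!r} ({net['auth']}, hidden={net['hidden']})")
        for w in wifi_warnings(net):
            print("  !", w)
```

A phone joins the network the moment the user confirms the prompt, so the value of this preview is that it surfaces the security type and the exact SSID before that tap, which is the one moment the article's advice can still be applied.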
4. Fake QR code on Top of a Real One
In November 2023, a scam was discovered at an eatery in Seremban, Malaysia, where a fake QR code had been pasted on top of the payment QR code to trick customers into paying the wrong recipient.
Picture Source - Yingzz Lim Dkj
The eatery operator, Ms Loke Jingyi, was alerted to it and said, “I quickly checked the QR code image and was surprised to find, after peeling it off, that it was covering the correct image.”
Picture Source - Yingzz Lim Dkj
Clearly, their customers were paying the wrong recipient.
This is just one example. Scammers can tamper with legitimate QR codes by placing fake stickers over the original code. The fake code, when scanned, could steal your payment information or redirect you to a malicious website.
- The fake QR code might appear seamless, mimicking the design and placement of the original code.
- These scams are often found on public resources such as restaurant menus, parking meters, or product packaging.
How to Protect Yourself:
A little extra caution can help you avoid falling victim to these hidden scams:
- Be wary of QR codes in public places, especially those that seem tampered with. Look for uneven edges, peeling corners, or an additional layer on top of the original code.
- If unsure, opt for the original method. For instance, you can read the menu directly, use the official parking app, or visit the product website instead of scanning the code.
5. QR code Payment Scams
These QR codes look like any legitimate payment code but are designed to steal your money or financial information. They can be found anywhere a normal payment code might be displayed, both online and in physical locations.
- The QR code might look identical to a real payment code, often mimicking logos or color schemes of legitimate payment processors.
- Scammers might pressure you to scan the code quickly, creating a false sense of urgency (e.g., street vendors, crowded events).
How to Protect Yourself:
Verifying the recipient before any QR code payment is crucial. Here's what you can do:
- Double-check the recipient details before making any payment using a QR code. Ensure the name and account information match the intended recipient.
- Never scan a QR code for a financial transaction unless you directly received it from a trusted source. Don't rely on codes found randomly online or in public places.
6. Inverted QR code Scam
While less common, some scammers might use inverted QR codes (reversed colors) to appear unique and bypass suspicion. These inverted codes, when scanned, can still lead to malicious websites or attempts to steal information.
- The inverted design aims to stand out and appear different from standard QR codes, potentially lowering your guard and enticing you to scan.
How to Protect Yourself:
Treat any unfamiliar QR code with caution, regardless of color scheme. Here's how to stay safe:
- If a QR code seems suspicious or promotes something you wouldn't normally scan, avoid it altogether. Don't be tempted by its unusual appearance.
- Stick to familiar QR codes. If you're unsure about the legitimacy of a code, opt for a different method (e.g., visiting a website directly).
7. QR code Coupon Scam
This is one of the most common scams where users are asked to scan a QR code for lucrative offers. Once the user scans the QR code to redeem the coupon, they end up on malicious websites. These codes can be found online, in marketing materials, or product packaging.
- The QR code, coupon, and associated website might appear legitimate, mimicking real promotions.
- Scammers offer unrealistic deals, playing on your desire for a bargain.
How to Protect Yourself:
Verifying promotions directly with the source is key to protecting yourself from these scams. Here are some steps to take:
- Don't rely solely on the information presented on the coupon code. Verify promotions directly with the company website.
- Look for official channels for coupon redemption. Most legitimate companies have established methods for these actions that don't solely rely on QR codes.
- Any unrealistic discounts or deals should raise concerns. If the offer seems too good to be true, it probably is.
8. Product Activation Scam via QR code
These scams are rarer because they target specific users. Users are asked to scan a QR code to activate a product or subscription. As with other phishing attacks, scammers may steal your personal information, install malware, or redirect you to a fraudulent website once you scan the code.
- These QR codes can be found on product packaging, receipts, or online advertisements.
- Scammers mimic the product, website, and activation code perfectly but ask for additional personal information (login details, passwords, etc.) that is not required for a genuine activation.
How to Protect Yourself:
Always verify the activation process directly with the manufacturer. Find an alternate source to activate the product/subscription:
- Consult the product manual or manufacturer's website for official activation instructions.
- Look for a dedicated activation website or phone number provided by the manufacturer.
9. Charity Donation Scam via QR code
In October 2023, the FBI warned US citizens about a charity fraud scheme soliciting fake humanitarian donations. In a public service announcement, it said:
“As of October 12, 2023, an alleged fake charity scheme circulating on social media and via encrypted messaging platforms directed recipients to a website that may contain malware and claims to solicit cryptocurrency for ‘humanitarian’ purposes.”
Such scams are often accompanied by a QR code, as it makes them appear more credible. Users scan the QR code to support a cause but end up having their personal information stolen or, worse, sending money to scammers.
- The QR code and website design might look like a real charity and donation platform, creating a sense of trust.
- Recipient details are often suspicious, with strange personal or organizational names.
How to Protect Yourself:
Here's how to protect yourself from such scams:
- Visit the official website of the charity you wish to support. Look for a dedicated donation page with secure payment options.
- Avoid making any payments if you find unusual organizational or personal details.
10. Fake QR code Scanner Apps
While QR codes can be a convenient tool, some malicious actors create fake QR code scanner apps. These apps, disguised as legitimate scanners, pose a significant threat to your device's security.
- Fake scanner apps often appear professional in app stores or on websites, mimicking the design and functionality of real scanners.
- They might even offer additional features to entice downloads, such as built-in barcode readers or flashlight functionality.
How to Protect Yourself:
Avoiding these fake apps requires a cautious approach:
- Utilize your phone's built-in scanner: Most smartphones have a built-in QR code scanner, eliminating the need for additional app downloads. This reduces the risk of encountering fake apps altogether.
- Only download scanner apps from trusted sources: Stick to official app stores such as Google Play Store or Apple App Store. These stores have vetting procedures to minimize the risk of malware.
- Read reviews and check developer information: Before downloading any scanner app, take a moment to read user reviews and research the developer's background. This can help identify potential red flags.
- Beware of excessive permission requests: Legitimate scanner apps typically only require camera access for scanning. Be wary of apps requesting unnecessary permissions such as a microphone or location access.
Checklist: Spotting a Fake QR code
QR codes can be a handy tool, but scammers can exploit them. Use this checklist to stay vigilant and avoid falling victim to a QR code scam:
- Be wary of QR codes displayed in unexpected places or from untrusted sources.
- Look for uneven edges, peeling corners, or an additional layer on top of a QR code, especially in public locations.
- Be cautious of inverted QR codes (reversed colors) that might appear unique to bypass suspicion.
- Avoid scanning codes without understanding their purpose. Legitimate codes are accompanied by clear instructions.
- Never scan a QR code for a financial transaction unless you received it directly from a trusted source. Verify promotions, product activations, or charity donations directly with the source.
- If the scanned code redirects you to a website with typos, grammatical errors, or an unprofessional design, be cautious.
- Don't be tempted by QR codes offering unusually high discounts, deals, or tax deductions. If it seems too good to be true, it probably is.
- Never download apps directly from QR codes. Always use trusted app stores such as Google Play Store or Apple App Store.
- Before making any payment using a QR code, thoroughly verify the name and account information match the intended recipient.
Note: When in doubt, don't scan! If a QR code seems suspicious or promotes something you wouldn't normally interact with, avoid it altogether.
What to do when you accidentally scan a malicious QR code?
Here's what you should do if you accidentally scan a fake QR code:
1. Disconnect from the internet (if possible): Malicious QR codes can redirect you to websites designed to steal your information or download malware onto your device. If you're still connected to the internet, disconnect immediately. This can help prevent the website or malware from doing further damage.
2. Close the browser or app: Exit the website or app that opened after scanning the code. Don't click any links or buttons within it.
3. Change your passwords: Update your passwords for any accounts you might have entered information for on the fake website. This includes banking, email, and social media accounts. Consider using a password manager to create strong, unique passwords for all your accounts.
4. Uninstall the app: If you downloaded a fake app after scanning the code, uninstall it immediately. Go to your device's settings, find the app, and remove it.
5. Forget the network: If you are connected to a fake Wi-Fi network, forget the network on your device. This will prevent you from accidentally connecting to it again.
6. Contact your bank or financial institution: If you entered any financial information on the fake website, contact your bank or financial institution immediately. They can help you monitor your accounts for fraud and potentially cancel your cards.
7. Report the Scam: You can report the scam to the relevant authorities. This can help them track down the scammers and prevent others from falling victim. Here are some resources:
- In the US: Report scams to the Federal Trade Commission (https://reportfraud.ftc.gov/)
- In the UK: Report scams to Action Fraud (https://www.actionfraud.police.uk/)
- In India: Report scams to National Cyber Crime Reporting Portal (https://cybercrime.gov.in/webform/cyber_suspect.aspx)
- Check your local authorities' website for reporting options in your country.
Frequently Asked Questions
1. Can I trust a QR code?
QR codes themselves are just a way of storing information. They're like a digital puzzle that can hold website links, contact information, or even product details. The question of trust lies with the source and what’s behind the QR code. Don’t trust a QR code from an unverified source.
2. Can someone access the money in my account with a QR code?
Not directly. Scanning a QR code won't by itself give someone access to your bank account. However, a malicious QR code can:
- Redirect you to a phishing website: a fake page that looks like your bank's login page, tricking you into entering your credentials, which the scammers then steal.
- Lead to malware: the code can point to a page that downloads malicious software onto your device, potentially giving scammers access to your information or financial details if they find other weaknesses to exploit.
3. What is the warning about QR codes?
The warning is about being cautious about the source and content of QR codes before scanning them. Don't scan codes from untrusted sources or those promising unrealistic benefits.
4. Are QR codes safer than barcodes?
In terms of security, QR codes and barcodes are similar: they both just hold information. However, QR codes can hold much more data than barcodes, making them more versatile and potentially more attractive to scammers who want to embed malicious links.
5. Do QR codes collect information?
The QR code itself doesn't collect information. It simply stores it. However, the website or app a QR code links to could potentially collect information about you when you visit it. This is why it's essential to be cautious about where the QR code takes you.