QR Code Scams: a “New and Improved” Version of Phishing, and More

Where was the last place you scanned a QR code: At the doctor’s office, to learn more about a disease or medication?  To get an in-store discount coupon while shopping?  At your local restaurant, to see their menu?  If it seems like those weird square codes are everywhere lately, you’re right.  They’ve been widely used since the push toward touchless-everything in the early days of the COVID pandemic. 

Unfortunately, their popularity and ease of use also make them catnip for criminals.  You won’t be surprised to know that QR code scams are on the rise (the FBI issued a warning about them in 2022), and are increasingly dangerous.  Let’s take a look at some of the more common scams and how you can protect yourself against them. 

How QR Codes Work

QR (short for “quick response”) codes have been around longer than you’d think; they were originally developed for in-house use in industrial settings in order to speed processes and parts management. 

It’s essentially an upgrade and evolution of the older barcode technology, which used the width and spacing of the bars to encode data.  In a QR code, it’s the arrangement and spacing of the square pixels that conveys information.  QR codes have a lot more potential arrangements than barcodes, which means they can hold a lot more data, as well.  That data can be in the form of numbers, alphanumeric strings (text, URLs and the like), kanji characters or snippets of software code. 

In practice, they can be used for all kinds of things, from paying for parking to providing the electronic equivalent of a business card.  Singapore even uses them as a form of personal ID.  It’s exactly that versatility that makes them so useful to scammers. 

Scammers Don’t Reinvent the Wheel (Much)

If you watch renovation shows, you’ll often hear the hosts comment scornfully about houses that were “flipped” on a budget, saying things like “All they did was slap on a fresh coat of paint.”  That’s often how scammers work: they can be hugely creative, but more usually they’ll take an existing scam and give it a quick makeover to reflect whatever’s going on in the popular imagination. 

That’s why student loan forgiveness gave rise to a sudden spate of student loan scams, COVID relief spawned billions in benefits scams, the increasing visibility of cryptocurrency led to Bitcoin scams and so on. 

Similarly, most QR code scams are basically just a new-looking way for scammers to roll out the “greatest hits” that have already been successful in other forms.  It’s just a sneaky way to take another shot at your wallet using methods you might recognize if they showed up in a more familiar form. 

Common QR Code Scams

So let’s look at a representative sampling of these QR code scams. Some are slightly revamped versions of classic evergreen scams, while others explicitly exploit the unique characteristics of QR codes. 

QR code phishing scams

There are a lot of these, and they’re effective for a couple of reasons. One is that the QR code hides the underlying URL, so you can’t tell if it’s legitimate or takes you to a bogus website.  Another is that scammers dip into their usual bag of tricks to give you a reason for scanning the code: The message may seem like it comes from your bank or a business you deal with regularly, or even a friend or coworker (whose account, in this case, has previously been compromised). 

Another factor is simply that getting a QR code in an email or text message is still relatively rare, so even security-conscious people aren’t conditioned to be suspicious of them in the way we would be with an emailed link or a dubious attachment. 

“Quick install” QR code scams

These present themselves as a convenient way for users to install a new phone app, browser extension or what have you.  Installing malware on your devices is the real goal, and it happens under cover of the installation you thought you were doing.  Some of these are advertised as doing jobs that juuuust happen to require access to your storage or your camera — or your input at the screen, which means you give them those permissions without them going to the time and trouble of hacking your device. 

QR code malware scams

This is a variation on the phishing scam and the quick-install scam.  The QR code still takes you to a bogus website, and may still attempt to fleece you out of your money or personal information, but the site’s main purpose is to deliver what’s called a “zero-click” attack: Once you’ve visited the site, it can install its malware without your participation or knowledge.  Nation-states have used this kind of attack to spy on citizens and journalists, but criminals use it to steal your information and (often) your money. 

Premium, “VIP” and “insider access” QR code scams

Several common QR code scams exploit the near-universal desire to be treated like a big shot.  The come-on can be that you’ll get access to premium features on a site, app or service (even when those don’t really exist); or that you’ll get premium services that do exist at a sharp discount from the usual price.  Spoiler: You won’t, but they’ll get your money and maybe your information. 

A variation on this theme targets the crypto-curious, offering inexperienced cryptocurrency investors expedited services or unusually good investment opportunities, if they’ll just … scan this QR code …

Real-world QR code swapping

You’ll encounter physical QR codes in many places in the real world, from restaurants (for the menu) to retail stores (for in-store offers and discounts) and even parking meters.  Those are usually legitimate, but bold scammers can print their own bogus QR codes on stickers and position these over the real ones. It’s the ultimate form of phishing, because you think you know you’re visiting a legitimate site.  The end result is the same, though. 

Physical QR code phishing scams

Scammers may also “mash up” old-fashioned mail scams with modern QR code technology, sending you a letter, business card, pamphlet, coupon or special order with a QR code printed in it.  A particularly brazen version of this scam took place in San Francisco, where criminals placed bogus traffic tickets on windshields with a QR code that led to a very good copy of the city’s own ticket-payment site. 

QR code payment scams

Finally, there are a number of QR code scams oriented around payments.  Some businesses do legitimately use QR codes to make payment quick and easy, and of course those real-world codes are prime targets for the ol’ “put a sticker over it” trick.  Others ask you to scan a QR code so you can receive a payment, which isn’t how the system works (money only moves in one direction via QR code, and that’s out of your account). 

There’s even a real-world version of this, where brazen scammers approach you in a plausible location — a parking area with QR codes for payment, or perhaps a subway or other train station with automated payment — with a sob story about only having cash, in a location that requires electronic payment.  They’ll ask you to scan a QR code to transfer money to them electronically, so they can pay, and give you the equivalent in cash “right here, right now.”  Of course what you really give them is the ability to log in to your account and empty it. 

How to Protect Yourself From QR Code Scams

While scammers may love the option of reusing their same old tactics every time a new opportunity comes along, it actually works in your favor.  Once you understand that it’s the same old schtick, you’ll know that you can deal with it the same old way.  One piece of advice we repeat frequently on this blog is “don’t click the link,” and we can now update that to include “don’t scan the QR code!” 

That alone will protect you against most phishing scams, whatever the identity of the supposed sender.  If you have any doubt about whether the code (or the situation it’s supposed to address) is legitimate, you can go to the site or contact the company directly, rather than scanning the code.

Other steps you can take include: 

  • Skipping the QR code and manually typing in the URL for the site you want to visit.
  • Choosing a payment method that doesn’t require a QR code.
  • Physically running a finger over any printed QR code in a public space, to verify that it hasn’t been tampered with.
  • Treating a printed QR code of unknown origin with just as much suspicion as one in a text or email message.
  • Never falling for a “scan this code so I can send you money” pitch.
  • Applying the old rule that “if it sounds too good to be true, it probably is” to any unsolicited special offers or VIP privileges.
  • Installing browser extensions or apps through their respective official stores, rather than directly through a QR code.  This added level of protection has been integral to Apple’s defense of its App Store against regulators and disgruntled developers who argue that it’s an illegal monopoly. 

Protecting yourself against malicious URLs in QR codes is a bit harder, because there aren’t a lot of ways to check one out without going to the actual site.  You can look at the URL in the address bar once it opens, and close it immediately if anything looks hinky.  Unfortunately that still leaves you vulnerable to a zero-click exploit. 

Not scanning the code at all is your best bet, of course.  You might also consider a specialized QR code scanner from a reputable antivirus company, which can alert you to possibly-malicious sites before you load them.  Just be sure that it’s a reputable company, and a legitimate download, because QR code readers themselves may often be (or be infected with) malware.
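
As an added illustration (not from the original post), here is the kind of pre-load check such a scanner might run on a decoded QR payload, flagging warning signs without visiting the site. The function name, the shortener list and the sample domains are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny illustrative list; a real scanner would use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_payload(payload, expected_domain=None):
    """Return warnings for a decoded QR payload without fetching anything."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes carry arbitrary text; other schemes can trigger app actions.
        return [f"not a web URL (scheme={scheme or 'none'})"]
    warnings = ["unencrypted http"] if scheme == "http" else []
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return warnings + ["no host in URL"]
    if parts.username is not None:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # ordinary hostname, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike domain)")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    if expected_domain:
        # E.g. the operator's domain printed on the parking meter itself.
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} is not under expected {exp}")
    return warnings

if __name__ == "__main__":
    # Constructed samples using reserved example names and addresses.
    for sample in ["https://pay.city-parking.example/ticket",
                   "https://city-parking.example@203.0.113.7/pay",
                   "http://city-parking.example.evil.test/pay",
                   "WIFI:S:cafe;;"]:
        print(sample, "->", triage_qr_payload(sample, "city-parking.example"))
```

An empty list only means none of these signs were present; it does not mean the destination is safe.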

The More Things Change …

Most of us are familiar with the rather cynical French observation that the more things change, the more they stay the same (“plus ça change, plus c’est la même chose”).  That certainly applies to QR codes and their use by scammers.  It’s a new variation, but the same old tune. 

That works in your favor, as an informed citizen of the online world (which you undoubtedly are, if you’re reading this blog).  At the end of the day, your online safety still comes down to maintaining a healthy degree of skepticism and a habit of thinking before you click (or scan) anything. 

These are learned behaviors, which means you get to have a lot of control over your own digital destiny.  Helping keep you on top of these things (and providing the tools you need to do it) is Spokeo’s side of the equation. You’re welcome. 

Sources:

  • U.S. Federal Bureau of Investigation – Cybercriminals Tampering With QR Codes to Steal Victim Funds
  • Sprout QR – How do QR Codes Work? QR Code Technical Basics
  • NBC News – ‘Biggest Fraud in a Generation’: The Looting of the COVID Relief Plan Known as the PPP
  • Bitcoin.org – Avoid Scams
  • CSO Online – Zero-Click Attacks Explained, and Why They Are so Dangerous
  • Bleeping Computer – QR Codes Used in Fake Parking Tickets, Surveys to Take Your Money


This post first appeared on Spokeo People Search Blog | Famous People News Of The Day.
