Fake QR code: How to spot QR code scams

QR codes are a popular and convenient way to share access to links and digital information. All you need to do is point your device's camera or use a reader app to scan it, and then open the encoded information. However, not being able to see what the QR code contains before scanning it has made it a popular tool for spreading malware and stealing personal information. Let’s learn how fake QR code scams work and how you can identify them.

Kamilė Vieželytė

November 17, 2025

What is a fake QR code?

A fake QR code is a code generated with a link to a malicious or spoofed website. “Fake” in this instance doesn’t mean that the code itself doesn’t work, but that it was created in bad faith. A person can scan the code as normal, and it will work. However, the content it leads to may be hijacked or deliberately created to mislead the user.

What is quishing?

QR phishing, or quishing for short, involves using such bad-faith codes to redirect users to malicious websites or files. Similar to phishing emails or spam text messages, a quishing link can imitate a real service provider and prompt the user to input their login credentials, payment details, or other personally identifiable information. Cybercriminals can then use the stolen data for identity theft, ransomware, or other illicit activities.

QR code scams are on the rise because they can effectively bypass security filters that an email inbox would apply. Instead, a user can scan the code and open it on their browser without additional security checks.

How do QR code scams work?

The cycle of a QR code scam starts with a malicious website. Scammers create a page to gather and steal user data. They then create a fake QR code that links to this website. Alternatively, criminals might use DNS poisoning to redirect traffic from a legitimate website already encoded in a QR code to the malicious website, thus spoofing the QR code itself.

Once the fake QR code is ready, the waiting game begins. Whether the scam succeeds or not depends solely on whether the user interacts with it. To increase the likelihood of the code being used, scammers can print it out and place it in public locations or use compromised email lists to send it to a broad range of targets.

When the user scans the code, they can choose whether to open the encoded link. If they open it and interact with the spoofed website, for example, by entering their personal information into the fields provided or choosing to download the files it offers, they reveal this data to the cybercriminals or infect their personal device with malware.

If the user enters personal data into the website, cybercriminals can use it to impersonate them, gain unauthorized access to their accounts, access their financial information, or sell the information on the dark web for profit. If the user downloads and opens a malicious file, cybercriminals can use it to gain backdoor access to the device, install keylogging software, infiltrate the device network, or otherwise compromise device security.

How common are QR code scams?

According to the QR code generation service QR Tiger, in 2023, quishing surged by 51%, with over 8,000 attacks observed between June and August of that year, showing a sudden increase in the threat. Detection of quishing scams is a massive problem. Since they can bypass email spam filters and the user may not check the link before opening it, less than 40% of quishing scams could be detected.

With more businesses using QR codes for marketing and communication purposes, the number is expected to continuously increase. Cybercriminals might use spoofed links or redirect traffic from links attached to legitimate QR codes to conduct their schemes. The lack of measures to detect and block false QR codes may also impact the efficacy of these scams.

How to spot common QR code scams

Using QR codes maliciously is fairly simple because you can’t verify the code’s content before you scan it. For this reason, any code you come across is as likely to be a legitimate redirect or a guerrilla marketing campaign as it is a scam.

Emails and text messages

QR codes can be included in emails as attachments or images that the user can quickly scan to learn more. Likewise, some texting services can allow MMS messages containing QR codes. Sending fake QR codes over email or text can be an effective way to redirect the target to a phishing website. Since a QR code is easy to generate, it can be a low-stakes scam for the cybercriminals, allowing a quick and easy way to share a spoofed website with many users at once.

Social media posts

QR codes are a common way for users to share content on social media, especially on platforms where sharing links might be restricted. Some social media sites can automatically detect and flag scam links. Using an image of a QR code instead helps cybercriminals bypass this block and share their scam more efficiently.

Pop-up ads

QR codes in pop-up ads may be less effective than other scams because an adblocker might filter them out. However, they allow for a more effective way to get the users to access the scam link. Pop-up ads are usually interactive, meaning that the scammer can add a link not just inside the QR code but also make it accessible by just clicking the ad. The user then unintentionally opens the scam site and might interact with it, thinking it’s legitimate.

Sign-up forms

Sign-up forms are an easy way for cybercriminals to gather information they can use for different types of identity theft. A user scans the QR code and opens a sign-up form for a newsletter, subscription, or other service. They enter personal details, including their legal name, home address, and payment information, which cybercriminals can then access and use maliciously.

Shopping scams

QR shopping scams typically focus on stealing financial information. A user scans the code expecting to receive a special discount or exclusive access to an item or service. They enter their payment details and delivery address. However, instead of receiving their desired item, they end up unwittingly submitting their financial information to criminals.

Restaurant menus and payments

Restaurants often allow customers to scan QR codes to access the menu or pay the bill. Criminals can hijack the DNS traffic, redirecting it to a scam site that looks like the payment page. The customers then enter the payment information as normal, while the criminals gain their financial details, and the bill is left unpaid.

Flyers in public spaces

A common way to share a fake QR code is to print it out and place it in a public place, like a bulletin board or a street sign. Such flyers often contain very little information besides the code, making them indistinguishable from other QR codes. The aim is to get as much exposure as possible by placing the code in a public location for passers-by to scan it out of curiosity. If they scan the code and interact with its hyperlink, they may fall for the phishing scam.

Physical mail

Similar to public flyers, scammers may place letters containing fake QR codes directly in physical mailboxes. These letters can be part of broader scams. For instance, they may imitate legal documents, overdue payment warnings, or requests to provide further information. For the recipient’s “convenience,” these letters contain a QR code they can scan to access a quick way to make a payment or submit information. The scammer can then obtain this data and use it for identity theft, credit card fraud, or other criminal activities.

Cryptocurrency and NFTs

People often share QR codes to mine new cryptocurrency coins or access non-fungible tokens (NFTs). Fake codes used in crypto scams often contain malware and can be shared from one crypto wallet to another. For instance, a user might receive a file containing the QR code in their digital crypto wallet. Once they scan the code and open it, they download a file claiming to contain a token. If they interact with the file, hackers can take over their device with malware and use it to steal assets in the wallet.

Fake QR code scanner apps

In some cases, scammers might create a fraudulent QR scanner app instead of using a specific code. The user installs the app and grants it a high level of permission to access the device. The app actually works as malware and is used to access internal files, log the user’s keystrokes, and steal sensitive information.

How to identify a fake QR code

A fake QR code isn’t easy to identify just from the outside. Each code consists of just black squares, with each creating a unique pattern that provides no information about what’s actually encoded inside. This means you can’t know what the code contains before you scan it.

However, you can see the signs of a fake QR code based on context clues surrounding it:

  • The code is the only element. Cybercriminals might not want to be too revealing about their schemes. If you spot a QR code that doesn’t contain any surrounding information, avoid scanning it — you have no way of knowing what it relates to.
  • Grammatically incorrect language. One of the most common telltale signs of phishing scams is incorrect or strange grammar. In general, you can follow the same rules you would use to identify phishing emails to notice suspicious QR code use.
  • Suspicious link preview. Scammers often use link shorteners and custom redirects to make their phishing sites appear more legitimate. Try to copy the link before opening it and check if it’s a real website or a scam.
  • Missing visual components or design inconsistencies. Phishing websites can appear very similar to real ones. If you open a QR code, check the real website on a separate tab and see if there are any differences in its layout and visual elements.
  • Unexpected automatic downloads. QR codes can mask malicious files. If you open the encoded link and your device automatically downloads a file, don’t open it. Instead, run it through an antivirus check or delete it altogether.
  • Pressure tactics and urgency. Cybercriminals often use pressure and manipulation in online scams to ensure their targets fall for the scheme without overthinking it. Don’t rush into submitting sensitive information without double-checking if the request is real.
  • Requests for highly sensitive information. Scanning QR codes can lead to websites that require you to provide personal information, like your full name, address, Social Security number, or banking details. Avoid providing any identifying information without first confirming that it will be processed securely.

How to check if a QR code is safe or not

The QR code itself reveals little about its content before you scan it. However, you can use some context clues to tell if a QR code you’ve come across is safe or not. See if there’s external information surrounding the code, like a description of the service, its provider, and where the code redirects. If you can, double-check the website or service provider that’s advertised with the code. If you identify any of the aforementioned red flags or simply have doubts about the code’s security, avoid scanning and interacting with it.

Make sure you use a secure QR code reader. Your device may have a built-in reader with security features that can check the links before you open them. Be mindful of third-party scanners — check their reviews and user feedback before installing, in case they don’t offer security checks or are malware in disguise.
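The link check described above (the "suspicious link preview" sign and a reader that checks links before opening them) can be sketched as follows. This is an added example, not code from any particular scanner app; the function name, flag names, shortener list, and sample URLs are constructed for illustration.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed, deliberately short sample list; a real reader would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return warning flags for text decoded from a QR code (empty list = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi, SMS or plain-text payloads; don't open those as links.
        return [f"non-web-scheme:{scheme or 'none'}"]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no-host"]

    flags = []
    if scheme == "http":
        flags.append("no-tls")              # page is served without encryption
    if parts.username or parts.password:
        flags.append("userinfo-in-url")     # "brand@realhost" trick hides the real host
    if is_ip_literal(host):
        flags.append("ip-literal-host")     # legitimate services rarely link to raw IPs
    if host in SHORTENERS:
        flags.append("link-shortener")      # final destination is hidden until opened
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")       # possible lookalike (homograph) domain
    if expected_domain:
        want = expected_domain.lower().rstrip(".")
        # Accept the advertised domain or its subdomains only.
        if host != want and not host.endswith("." + want):
            flags.append("domain-mismatch")
    return flags


if __name__ == "__main__":
    # Constructed samples: a menu link that matches the venue, and two that do not.
    for url in ("https://menu.restaurant.example/table/12",
                "http://bit.ly/3abcd",
                "https://restaurant.example.pay-now.example/bill"):
        print(url, "->", triage_qr_payload(url, "restaurant.example") or "no flags")
```

An empty result only means none of these checks fired; a flagged link calls for the manual cross-check against the provider's real website described above.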

What can happen if you scan a fake QR code?

Simply scanning a fake QR code shouldn’t put your device or data at risk. However, the danger lies in actually interacting with the information encoded in the QR. If you open and interact with the website by downloading files it contains or entering your personal details, you could become a victim of a quishing scam.

  • Phishing. The personal details you submit on the website used for quishing can be stolen and mishandled by cybercriminals.
  • Unauthorized payments. If you submit your financial details, hackers may make payments or take out loans in your name.
  • Malware installation. You may accidentally infect your device with malware and grant criminals access to it.
  • Data loss. With malware installed, cybercriminals may steal your personal files and delete them from your device.
  • Identity theft. Depending on the information you provide, ranging from your full name and email address to your Social Security number, cybercriminals may use it for different types of identity theft.

What to do if you scanned a fake QR code

If you only scanned the QR code but didn’t interact with it, you should be in the clear. Delete any screenshots or photos of the code from your device to avoid accidentally interacting with it in the future. However, if you scanned the QR code and interacted with the encoded content or downloaded and opened a suspicious file, you should immediately take security precautions.

  1. Disconnect your device’s internet connection and close the website immediately. If an automatic download has started, switching off the connection will prevent it from finishing.
  2. Delete any suspicious files on your device and don’t open them in case they’re malware.
  3. If you opened any new files after scanning the QR code, run an antivirus scan to ensure your device is safe from threats.
  4. If you submitted your account information to the phishing website, change your login credentials immediately. Make sure to update other accounts that may use the same login details.
  5. If you entered your financial information, freeze your credit card. This will help prevent criminals from accessing and mishandling your finances if your identity is stolen.
  6. Alert your bank to the potential identity theft and data breach. That way, if they notice suspicious financial activity, they can flag it and inform you.

How to recover from a QR code scam

You should treat quishing attacks similarly to other online scams and follow the best practices to protect your personal information as quickly as possible. By acting proactively, you improve your chances of preventing identity theft.

  • Contact your bank and credit providers. If your bank details were stolen in a quishing scam, get in touch with your bank and credit providers to report an incident. You can request any of the three major credit bureaus — Equifax, Experian, and TransUnion — to freeze or lock your credit account.
  • Report the fraud to the authorities. File a police report about stolen personal information and contact the Federal Trade Commission (FTC) to report identity theft.
  • Monitor your personal and financial accounts for unusual activity. Look out for unusual login sessions, unauthorized payments, or attempts to remotely access your devices.
  • Reinstall and delete apps or reset your device if it’s compromised. Some malware can be trickier to remove. Consider resetting your device to its factory settings to completely remove suspicious apps.

How to protect yourself against QR code scams

QR code scams can be unpredictable and hard to identify. However, you can protect your personal information from quishers by using reliable security tools and keeping your data in check.

  • Keep your device and apps updated. Regular updates help patch security exploits that QR scams might try to take advantage of.
  • Run routine antivirus scans. Regularly checking your device for malware and other issues lets you respond to active threats quickly.
  • Use secure QR scanner apps. Some apps have spam filters that let you know if the code you’ve scanned leads to a flagged website.
  • Be cautious when and where you share your personal information. Always cross-check the websites to see if they’re legitimate before you submit sensitive data, like your full name or payment details.
  • Use online identity protection services. Take a more proactive approach to your personal security. With an identity theft protection service like NordProtect, you can get online fraud coverage and receive up to $10,000 in reimbursement for losses caused by a scam.

FAQ

Can QR codes infect your device without being scanned?

No, a QR code by itself is only an image used to store data. It can’t cause any harm to your device unless you scan it and interact with the encoded data.

Can a QR code be hacked?

Yes, a QR code can be hacked using a technique known as QRjacking. Cybercriminals can use fraudulent QR codes to infect devices with malware if the user interacts with a malicious link. They then use this malware to access and funnel data from the device or intercept the network system.

Are all QR codes risky?

No, not all QR codes are inherently risky. However, cybercriminals can exploit and tamper with QR codes, using phishing links or DNS poisoning to reroute users’ traffic to malicious websites or malware downloads. You should be cautious of these risks when you scan and open content encoded in a QR code.
Kamilė Vieželytė

Kamilė is curious about all things compliance. She finds the prospect of untangling the complicated web of cybersecurity legislation satisfying and aims to make the nuances of identity theft prevention approachable to all.