Updated February 5, 2024
Convenience is king these days, and QR codes are a testament to this. By providing a quick and efficient way to access information, QR codes have become an integral part of our daily lives. It’s reported that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025. It’s a technology tool that is easy to create and easy to use. Unfortunately, those attributes have also provided opportunities for cybercriminals to use QR codes in malicious ways, leading to the rise of QR code phishing scams.
QR codes, or quick response codes, have been around since the 1990s. They are a two-dimensional barcode, and they seemed destined for the history books of technology until they made a resurgence during the pandemic. QR codes ended up being an easy tool for limiting interactions at restaurants and other service businesses during social distancing. Now they are everywhere – on TV, at the airport, in restaurants, you name it.
Anyone can create a QR code using one of several online tools, and for the most part, scanning a QR code on your phone is harmless. But a QR code ultimately just hands you a link, and bad actors can use that link to take you to a spoofed website that gathers personal information and steals credentials.
QR code phishing scams typically follow a specific pattern. First, the scammer generates a malicious QR code linked to a phishing website or malware. This code is then placed in public areas or sent via email or text message disguised as legitimate promotions or services.
When an unsuspecting user scans the fraudulent QR code using their smartphone, they are redirected to a fake website that mimics a genuine site they trust. The user may be asked to enter sensitive information such as login credentials, credit card details, or personal identification numbers. It’s also possible that scanning the code might trigger an automatic download of harmful software onto their device.
Scammers put their QR codes in places where people typically expect to find them like parking meters, restaurant menus, and even in emails. They simply wait for someone to scan the code and access the link.
Here is a summary of the three primary ways QR code phishing scams work.
Malware downloads.
Another method involves initiating the download of malware onto the user's device. Once the QR code is scanned, the device may automatically download malicious software, compromising the user's data and privacy.
Cybercriminals may use QR codes to collect personal information by directing users to fake surveys or forms. Unsuspecting individuals may willingly provide sensitive details, thinking they are interacting with a trustworthy source.
Let’s take a deeper dive into three examples of QR code phishing scams.
The Austin, Texas police department recently reported finding 29 fraudulent QR codes on the city’s parking meters. When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking. But when they entered their credit card information, it was sent to scammers who could then use it to make fraudulent purchases.
With a tight labor market, many restaurants have continued to provide QR codes to customers for menu viewing and ordering post-pandemic. Scammers have taken advantage of this trend and can replace these QR codes with codes that redirect you to a phishing website that will steal your personal information.
The consequences of falling victim to these scams can be devastating. Once cybercriminals have your sensitive data, they can commit various types of fraud such as identity theft and unauthorized transactions on your bank accounts.
Moreover, if your device gets infected with malware from scanning a malicious QR code, it can lead to further complications like data loss and privacy invasion. The malware could also turn your device into part of a botnet – networks of infected devices used by hackers for coordinated cyber-attacks.
The good news is there are several steps you can take to protect yourself from QR code phishing scams.
Before scanning any QR code, ensure that it comes from a legitimate and trusted source. If you receive a QR code via email, messaging apps, or social media, double-check the sender's identity. Be careful about scanning QR codes in public spaces.
If you receive a QR code from a trusted source via email, confirm separately with a phone call or text message that it is legitimate.
Before interacting with the content, review the preview of the QR code’s URL destination. Make sure the website uses HTTPS and that the domain name has no misspellings, and confirm the domain name separately in a browser rather than trusting the link.
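The URL review described above can be done by eye, but it is also easy to script, and a script is less likely to miss a one-character misspelling or a real domain buried inside a longer attacker-controlled host. The following is an added example, not code from this article or from Locknet. It assumes a hypothetical parking vendor domain, parkpay.example, that you have already confirmed out of band (for instance by a phone call to the vendor), and every sample payload in it is constructed. One caveat the script makes explicit: HTTPS only means the connection is encrypted. Phishing sites routinely have valid certificates, so the domain check is the one that actually matters.

```python
"""Vet the URL decoded from a QR code before opening it.

Added example, not from the original article. The expected domain
(parkpay.example) is hypothetical and all payloads are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return a list of findings; an empty list means the URL passed every check.

    The checks mirror the article's advice: HTTPS, no misspelled domain, and a
    host that really is the domain you verified separately. HTTPS is checked
    first but is the weakest signal; the domain comparison decides.
    """
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    if not host:
        findings.append("no host in URL")
        return findings
    if parts.username or parts.password:
        # "https://real-domain@attacker-host/" shows the real name first in previews.
        findings.append("URL embeds credentials before the host (user@host trick)")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain name")
        return findings
    except ValueError:
        pass
    if host == expected or host.endswith("." + expected):
        return findings  # exact domain or a genuine subdomain of it
    # From here on the host is NOT the expected domain; explain why it looks off.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized host: possible homograph of the real domain")
    if expected in host:
        findings.append(f"'{expected}' appears inside '{host}' but is not the registered domain")
    elif _edit_distance(host, expected) <= 2:
        findings.append(f"'{host}' is a near-misspelling of '{expected}'")
    else:
        findings.append(f"host '{host}' is unrelated to expected '{expected}'")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner app would decode them.
    samples = [
        "https://parkpay.example/meter/1042",
        "https://pay.parkpay.example/meter/1042",
        "http://parkpay.example/meter/1042",
        "https://parkpay.example.pay-now.invalid/meter/1042",
        "https://parkpay.examp1e/meter/1042",
        "https://parkpay.example@evil.invalid/meter/1042",
        "https://192.0.2.44/meter/1042",
        "https://p\u0430rkpay.example/meter/1042",  # Cyrillic 'а' in place of Latin 'a'
    ]
    for url in samples:
        problems = vet_qr_url(url, "parkpay.example")
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

Run it as is to see each constructed payload classified; in practice you would feed it the string your scanner app shows in its preview and the domain printed on the vendor's own signage or statement, not the domain printed next to the code.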
Regularly updating your device’s operating system and apps can help protect against malware and other security threats.
While QR codes offer convenience and efficiency, they also present new opportunities for cybercriminals to exploit unsuspecting users. By understanding how QR code phishing scams work and taking preventative measures, you can enjoy the benefits of this technology without falling prey to these scams. So next time you're about to scan a QR code, take a moment to ensure it's safe – it could save you from a world of trouble.
Organizations should consider investing in security awareness training for employees to recognize and mitigate potential risks associated with QR code phishing scams. The training should emphasize the importance of verifying sources and the potential consequences of falling victim to a variety of phishing scams, including QR codes.
In addition to providing security awareness training for your employees, the team at Locknet Managed IT can do a full security assessment of your organization to find the gaps that may be putting you and your employees at risk.