Updated February 5, 2024
Convenience is king these days, and QR codes are a testament to this. By providing a quick and efficient way to access information, QR codes have become an integral part of our daily lives. It’s reported that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025. It’s a technology tool that is easy to create and easy to use. Unfortunately, those attributes have also provided opportunities for cybercriminals to use QR codes in malicious ways, leading to the rise of QR code phishing scams.
So, what exactly is a QR code?
QR codes, or quick response codes, have been around since the 90’s. They are a two-dimensional barcode, and they seemed like they were going to be relegated to the history books of technology until they made a resurgence during the pandemic. QR codes ended up being an easy tool for limiting interactions at restaurants and other service businesses during social distancing. Now they are everywhere – on TV, at the airport, in restaurants, you name it.
Understanding QR code phishing scams
Anyone can create a QR code using several online tools. And for the most part, scanning a QR code on your phone is typically harmless. But that QR code ultimately provides you with a link, and bad actors can then easily take you to a spoofed website to gather personal information and steal credentials.
QR code phishing scams typically follow a specific pattern. First, the scammer generates a malicious QR code linked to a phishing website or malware. This code is then placed in public areas or sent via email or text message disguised as legitimate promotions or services.
When an unsuspecting user scans the fraudulent QR code using their smartphone, they are redirected to a fake website that mimics a genuine site they trust. The user may be asked to enter sensitive information such as login credentials, credit card details, or personal identification numbers. It’s also possible that scanning the code might trigger an automatic download of harmful software onto their device.
Scammers put their QR codes in places where people typically expect to find them like parking meters, restaurant menus, and even in emails. They simply wait for someone to scan the code and access the link.
Here is a summary of the three primary ways QR code phishing scams work.
How QR code phishing scams work:
Fake websites
One common tactic involves redirecting users to fake websites that closely resemble legitimate ones. For example, a QR code might lead users to a malicious clone of a banking website, prompting them to enter their login credentials.
Malware downloads.
Malware downloads
Another method involves initiating the download of malware onto the user's device. Once the QR code is scanned, the device may automatically download malicious software, compromising the user's data and privacy.
Data harvesting
Cybercriminals may use QR codes to collect personal information by directing users to fake surveys or forms. Unsuspecting individuals may willingly provide sensitive details, thinking they are interacting with a trustworthy source.
Let’s take a deeper dive into three examples of QR code phishing scams.
Three QR code phishing scam examples
Parking meters
The Austin, Texas police department recently reported finding 29 fraudulent QR codes on the city’s parking meters. When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking. But when they entered their credit card information, it was sent to scammers who could then use it to make fraudulent purchases.
Restaurants
With a tight labor market, many restaurants have continued to provide QR codes to customers for menu viewing and ordering post-pandemic. Scammers have taken advantage of this trend and can replace these QR codes with codes that redirect you to a phishing website that will steal your personal information.
Emails
While most email services can detect and warn you of malicious links and attachments, they can’t always do the same for malicious QR codes. These scams typically involve receiving an unsolicited email that contains a QR code needed to “view” something that recipient would find important – like a failed payment or shipment from a retailer you trust. The QR code is sent with the enticement of completing the transaction or finalizing the delivery. Recently, workplace QR code phishing examples have also emerged as spoofs of Microsoft security alerts directing employees to update their account’s security settings.
The dangers of falling victim to QR code phishing scams
The consequences of falling victim to these scams can be devastating. Once cybercriminals have your sensitive data, they can commit various types of fraud such as identity theft and unauthorized transactions on your bank accounts.
Moreover, if your device gets infected with malware from scanning a malicious QR code, it can lead to further complications like data loss and privacy invasion. The malware could also turn your device into part of a botnet – networks of infected devices used by hackers for coordinated cyber-attacks.
Avoiding QR code phishing scams
The good news is there are several steps you can take to protect yourself from QR code phishing scams.
Be cautious:
Before scanning any QR code, ensure that it comes from a legitimate and trusted source. If you receive a QR code via email, messaging apps, or social media, double-check the sender's identity. Be careful about scanning QR codes in public spaces.
Verify the source:
If you receive a QR code from a trusted source via email, confirm separately with a phone call or text message that it is legitimate.
Examine the URL:
Before interacting with the content, review the preview of the QR code’s URL destination. Make sure the website uses HTTPS, doesn’t have any misspellings, and confirm the domain name in a separate browser.
Keep your device updated:
Regularly updating your device’s operating system and apps can help protect against malware and other security threats.
Don’t share personal information:
Be extra wary if a QR code takes you to a site that requests payment or personal information.
Stay vigilant against QR code phishing scams
While QR codes offer convenience and efficiency, they also present new opportunities for cybercriminals to exploit unsuspecting users. By understanding how QR code phishing scams work and taking preventative measures, you can enjoy the benefits of this technology without falling prey to these scams. So next time you're about to scan a QR code, take a moment to ensure it's safe – it could save you from a world of trouble.
The importance of security awareness training
Organizations should consider investing in security awareness training for employees to recognize and mitigate potential risks associated with QR code phishing scams. The training should emphasize the importance of verifying sources and the potential consequences of falling victim to a variety of phishing scams, including QR codes.
In addition to providing security awareness training for your employees, the team at Locknet Managed IT can do a full security assessment of your organization to find the gaps that may be putting you and your employees at risk.
