In today’s tech-driven world, QR (quick response) codes are everywhere. From facilitating contactless payments to accessing menus and websites, these quick response codes offer convenience and speed and are trusted by almost everyone.  

But how do you know what you’re getting with a QR code?  

Fake QR code scams have quickly become a massive issue. These fraudulent codes can wreak havoc on your life, stealing your personal information, infecting your devices with malware, and even leading to financial loss. 

Here, we unwrap how to help avoid fake QR code scams to keep you and your private information safe. 

What Are Fake QR Code Scams? 

With the popularity of QR codes at an all-time high, scammers have begun to use them to perpetrate scams, creating QR codes through free online tools to mimic innocent ones.

By exploiting your trust in QR codes, scammers aim to access and exploit your personal data. They can sell your information on the black market, use it to commit identity theft, or even access your online accounts and steal your money. In addition, fake QR codes can download malware onto your device, compromising your privacy and security. This malware can steal your data, spy on your activity, or even hijack your device for malicious purposes. 

Common Fake QR Code Scams 

Fake QR codes can appear anywhere, so it’s critical to be vigilant. Here are some of the most common places to find fake QR code scams:

1. Contactless Payments:

These scams target places like public transportation ticketing machines, vending machines, or other places where QR codes are used for contactless payments. Fraudsters cover the original QR code with a sticker containing their own malicious code. When scanned, unsuspecting users may unknowingly pay the scammer and provide them with their contact info.

2. Restaurant Menus:

These scams often appear as “digital menus.” When scanned, they may redirect you to a phishing website that looks like the restaurant’s official website but is designed to steal your personal information, including credit card details. 

3. Mail Shipments and Packaging:

These scams come in the form of flyers or brochures offering enticing rewards for completing surveys or entering contests. However, when you scan the QR code, it may lead you to a fake website designed to steal your personal information or download malware onto your device.

4. Fake QR Codes on Public Flyers:

Similar to the previous scam, these QR codes are often found on posters or flyers in public places. They may offer free Wi-Fi, coupons, or other tempting deals. However, scanning them may lead to phishing websites, malware infections, or unwanted subscriptions.

5. Fake QR Codes Sent in Phishing Emails:

These scams mimic legitimate emails from trusted companies or organizations. The phishing email may contain a message urging you to scan a QR code for more information or to access a special offer. If you scan the code, it may lead you to a counterfeit website designed to steal your login credentials or personal information.

6. Parking Meter QR Code Scams:

Scammers have found a way to target unsuspecting drivers by tampering with parking meters. In parking QR code scams, criminals place fake QR code stickers over legitimate codes on parking meters or payment stations. When you scan the fake code, it redirects you to a fraudulent payment website designed to steal your payment information. To avoid falling victim to this scam, always verify the payment URL matches the official city or parking service before entering any personal or financial details.

7. QR Code Package Brushing Scams:

QR code package scams are part of a fraudulent scheme known as “brushing,” where scammers send packages of low-value goods to unsuspecting recipients. These packages often include a QR code to “confirm receipt” or “leave a review.” When scanned, the QR code directs you to a phishing website or downloads malware to your device. To protect yourself, never scan a QR code from an unsolicited package, and report suspicious packages to the retailer or platform.

How Do Scammers Use Fake QR Codes?

1. Stealing Your Personal Information:

Fake QR codes can be used to redirect you to phishing websites that mimic legitimate ones, such as your bank’s website or social media accounts. Once you enter your login credentials on these fake websites, scammers can steal your personal information, including usernames, passwords, credit card details, and even your Social Security number. 

2. Downloading Malware onto Your Device:

When you scan a fake QR code, it can trigger the download of malware onto your device. This malware can be used to steal your data, spy on your activity, hijack your device, or even lock you out of your own files and demand a ransom.

3. Sending Spam and Phishing Emails from Your Device:

Some fake QR codes can give the scammer access to your email account, allowing them to send spam or phishing emails to your contacts. This can further spread the scam and harm others.

4. Following You on Social Media:

Fake QR codes can be used to follow you on social media platforms without your knowledge. This allows scammers to gather information about you and your contacts, which they can use for targeted phishing attacks or even blackmail. 

How to Tell if a QR Code is Fake 

With the growing prevalence of fake QR code scams, it’s crucial to be able to identify the warning signs of a scam code. Here are some things to look for and best practices to remember.

1. Tampering:

Be wary of any QR codes that appear tampered with, such as stickers placed over existing codes, peel marks, or other signs of alteration. These are red flags that the original code might have been replaced with a fake one.

2. Link Preview:

If your device allows link previewing when scanning QR codes, take advantage of it. This feature displays the destination URL before you open it. If the URL looks suspicious, contains typos, leads to an unfamiliar website, or uses an unsecured connection, don’t proceed.

3. Website Red Flags:

Once you reach the website associated with the QR code, be vigilant and browse safely. Look for red flags such as: 

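  • Unsecured URL: Always check for the “https” at the beginning of the URL and the padlock symbol next to it. These indicate a secure (encrypted) connection, but not on their own that the site is legitimate, since phishing sites can use HTTPS too.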
  • Typos and grammatical errors: Legitimate websites typically have professional content and avoid typos and grammatical errors. 
  • Low-resolution images: Low-quality images are often a sign of an unprofessional, hastily created website, which can be a scam. 
  • Unprofessional design: Be wary of websites with a poor layout, outdated design, or excessive pop-up ads. 

4. Extra Caution for Public and Mail QR Codes:

QR codes in public spaces or attached to mailings deserve extra scrutiny. These are more vulnerable to tampering and replacement by scammers. It’s best to avoid scanning them unless absolutely necessary and always double-check their legitimacy before proceeding.

5. Use Built-in Scanner:

Only use your device’s built-in QR code scanner through your camera app. Avoid downloading third-party scanner apps as some may be fraudulent and contain malware. 
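
The link-preview checks in this list (unsecured connection, unfamiliar or misspelled website) and the earlier advice to confirm that a payment URL matches the official service can be applied mechanically once a QR code has been decoded to text. The following Python is an added example, not part of the original article; the function name `triage_qr_url`, the flag names, the short shortener list and the `.example` domains are assumptions chosen for illustration.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Illustrative, deliberately short list (assumption); maintain your own in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_url(payload, expected_domains):
    """Return a sorted list of warning flags for a decoded QR payload."""
    flags = set()
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    if parts.scheme.lower() != "https":
        flags.add("not-https")              # unsecured connection or non-web scheme
    if not host:
        return sorted(flags | {"no-host"})
    if parts.username is not None:
        flags.add("userinfo-in-url")        # text before '@' is not the real host
    if _is_ip(host):
        flags.add("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode-host")          # internationalized name; inspect closely
    if host in SHORTENERS:
        flags.add("shortened-link")         # real destination is hidden
    expected = [d.lower() for d in expected_domains]
    if any(host == d or host.endswith("." + d) for d in expected):
        return sorted(flags)                # matches the official service
    flags.add("unfamiliar-domain")
    for d in expected:
        # Near-miss spelling, or the official name embedded in another domain.
        if SequenceMatcher(None, host, d).ratio() >= 0.9 or d in host:
            flags.add("lookalike-of:" + d)
    return sorted(flags)

# Constructed sample payloads using reserved .example names, not real sites.
EXPECTED = ["pay.cityparking.example"]
SAMPLES = ["https://pay.cityparking.example/meter/1042",
           "http://pay.cityparkinq.example/meter/1042",
           "https://pay.cityparking.example.secure-pay.example/m",
           "https://bit.ly/3xAmPlE"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage_qr_url(url, EXPECTED) or ["no flags"])
```

An empty result means only that none of these checks fired; it does not vouch for the destination.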

QR Code Scam FAQs

Here are answers to common questions regarding QR code scams. 

How do I protect myself from QR code scams? 

To protect yourself from QR code scams, always be cautious when scanning codes from unknown or unsolicited sources. Before scanning a QR code in public places, inspect it carefully for any signs of tampering.  

If your device allows, preview the URL to ensure it looks trustworthy before clicking through. Be especially wary of shortened or suspicious links. Avoid providing any personal or financial information unless you are certain the source is legitimate. Using a QR code scanner with security features can also help by alerting you to any potentially harmful sites. 

What is an example of QR code phishing? 

QR code phishing could occur when a scammer sends you an email pretending to be from a legitimate company, such as your bank. The email might ask you to scan a QR code to access your account or verify information. When you scan the code, it directs you to a fake login page that closely resembles your bank’s site. Once you enter your credentials, the scammer can steal your information and use it to commit fraud or access your account. 

How do I know if a QR code is legit? 

To determine if a QR code is legitimate, first verify that it comes from a trusted source. Consider the context in which the QR code is presented. If it appears in an unexpected location or doesn’t seem relevant, it may be a scam. After scanning, check the destination link before proceeding, making sure it leads to a recognizable and secure website, often indicated by “https” in the URL. Using a reliable QR code scanning app that offers additional security features can also help identify potentially unsafe links. 

How do QR code scams work? 

In a QR code scam, criminals create fake or tampered QR codes to deceive you into visiting malicious websites. When scanned, these codes might redirect you to a phishing site where scammers can steal your personal or financial information. In some cases, the code may trigger the download of malware onto your device. Another common scenario involves scammers using fake QR codes to reroute payments, especially in places where digital payments are common, such as restaurants or parking meters. By disguising these malicious actions behind a seemingly harmless QR code, scammers can carry out their attacks without raising suspicion. 

Bottom Line 

Fake QR codes pose a real danger, but they can be avoided with awareness and caution. Be wary of tampered codes, unfamiliar websites, and suspicious content. Utilize your device’s native scanner and avoid third-party apps. Always double-check links before opening, and exercise extra caution with codes in public or attached to mailings. Remember, your vigilance is your best shield against these threats. 

For the best protection, consider IdentityIQ identity theft protection and credit monitoring services. With IdentityIQ, you can have peace of mind knowing your personal information is safeguarded by a suite of features such as a built-in VPN and antivirus software, identity theft insurance of up to $1 million underwritten by AIG, and 24/7 credit monitoring, internet monitoring, and dark web monitoring with real-time alerts.