QR Code Scams Are Getting Smarter - Stay One Step Ahead in Spotting Fake QR Codes

QR codes have become ingrained in e-commerce. They are used from restaurant menus to mobile banking, digital payments, parcel tracking, promotions, app downloads, and authentication. More than 2 billion users globally rely on QR codes daily.

QR scanners are also easily available. Most smartphone cameras have built-in QR scanning properties in their default software. So, scanning QR codes is quite easy.

Naturally, such an accessible technology will attract bad actors who aim to use it for fraud and scams. Today, we are going to discuss how QR codes are used for scamming and how you can spot them.

How Are QR Codes Used In Scams

Nowadays, QR codes are used in a variety of scams. Let’s take a look at some common forms of scams that utilize QR codes.

1. Phishing with QR Codes (Quishing)

Phishing is a sort of scam in which a bad actor will use a fake URL that is very similar to the original URL of a legitimate website to dupe people. The fake URL has very minor differences that often get ignored at a glance. 

For example, a URL that is “https://www.example.com” can be copied by a scammer by just changing a few letters, like this.

• http://www.example.com
• https://www.examplé.com

In those links, there is only a single letter difference from the original. Link one is missing an “S” from the HTTP, and link 2 has an “e” with a pronunciation marker. 

Or they use URL shorteners to hide the fake link. So, always be careful of URLs that look like “bit.ly,” “tinyurl,” and other shortened links.

Scammers use such fake links to direct users to fake websites that look like the real one and steal the login info of duped people. They ask them to log in and steal the login info entered on the fake website.

Quishing codes are often placed in public places near authentic signs to make them look legitimate. So, they are hard to spot as scam QR codes.

2. Malware Downloads 

Another method of using QR codes for scams is to provide a link that takes the user to a webpage that downloads malware on their device. 

Since QR codes can take automatic action once scanned, users cannot do much to prevent the malware download. So, they need a method of knowing beforehand that the QR code was fake and should not be scanned.

The downloaded malware can wreak all sorts of havoc on your device. It can steal all stored credentials, install a virus, brick your device, or install a crypto miner on it.

And all of this can be done by one unwitting scan of a fake QR code.

3. Payment Redirection

QR codes are one of the most used methods of contactless payments. So much so that many stores, donation centers, and cafes/restaurants have permanent printed QR codes only used for payments.

A savvy scammer can replace these publicly available codes with their own. When customers scan these codes to make a payment, they unwittingly send money to the scammer instead of the intended recipient.

That’s one of the worst scams to fall for because it requires lax security in multiple places at once to work.

So, these are some of the more high-profile QR scams. There are plenty of others as well, but I think we highlighted the dangers of QR scams pretty well with these three. Now, let’s check out how to avoid being scammed by a fake QR code.

How To Spot Scam QR Codes

Here’s how you can spot fake QR codes in advance and save yourself the trouble of getting scammed. 

1. Use an Online QR Scanner

Some built-in scanners offer previews, but dedicated tools give deeper inspection. Online QR code scanners don’t take any action automatically. Instead, they show you a preview of the decoded message and let you choose whether to take action or not.

For example, if I were to scan a QR code with an online QR scanner, I would be shown a preview of the link stored in the code. Now, I can check that link easily and spot if it has HTTPS and no spelling errors. 

If it is a shortened URL, I can use a URL Unshortener or Link Checker tool to see the real link and examine it for issues. This also works for other types of codes that provide contact info, text files, or emails. Instead of opening the app that works with that QR type, you just get a preview first, and you can choose to let it take the required actions or not.

Making this a habit will protect you from a lot of fake QR codes.

2. Do Not Enter Any Info After Scanning a QR Code

If you are using a legitimate QR code for payment processing, you won’t have to enter any kind of information afterwards. Similarly, if you are using a QR code to navigate to a website that you have been to before, do not enter your login information after scanning.

Usually, this happens during phishing. A bad actor may have created the exact same copy of a reputable website to dupe you. However, the real website has stored cookies on your device and does not need you to log in or provide any other information again. A phishing site has no such data, and it wants to steal it from you. So, it will prompt you to enter your information.

So, just remember this rule of thumb to not enter any kind of information after scanning a QR code to protect yourself from scams.

3. Always Check the Physical Area Around the QR Code

In public places, it is not difficult to paste a fake QR code on top of a real one. So, before you scan a code in a cafe, shop, or any other public space, check the physical code to see if it is a sticker on top of the original one. 

You may also find completely look-alike posters, but with different codes. Typically, one of the posters will be covering the other one. In this case, avoid scanning either code because it is better to be safe than sorry. 

Conclusion

So, there you have it, QR scams and how to stay one step ahead of them. The best practice is to always use a QR scanner tool to see a preview of the QR contents without affecting your system. This helps you spot fake codes in advance and protects you from scams.

Security is more about good habits than robust tools. So, always learn good security habits to safeguard your personal data and online life.