While quick response codes, more commonly known as QR codes, have existed since 1994, they have recently grown in popularity during the pandemic as many restaurants replaced their paper menus with these scannable codes. QR codes have also grown in popularity with scammers as a tool for committing fraud.
Most QR codes that you will encounter are legitimate. So how do scammers leverage this convenient technology to their advantage? They use them to direct people to malicious websites, embed malware and redirect payment.
Advice on how to avoid QR code scams:
- Once you scan a QR code, check the URL to make sure it is correct. A malicious URL may look very similar to the intended, legitimate one but with typos or misplaced letters.
- Do not assume that a site labeled as secure (indicated by a padlock icon shown to the left of a URL beginning with “https://”) is actually a legitimate site. An analysis conducted in 2018 found that almost 50% of phishing websites were “secure” sites. That number is likely even higher now!
- Examine the website itself. Look for things like altered fonts, misaligned graphics and overall poor quality.
- Avoid making payments or entering personal or financial information on a website you reached by scanning a QR code. Instead, manually type a known and trusted URL.
- When scanning a physical QR code, make sure that it hasn’t been tampered with. For example, is the QR code printed on a sticker that has been placed over the original QR code?
- Do not download apps from a QR code.
- Do not download a QR code scanner app; it may increase your risk of downloading malware. (Most smartphones have a built-in scanner in their camera app.)