QR Codes: A Growing Vulnerability to Cybercrimes


Consumer technologies often improve our lives, but they can give cyber-criminals new ways to threaten our privacy and steal our identities. As QR codes continue to grow in popularity, cyber-criminals have begun using them to conduct malicious attacks. 

Invented in the 1990s, QR codes surged during the pandemic. They offered a way for people to access information and conduct activities in a touchless way. Insider Intelligence reports that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025.

Smartphones make QR code scanning easy. By simply pointing the phone’s camera at the QR code, consumers can access promotions, digital tickets and more. However, not all QR codes are legitimate. 

QR Code Fraud is Rampant

QR code scams hijack normally safe QR codes and send the unsuspecting scanner to phishing websites that steal sensitive personal information. They take advantage of the fact that the human eye can’t detect a fraudulent QR code, so we trust that the code is taking us to the right website.

Identifying a fraudulent QR code is difficult. In fact, many people don’t even know that fraud can happen through a QR code, and they scan them wherever they go.

The FBI has issued warnings about tampered QR codes. Victims can be directed to a website that is disguised as legitimate but gathers identity information and inserts digital infections.

Recent QR Code Scams

  • Parking meter payment: Fraudulent QR codes have often been placed on the back of parking meters, leading victims to assume they can pay for parking through the QR code. After paying through the QR code, some victims return to find their vehicle has been towed or has received a parking ticket. Plus, their payment information is typically harvested for later use.
  • Bank phishing scams: Bank branches often have a sign on their entry doors or an easel placard with special promotions encouraging the use of additional services or new account signup. A cyber-criminal can easily overlay the QR code with one that redirects to their malicious site. 
  • Cryptocurrency wallets: The rise of cryptocurrencies has lured many to transactions that are ripe for scammers. The trading of cryptocurrencies such as Bitcoin is conducted online, and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code. 
  • Romance scams: Some cyber-criminals spend months building an online romantic relationship with their victim, ultimately offering financial advice or asking for financial assistance through a cryptocurrency exchange. The victim follows the provided QR code and transfers the requested money to the scammer’s digital wallet. 
  • Utility and government impostors: Cyber-criminals often disguise themselves as representatives from a utility company, the Social Security Administration, or the Internal Revenue Service (IRS) regarding an outstanding debt. The scammer claims that failure to pay will result in arrest, additional fines or shutting off access to electricity, gas or water. The cyber-criminal may tell the consumer that the payment portal for these services is currently offline, but they can submit payment through another portal they can access by following a link or scanning a QR code.

How to Avoid Becoming a Victim of QR Code Fraud

The National Cybersecurity Center (NCC) advocates good cyber-hygiene so that if a malicious QR code is scanned, there is at least a reduced chance of it creating harm. Relevant practices include:

  • Once you scan a QR code, check the web address to ensure it is the intended site and looks authentic. Look for typos or even a single misplaced letter.
  • Be cautious about entering login, personal, or financial information on a site reached through a QR code.
  • If scanning a physical QR code on a sign, window, or placard, ensure it has not been overlaid.
  • Do not download an app from a QR code. Use your phone’s app store for a safer download.
  • If you receive a notice to complete a payment through a QR code, call or access the company’s website to verify. 
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner in the camera.
  • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.

While public awareness around QR code fraud is growing, much more must be done to prevent cyber-criminals from using the technology. That next step must include accountability from every business or entity that uses a QR code to validate their authenticity. 
