
How to avoid dangerous fake QR codes

Nowadays QR codes are everywhere. While they make it easy to access websites, apps and more, the iconic codes have given hackers a new way to get money or private information. Enter: Quishing. Keep reading to learn more about how to stop scams, why they’re concerning, and how you can protect yourself from falling victim.

What is a quishing scam?

A QR code, short for ‘Quick Response’ code, is a two-dimensional barcode made of small black squares that stores information ranging from tickets to restaurant menus. Because it can be scanned with a smartphone or tablet’s camera, the technology makes it easy to retrieve information in no time.

This easy access is also attractive to bad actors and has led to a scam called “quishing,” or QR phishing. Like traditional phishing attacks, this is done to trick you into unknowingly giving away private or financial information, but it all starts with a QR code.

How does quishing work?

In many cases, a quishing attack starts with an email. The QR code is often sent as a message attachment and appears to come from a legitimate source, such as a bank lender, reports TechRadar.com.

When you then scan the code, you will be taken to a malicious link on the internet. The scammer hopes that you submit your details thinking you are logging in to an official website (such as a bank, for example).

In more advanced cases, the scammer can cause even more damage. Scanning that fake code could install malware or other dangerous software that could infect your device, according to experts from Experian.com. This could result in a data breach or a lockout of your device unless you pay the requested ‘ransom’.

The scammer may also be able to send a modified QR code to access the payment platforms you use, follow certain social media accounts of your own, or send emails using your email address. This can significantly increase the reach of cybercrime as others become targets of phishing attacks from your compromised accounts.

Why quishing is so dangerous

A suspicious email or text message can be enough to alert you that something is wrong, hopefully preventing you from scanning the fake digital QR code. But quishing is starting to spread to public locations, making the scam all the more worrying.

In fact, it has been reported in three states so far, reports KJCT News in Colorado, and the Interstate Technology and Regulatory Council expects the scam to become even more widespread. In these cases, fraudulent QR codes have been placed in public places where it would make sense for them to appear.

Tampered QR codes can appear in restaurants, shops, bars, on packages or even on parking meters and in garages. This became an important issue in Great Britain this summer, where scammers stuck these codes on parking meters. Users would then be taken to a website designed to steal sensitive information, thinking they were just paying their parking fee.

The big problem: an unsuspecting consumer or citizen will not be able to notice that they are being deceived. “Quishing is especially effective because it is impossible for a person to read a QR code without electronic assistance,” write the professionals at Experian.

The contents of the codes can often be hidden and slip past cybersecurity tools, so you won’t know that the code you see was created by an imposter. Even cyber experts have pointed out how sophisticated this scam can be, depending on how tech-savvy the hacker is.

What to do if you’ve been ‘quished’

If you think you have fallen victim to a quishing scam, your first step should be to protect your data. This means you will need to change your login details and passwords for online accounts. If you suspect you have suffered financial consequences, you should contact your credit card company or bank.

For added security, you may want to set up a free fraud alert for yourself through the credit reporting agencies Experian, TransUnion, or Equifax. But if you experience identity theft, notify the Federal Trade Commission, which will help investigate this type of fraud.

How to avoid a quishing scam

Scammers may have found what they think is a successful way to target people, but staying alert can help ensure you don’t fall into their trap. Here are some helpful ways to avoid a quishing scam:

  • Look for spoofed codes: If you are scanning from a paper QR code in a public place, make sure there are no additional stickers on top of the original code. These would indicate a spoofed code placed by a bad actor.

  • Double check if it’s authentic: Only trust codes from a person or organization you recognize. For example, if a restaurant has one for a menu, check with an employee to make sure the QR code is legitimate.

  • Be wary of vague URLs: Carefully examine the URL that comes from a QR code. A short website address that contains strange characters or does not start with “, could be fraudulent. If in doubt, visit the official website of the organization or company.

  • Don’t use one to download an app: Avoid downloading apps directly from a QR code. Instead, go to the app store for your device.

  • Beware of unsolicited QR codes: When you receive an email with a QR code (or a text message) from an unexpected sender, do not scan it. If you think it is safe because it came from someone you know, contact them first before taking action.
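For teams that review reported QR codes, the URL checks in the list above can be scripted. The following is an added example, not part of the original article; the function name, the shortener list, the HTTPS requirement and the sample URLs are assumptions constructed for illustration, and it goes slightly beyond the article by also flagging raw IP addresses and disguised hosts.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage_qr_url(url, expected_domain):
    """Return warnings for a URL decoded from a QR code (empty list = no flags)."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme.lower() != "https":           # assumption: HTTPS is required
        warnings.append("scheme is not https")
    if not host:
        warnings.append("no hostname")
        return warnings
    if host in SHORTENERS:
        warnings.append("link shortener hides the destination")
    if "@" in parts.netloc:
        warnings.append("text before '@' disguises the real host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ASCII or punycode hostname (possible lookalike)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass                                       # a normal DNS name
    expected = expected_domain.lower()
    # Accept the official domain or its subdomains only; a lookalike such as
    # official.example.attacker.test fails this suffix check.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host is not the expected organization's domain")
    return warnings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.cityparking.example/meter/12",
    "http://bit.ly/3xAmPle",
    "https://cityparking.example@203.0.113.7/pay",
    "https://cityparking.example.pay-portal.test/meter/12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_url(sample, "cityparking.example") or "no flags")
```

An empty result means only that none of these heuristics fired; confirming the address against the organization's official website remains the deciding check.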
