Are QR Codes Safe To Scan?
While Quick Response (QR) codes have been around for over 25 years, their use in everyday life has exploded since the start of the pandemic. But are they always safe to scan?
Few people give a second thought when scanning a QR code at a restaurant to view a menu or enter credit card information to pay for their meal. But scammers have started to take advantage of our trust in QR codes.
Since early 2022, the FBI has warned that fake QR code scams are on the rise [*]. These scams hijack normally safe QR codes and send you to phishing websites that steal your financial information (or worse).
So, how can you tell if a QR code is safe to scan? And what should you do if you think you’ve scanned a code that’s been tampered with?
In this guide, we’ll explain how fake QR code scams work, common scams to be cautious of, and what to do if you think you’ve scanned a malicious QR code.
How Do QR Scams Work?
Anyone can create a QR code by using a number of free online tools. This makes QR codes easy for businesses to use — but it’s also easy for scammers to take advantage of them.
To create a QR code, businesses go to an online QR code generator and input the URL to which they want to send customers — a menu, login page, survey, or payment processor. The program will then produce a unique QR code that, when scanned, automatically directs customers to wherever the QR code creator wants them to go.
That is, unless a cybercriminal has tampered with or replaced the QR code.
QR code scams take advantage of the fact that the human eye can’t “read” a QR code — so we need to trust that the code is taking us to the right URL or doing what it’s supposed to do.
But because QR codes are so easy to create, scammers can replace legitimate ones with their own fraudulent codes. These "fake" QR codes redirect you to malicious websites designed to steal your sensitive information. Unbeknownst to you, you could be offering your information to a fake payment terminal or a convincing look-alike login screen.
Scammers put their QR codes in places where people usually expect to find them — like at a restaurant or even in an email — and then wait for someone to scan the code.
What Happens If You Scan a Fake QR Code?
First off, there’s technically no such thing as a “fake” QR code. The codes themselves aren’t dangerous — it’s how they’re used that can become problematic.
A QR code doesn’t only direct you to a URL. Instead, there are a few different ways that scammers use QR codes to steal your personal information or commit fraud:
- You could be taken to a “phishing website.” Scammers create sites that look convincingly similar to what you expect, and then they ask for your sensitive information. But anything you enter — name, contact information, credit card number — goes to the scammer and can be used to steal your identity.
- Your device could be infected by malware. QR codes can also download malicious software onto your device such as malware, ransomware, and trojans. These viruses can spy on you, steal your sensitive information or files (like photos and videos), or even encrypt your device until you pay a “ransom.”
- The QR code could send an email from your account. QR codes don’t just send you to websites. Scammers can also program the codes to open payment sites, follow social media accounts, and send pre-written emails. For example, if you scan a malicious QR code, it can compose and send an email from your account. There are all sorts of ways that scammers can use QR codes to implement phishing attacks or potentially ruin your reputation.
With nearly 50% of people saying they feel most secure scanning QR codes in restaurants, bars, cafes, and stores [*], it’s easy to see how you could fall prey to a scam.
So where should you be most cautious when scanning a QR code?
The 9 Latest QR Code Scams
- QR code scams on parking meters and other contactless payments
- Fake QR codes sent in phishing emails (failed payments, credential phishing, etc.)
- Tampered QR codes in restaurants
- Fake QR codes sent through the mail (surveys, sweepstakes, etc.)
- QR codes on unexpected package deliveries
- QR codes at sham COVID-19 testing centers
- QR codes sent over social media (hacked accounts)
- Cryptocurrency QR code scams
- Fake QR code scanner apps that download malware
1. QR code scams on parking meters and other contactless payments
One of the most common uses of QR codes is to enable customers to quickly pay for goods and services, such as meals or parking. But any QR code placed in public offers a prime opportunity for a scammer.
For example, the Austin, Texas police department recently reported finding 29 fraudulent QR codes on the city’s parking meters [*].
When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking. But when they entered their credit card information, it was sent to scammers who could then use it to make fraudulent purchases or even sell the victims’ personal data on the Dark Web.
Austin wasn’t the only city hit with this QR code scam. The police department in San Antonio issued a similar warning [*], indicating that there are likely more of these scams.
According to surveys, eight out of 10 people reported that they used a QR code for contactless payments in 2021 — double the number from 2020. This makes QR code payment scams one of the primary tactics used by scammers.
To protect yourself from these types of scams, never pay through a QR code — especially if the code was placed in a public area. Always double-check the website’s URL that is requesting your payment information (or ask a server, if you’re in a restaurant).
Warning signs of QR code payment scams:
- The QR code is in a public place or at a location where it could easily be tampered with.
- The payment site you’re taken to has signs of a fake website scam, such as bad grammar, poor design, or an odd URL.
- The URL name is different from what you expect to see, or it isn’t “secure.” (Secure websites use HTTPS — not HTTP — and will display a padlock symbol near the URL.)
2. Fake QR codes sent in phishing emails
Be cautious of any QR code that is sent in an email. While most email services can detect and warn you of malicious links and attachments, they can’t do the same for malicious QR codes.
These scams typically entail receiving an unsolicited email that contains a QR code needed to “view” a document, invoice, picture, or something else that is enticing to the recipient.
For example, scammers will often send “failed payment” emails that include a QR code.
These scams claim to come from a retailer you trust, like Amazon or Walmart. The email will claim that a recent purchase of yours didn’t go through and that you need to scan the QR code to complete the transaction.
But again, if you enter your credit card information, it will go straight to the scammer.
As a general rule, don’t scan QR codes that are sent to you in emails. If you think an online purchase didn’t go through, log into your account directly on the company’s website instead of using a QR code.
Warning signs of a QR code phishing email scam:
- Any QR code embedded in an unsolicited email can be a scam. If you don’t know the sender, don’t scan the QR code.
- The typical warning signs of a scam email are also indicators of a QR scam — such as coming from a generic domain (Gmail, Yahoo, etc.), containing spelling errors in the domain (“WALMRAT” vs. “WALMART”), and using urgent or threatening language, etc.
- The email is about a delivery, purchase, or account that you don’t have, didn’t request, or haven’t used recently.
- You receive an email from a friend or contact with a QR code embedded in it. Scammers can use hacked email accounts to launch phishing attacks from recipients who you’re more likely to trust.
3. Tampered QR codes in restaurants
Restaurants are among the most common places where Americans use QR codes. Most restaurants and bars use QR codes for customers to view menus or even order and pay for meals.
Scammers can replace these QR codes with codes that redirect you to a phishing website that will steal your personal information.
If you’re at all unsure about the QR code in a restaurant, ask a member of the staff. Show them the site and URL, and ask if it’s correct. To be extra sure, manually visit the restaurant’s website using your phone’s browser — and only pay in person.
Warning signs of a fraudulent QR code in a restaurant:
- Look for signs that the QR code has been tampered with, replaced, or covered up with a phony version.
- A QR code is located in an unusual place. Be especially vigilant about codes that can be easily moved — such as on napkin holders — or QR code stickers found on the table.
- The website you’re taken to shows signs of a phishing website — like missing the website’s branding, or requiring too much information to sign up for an account (address, phone number, credit card details, etc.).
4. Fake QR codes sent in the mail (surveys, sweepstakes, etc.)
Scammers will sometimes send physical mail containing QR codes claiming to offer giveaways, prizes, or instant coupons. But these are very often scams.
Regard physical junk mail the same as you would spam emails in your inbox. If you don’t know the sender personally, don’t click on (or scan) any links. If it is a legitimate company offering a discount or special offer, visit their website directly to find out.
Warning signs of a QR code scam in your junk mail:
- Any unsolicited piece of mail with a QR code could be a potential scam — especially from debt consolidation services [*].
- The mail piece offers deals that are too good to be true, such as big discounts on luxury items, guaranteed loans, or financing rates.
- The message creates a sense of urgency (“Today only!”) or is threatening (“A warrant will be issued for your arrest”) in its attempt to get you to act.
- You are requested to participate in surveys from Amazon. The company doesn’t send surveys in the mail.
5. QR codes on unexpected packages
Scammers need to create a sense of curiosity in order to bypass your suspicions. And one of the easiest ways they can do that is by sending you a product in the mail. n this scam, fraudsters send you a product from Amazon or another online retailer (also known as a brushing scam) that you never ordered. Inside or on the packaging, you’ll see a QR code with “instructions” on how to return it (or find out more information about your order).
If you scan the code, it takes you to a phishing website that captures your personal information such as your name, address, Amazon account information, and even your credit card number.
Another version of this QR code scam involves a “missed package” notice on your door with a QR code to reschedule “your” delivery. When you scan the QR code, you have to choose between entering personal information or paying an additional shipping fee.
Warning signs of a QR code package scam:
- You receive a package you weren’t expecting — even if it has your name and address on the shipping label.
- A package requires you to scan a QR code to create a return label. If it claims to be from Amazon or another retailer you use, go to their website to check your past orders.
- When you scan the QR code, the website URL you’re taken to is either shortened (hiding its true location), misspelled, or slightly different from what you would expect (i.e., “amazon-support.net”).
6. QR codes at sham COVID-19 testing centers
One of the most commonly reported QR code scams occurs at fraudulent COVID-19 testing centers. According to the Better Business Bureau, these mobile and temporary locations have appeared all across the country with the objective of stealing people’s personal and payment information [*].
When you arrive for your appointment or walk in, you’re told to scan a QR code to “sign in.” But the site you’re taken to asks for more information than you should need to supply for a COVID-19 test. This could include your Social Security number (SSN), photos of your insurance card (which could be used for medical identity theft), and your driver’s license.
In some cases, people never receive their test results. In other instances, they receive fake and random test results. The “Center for Covid Control” is under investigation after numerous complaints have been made.
Avoid this scam by only going to authorized testing centers or pharmacies. Here’s where you can find a list of authorized state, local, and territorial testing sites. When you arrive, ask the workers about which test you will receive and when and how you should expect your results.
Warning signs of a fraudulent COVID-19 testing site QR code scam:
- A QR code “patient sign-in” asks for sensitive information, including healthcare documents and identification.
- The testing facility doesn’t seem legitimate — it may be in a temporary location or not employ knowledgeable staff.
- They use a lookalike website or company name that is close to that of a legitimate testing site.
7. QR codes sent over social media (hacked accounts)
Scammers can send fake QR codes over any platform. In this version of the scam, they use hacked social media accounts to send you a QR code with an enticing message.
Examples might include: “Check out this photo of you I just found!” Because you think the code is from a “friend,” you’re more likely to scan it.
Social media account takeovers are common on all platforms, but they are especially rampant on Snapchat. If an account you follow sends you a strange message containing a QR code, contact the person directly (off that platform) to make sure their account hasn’t been hacked.
Warning signs of a social media QR code scam:
- Someone you haven’t spoken to in a while contacts you with a message and a QR code.
- The message uses some form of social engineering to make you want to click on it — the wording could be threatening, create curiosity, or offer a too-good-to-be-true deal.
- Any QR code in a social media direct message (DM) should be treated with caution.
8. Cryptocurrency QR code scams
Of all the types of QR code scams, cryptocurrency scams are associated with some of the largest financial losses.
Scammers trick you into thinking you’re either getting in on an investment or need to pay a fine using cryptocurrency. They’ll send you a QR code that opens a payment processor which enables you to convert your money to Bitcoin, Ethereum, and other cryptocurrencies. But once you make the transfer, the scammers either disappear or demand that you pay more.
In one example, a victim reported losing over $65,000 when a scammer contacted them and claimed their SSN had been used to run bank scams and launder money. To “protect” the money in their account, the victim was told to scan a QR code and send money to the scammer’s Bitcoin wallet.
Another common cryptocurrency QR code scam involves a fake investment opportunity. These scams often happen on social media or dating sites (crypto investment schemes are one of the more severe dangers of online dating with victims regularly losing hundreds of thousands). Again, the scammer uses a QR code to direct victims to an official-looking site that includes information on how to send them cryptocurrency.
Once you do, you’ll be shown graphs and charts that illustrate your investment growing dramatically in the first few days. The scammer will keep pushing you to invest more. But when you go to withdraw your “earnings,” both your money and the scammer disappear.
Crypto investment scams have increased significantly in recent years:
Unfortunately, because cryptocurrencies aren’t backed by federal or financial institutions, there’s almost no way to get them back once they’ve been sent.
Warning signs of a cryptocurrency QR code scam:
- The scammers guarantee dramatic returns with little to no risk. They’ll often claim to have “secret” or “insider” knowledge.
- Someone claiming to be from a financial institution or government agency insists on payment in cryptocurrency.
- The QR code sends you to a well-designed site explaining the crypto investment, but it won’t give you any specifics about what the cryptocurrency does.
9. Fake QR code scanner apps that download malware
Your phone’s camera is capable of scanning QR codes. But scammers have created fake “scanning apps” that install malware on your device when you download them.
Once downloaded, the app would request an update which downloaded a banking trojan bot known as TeaBot. This malware is designed to steal users' credentials and access their accounts.
Only use your phone’s camera app to scan QR codes. And when it comes to downloading apps, make sure they’re listed in the official iOS and Android app stores.
Warning signs of a fake QR code scanning app:
- The app asks for extensive permissions, like viewing and controlling your screen.
- The app is relatively new and cites reviews that sound fake or stolen.
- If the app asks for an update as soon as you download it, that’s a clear sign that it’s trying to install malware.
How To Protect Yourself from Fake QR Codes
Rather than avoid QR codes entirely, learn how to identify the common signs indicating that you’re dealing with a fraudulent QR code.
Here are a few golden rules for using QR codes safely:
- Look for signs of tampering: Scammers will often replace legitimate QR codes with their own fraudulent ones. Check to see if the code is on a sticker above another one, or if there are signs it has been tampered with.
- Preview the URL before following the QR code: Your phone will tell you the destination to which a QR code is trying to send you. Check the URL to see if it seems safe (or ask a member of the staff if you’re in a restaurant). If the URL is shortened and unreadable, you’ll want to be extra cautious.
- Check the destination site for signs that it’s a phishing scam: Look for signs that you’ve landed on a fraudulent website including misspelled words and typos, unprofessional design and low-resolution images, and unsecure URLs. “Secure” sites use HTTPS (not HTTP) and will display a padlock icon near their URL.
- Be extremely cautious of QR codes in public places or in the mail: A QR code in a public setting or one that arrives in the mail could have been placed there by a scammer or be easily tampered with. Avoid scanning these as much as possible.
- Never download a QR code scanning app: Only use your phone’s camera. You don’t need any other tools to use a QR code.
- Install antivirus software and malware protection: Aura’s antivirus software can protect your devices from malware and warn you of potential phishing sites.
Did You Scan a Scam QR Code? Do This Now
There’s almost no way to differentiate a fraudulent QR code from a real one until you open the link. With the variety and abundance of QR scams out there, it’s more important than ever to be extremely cautious with the information that you provide through a code.
If you’ve already entered sensitive information or downloaded something from a QR code you think may be a scam, take these steps quickly to protect yourself from identity theft and malware:
If you entered sensitive information into a fake QR code:
- Change your passwords and secure your online accounts. Update your login information on any potentially compromised site. Use secure passwords that are at least eight characters long and include upper and lowercase letters, symbols, and numbers. Also consider a password manager. This is a tool that will securely store your passwords and alert you if a site has been compromised. For added security, enable two-factor authentication (2FA) on your accounts using an authenticator app.
- Set up a fraud alert and credit freeze with the major credit bureaus (Equifax, Experian, and TransUnion). If you accidentally entered your financial information, you’ll want to alert the credit bureaus. Fraud alerts and credit freezes make it harder for scammers to commit loan fraud or take out credit cards in your name. For more information, follow the fraud victim’s checklist.
- Notify your bank and credit card company of potential fraud. Call their fraud departments and let them know what happened. They’ll help you close your bank accounts and set up new ones.
- Look for the warning signs of identity theft. Criminals can use your information at any time. Be on the lookout for warning signs such as unexpected charges on your credit card, failed login attempt emails, or missing mail. If you think your identity has been stolen, follow this guide on how to recover from identity theft.
- Consider signing up for identity theft protection. Aura’s all-in-one identity theft protection monitors your online accounts, financial information, and other personally identifiable information (PII) for signs of fraud and identity theft. You’ll receive alerts in near real-time to any suspicious activity so that you can stop scammers before they cause too much damage.
If you scanned a QR code that downloaded malware onto your device:
- Disconnect from your Wi-Fi or cellular network. Turn off any network connection as soon as you realize that you may have downloaded malware. Without a connection, there’s less of a chance the malware can send your sensitive information to a hacker.
- Backup your important files. If your device gets hacked, scammers can steal sensitive documents or photos, or even encrypt your drive and force you to pay a ransom. Backup your files on an external drive to be extra safe.
- Change your passwords immediately. Malware can give scammers access to your online accounts — social media, banking, crypto, shopping, and more. Update your passwords, enable 2FA, and start using a password manager.
- Scan your device for malware. Aura’s antivirus software has anti-malware capabilities and can alert you to any cybersecurity threats.
The Bottom Line: Avoid Fake QR Code Scams
QR codes can be incredibly useful. But scammers are constantly looking for vulnerabilities in new technologies to steal your identity and commit fraud.
Stay safe while scanning QR codes by following these best practices and knowing the common QR code scams. And for added security, sign up for Aura’s all-in-one identity theft protection and digital security solution.