QR Codes: Don't Scan a Scam

By Keith Allison | April 11, 2022

They've become a ubiquitous part of life—but be careful when you use one

QR codes—those squares full of smaller squares that you can scan with your phone to open a web page—are having a moment. They've been around for a while, but they never quite caught on for a number of reasons, chief among them that you used to have to find and download an app to use them. When the pandemic forced people to rethink things like handing out physical menus, scanning a QR code to open a website or PDF seemed like a good solution. And by then, QR code scanning was a built-in camera or toolbar function on most phones. Now, using your phone to scan a QR code is just something we do without thinking.

Or most of us have been doing it without thinking about it. Some people have been thinking about it quite a lot. Specifically, they thought about how to use the newfound ubiquity of QR codes in public settings to scam people. What they came up with is simple but effective.

How QR Code Scams Work

You can't tell what file or web page a QR code will open until you decode it, and even then the link your phone previews before opening it may not tell you much. The link may be shortened, point to an unfamiliar domain, or lead to a site that immediately redirects you somewhere else. That preview is still the one moment you get to look at the destination before anything loads, so read the domain rather than tapping through. If the destination is a brunch menu or an event page, no worries. If it's a malicious site, many worries.
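The checks a careful reader would run on that previewed link, written out as a small Python triage script. This is an added example, not code from the original article: it assumes the QR code has already been decoded to a string by the phone camera or a tool such as zbarimg, the shortener and trusted-domain lists are illustrative rather than authoritative, and the sample payloads are constructed. It goes a little beyond the three cases in the text (shortened, unfamiliar, redirecting) by also flagging the userinfo trick (`https://nyu.edu@evil.example/`), raw-IP hosts, punycode look-alikes, and non-web payloads such as Wi-Fi join codes.

```python
"""Triage a decoded QR payload before opening it.

Added example, not part of the original article. Assumes the QR code has
already been decoded to a string; the domain lists and sample payloads below
are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Illustrative list of well-known link shorteners; a shortened link hides its
# real destination until it is followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "rb.gy"}

# Hypothetical allowlist: domains the reader expects a legitimate code to use.
TRUSTED_DOMAINS = {"nyu.edu"}


def _host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(payload: str) -> list[str]:
    """Return a list of warnings for a decoded QR payload (empty = no red flags)."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # "WIFI:", "MATMSG:", "market:", "intent:" and similar payloads act on
        # the device rather than opening a page; treat them as suspect.
        return [f"non-web payload scheme {scheme!r}; do not act on it automatically"]
    if scheme == "http":
        warnings.append("plain http: page is unencrypted and can be altered in transit")

    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]

    if parts.username is not None:
        # In "https://nyu.edu@evil.example/login" everything before '@' is
        # userinfo; the real host is what follows it.
        warnings.append(f"userinfo before '@' disguises the real host {host!r}")
    if _host_is_ip(host):
        warnings.append("host is a raw IP address, not a named site")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalized/punycode hostname; check for look-alike letters")
    if host in SHORTENERS:
        warnings.append(f"link shortener {host}: real destination is hidden until followed")

    if any(_under_domain(host, d) for d in TRUSTED_DOMAINS):
        return warnings  # trusted host: only transport-level warnings remain

    # Look-alike: a trusted name appears inside the host but the host is not
    # actually under it, e.g. "nyu.edu.login-verify.example".
    for d in TRUSTED_DOMAINS:
        if d in host:
            warnings.append(f"host {host!r} contains {d!r} but is not under it")
            break
    else:
        warnings.append(f"unfamiliar host {host!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a phone or zbarimg would decode them.
    for p in (
        "https://www.nyu.edu/menus/brunch.pdf",
        "https://nyu.edu@evil.example/login",
        "http://bit.ly/3abc",
        "WIFI:T:WPA;S:FreeCafe;P:secret;;",
    ):
        print(p, "->", triage(p) or ["no red flags"])
```

The script deliberately never fetches the link: following a shortener or redirect chain is exactly the step the article warns against, so the decision to open anything stays with the reader after seeing the warnings.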

Such sites go to work as soon as they load. The most common payoff is a phishing page dressed up as a login screen, parking-payment form, or package-delivery notice that asks you to type in credentials or card details. Less often, the page tries to get you to install software, and what can wind up on your laptop or phone then includes keyloggers (hidden software that records everything you type, like passwords and personal email) and bot malware (which quietly enrolls your device in a botnet the attacker rents out for large-scale attacks, spam, or cryptocurrency mining).

This doesn't mean you should never scan a QR code. These days, it's hard to avoid them. What it does mean, though, is that you should think twice about what you scan.

How QR Code Scams Are Distributed

With QR code scams, it's not so much about the type (it's all basically the same approach) as the where and when. Some of the distribution methods for fraudulent QR codes include:

  • Email: If you get an unsolicited email asking you to scan a QR code—don't. Ever. It's one of the easiest methods of distributing scam codes. The more "urgent" the email claims to be, the more suspicious you should be.
  • Posters, restaurant tables, and other public spaces: When a QR code is presented in a public or outdoor setting, it can be as simple as putting a sticker with a different QR code over the legitimate code. Take a look at it, or run your fingers over it and see if you can detect tampering.
  • A sticker or flyer: It's not unusual for performers, artists, and event organizers to make stickers or print flyers with a QR code on them. Be very careful about scanning that code, especially if it's just a sticker on a sign. Interested in what’s being promoted? Take a regular photo and then look it up online without scanning the QR code.

What Can You Do?

A few simple habits will help you avoid scanning a malicious QR code.

  • Don't download a QR code scanning app. The days of needing a third-party app are over. All major phone manufacturers have built QR code scanning into their devices, either as part of the device's camera or as an option in a toolbar. The built-in scanner also shows you the link before it opens anything; read the domain in that preview before you tap.
  • Don't install an app you get by scanning a QR code. If you're interested in an app, go to Google Play or Apple's App Store and search for it there. Don't trust the QR code, even if it claims to be taking you to the app store. And remember, you should always be careful about the apps you install, even if you get them from an official app store.
  • Check the authenticity, especially in an outdoor location. It's easy to slap a sticker over a legitimate QR code. If something seems off, like a visible sticker, ask your server or someone else who can verify its authenticity.
  • If someone tells you it's urgent, don't do it. Scam QR codes rely on the same strategies as other types of phishing. One of those is creating a sense of unease that if you don't do something right away there will be consequences. Don't fall for it, no matter how successfully a message triggers your anxiety. If you think it might be legitimate, skip the scan and take the time to type in the URL or call a verified support number.

IT Support

NYU IT Service Desk is available 24x7. Please email if not urgent.
