They've become a ubiquitous part of life—but be careful when you use one

On this page: How QR Code Scams Work | How QR Code Scams Are Distributed | What Can You Do? | Additional Info

QR codes—those squares full of smaller squares that you can scan with your phone to open a web page—are having a moment. They've been around for a while, but they never quite caught on for a number of reasons, chief among them that you used to have to find and download an app to use them. When the pandemic forced people to rethink things like handing out physical menus, scanning a QR code to open a website or PDF seemed like a good solution. And by then, QR code scanning was a built-in camera or toolbar function on most phones. Now, using your phone to scan a QR code is just something we do without thinking.

Or most of us have been doing it without thinking about it. Some people have been thinking about it quite a lot. Specifically, they thought about how to use the newfound ubiquity of QR codes in public settings to scam people. What they came up with is simple but effective.

How QR Code Scams Work

You can't tell what file or web page a QR code will open until you scan it, and even then the link displayed may not give you much of a clue. The link may be shortened, point to an unfamiliar location, or point to a site that automatically redirects you elsewhere. If that elsewhere is a brunch menu or the page for an event, no worries. But if it’s a malicious site—well, many worries.

Such sites go to work as soon as they start loading. Often, you don't need to do anything other than follow the first link to open yourself up to cyberattack. Things that can wind up on your laptop or phone include keyloggers (hidden software that records everything you type, like passwords and personal email) and botnets (which steal your computer's connection for the hacker’s purposes, such as using it in large-scale hacking efforts or Bitcoin mining).

This doesn't mean you should never scan a QR code. These days, it's hard to avoid them. What it does mean, though, is that you should think twice about what you scan.

How QR Code Scams Are Distributed

With QR code scams, it's not so much about the type (it's all basically the same approach) as the where and when. Some of the distribution methods for fraudulent QR codes include:

  • Email: If you get an unsolicited email asking you to scan a QR code—don't. Ever. It's one of the easiest methods of distributing scam codes. The more "urgent" the email claims to be, the more suspicious you should be.
  • Posters, restaurant tables, and other public spaces: When a QR code is presented in a public or outdoor setting, it can be as simple as putting a sticker with a different QR code over the legitimate code. Take a look at it, or run your fingers over it and see if you can detect tampering.
  • A sticker or flyer: It's not unusual for performers, artists, and event organizers to make stickers or print flyers with a QR code on them. Be very careful about scanning that code, especially if it's just a sticker on a sign. Interested in what’s being promoted? Take a regular photo and then look it up online without scanning the QR code.
  •  Multi-factor authentication (MFA) messages: In a recent scam, cybercriminals sent phishing emails disguised as multi-factor authentication (MFA) messages. The email instructs you to scan the QR code to enable MFA on your device. If you scan the QR code, you’ll be taken to a spoofed login page. If you enter your login credentials, cybercriminals could gain access to more of your sensitive information.

What can you do?

A few simple habits will help you avoid scanning a malicious QR code.