QR code scams. How to spot and stop them (guide)

A QR code scam is a repurposed ‘Quick Response’ code. A QR code usually contains a website address (URL), but it can hold up to 4000 characters and, depending on what those contents are and how your smartphone’s scanner handles them, it can trigger actions on your phone.

For example, a malicious QR code could deep link you to a website that serves a .exe (Windows), Mach-O (macOS), or Android (APK or JAR) executable file to install malware or unwanted apps.

It can also add a contact card to your address book, or even compose and send an email from your account. Worse, it can send the QR code scam on to everyone in your contacts list, with your apparent recommendation to check it out.

Rule #1: Only scan a QR code if you are 100% sure it is legitimate.

How do you tell a legitimate QR code from an illegitimate one?

The most obvious sign of a QR code scam is a QR code sticker that has been placed over the legitimate one. This mainly happens at self-service restaurants and cafés where you order via smartphone at the table, but overlaid codes have also been found on display advertising, street pole advertising, parking meters, free public Wi-Fi signs, and anywhere else you expect a code to take you to a website for further information.

The least obvious is where a fake QR code is substituted for the real one online. You might be on your local pizza store’s website, but hackers have replaced its QR code with one that points to a ‘scraped’ copy of the pizza store site. You order, enter your delivery and payment details, and wonder where your pizza is when it does not arrive hot and fresh in 20 minutes. The result is a stream of <$100 fraudulent credit card sales.

Another common QR code scam arrives by unsolicited snail mail or email, offering you a chance to win by scanning the code. Online surveys that use a QR code to reach the survey site are also common.

Rule #2: Scammers go to great lengths to look legitimate. Check the URL the code takes you to against the company’s actual URL.
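As an added example (not part of the article, and not code from any scanner app), the following Python helper triages the text decoded from a QR code before you act on it: it names the payload type the article lists (URL, contact card, email or SMS) and, for URLs, applies Rule #2 by comparing the link’s host with the host you expected, also flagging plain-http links, direct executable downloads and the user@host trick. It assumes the scanner app has already decoded the image into a string; the sample payloads are constructed, and the registrable_host helper is a deliberately crude two-label approximation with no public-suffix list.

```python
from urllib.parse import urlsplit

# File types that should never arrive via a QR code link (constructed list).
EXECUTABLE_SUFFIXES = (".exe", ".apk", ".jar", ".dmg", ".pkg", ".msi", ".scr")


def registrable_host(host: str) -> str:
    """Crude 'example.com' from 'menu.example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_qr_payload(payload: str, expected_host: str = "") -> dict:
    """Classify decoded QR text and return {'kind', 'risk', 'reasons'}."""
    text = payload.strip()
    low = text.lower()
    if low.startswith(("begin:vcard", "mecard:")):
        return {"kind": "contact", "risk": "medium",
                "reasons": ["adds a contact card; verify the source before saving"]}
    if low.startswith(("mailto:", "smsto:", "sms:", "tel:")):
        return {"kind": "message", "risk": "medium",
                "reasons": ["pre-fills a message or call; review before sending"]}
    if not low.startswith(("http://", "https://")):
        return {"kind": "unknown", "risk": "high",
                "reasons": ["unrecognised payload; do not act on it"]}
    parts = urlsplit(text)
    host = parts.hostname or ""
    findings = []  # (level, reason); the worst level wins
    if parts.scheme == "http":
        findings.append(("medium", "plain http: the page can be altered in transit"))
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(("high", "links straight to an executable or installer"))
    if "@" in parts.netloc:
        findings.append(("high", "user@host trick hides the real host in the URL"))
    if expected_host and registrable_host(host) != registrable_host(expected_host):
        findings.append(("high", f"host {host!r} is not {expected_host!r}"))
    order = {"low": 0, "medium": 1, "high": 2}
    risk = max((lvl for lvl, _ in findings), key=order.get, default="low")
    return {"kind": "url", "risk": risk, "reasons": [why for _, why in findings]}


if __name__ == "__main__":
    # Constructed sample payloads, not real scam codes.
    for payload, expected in [
        ("https://menu.example-pizza.com/table/12", "example-pizza.com"),
        ("https://example-pizza.com.menu-orders.example/t/12", "example-pizza.com"),
        ("http://files.example/update.apk", ""),
        ("MECARD:N:Support Desk;TEL:+61000000000;;", ""),
    ]:
        print(triage_qr_payload(payload, expected))
```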

Social media is awash with QR code scams

There is a considerable likelihood that a QR code on a social media influencer’s page is more than it seems. At the very least, it gathers personal data to sell. At worst, it plants trackers in your browser and monetises your browsing history.

Rule #3: Never trust social media QR codes.

What to do if you suspect a QR code scam

  • Immediately change your passwords for any online account used for payment.
  • Advise the bank and try to stop or reverse the payment.
  • Report the scam to the original retailer, café etc.

Rule #4: The faster you act, the less the damage.

  • Be alert for later signs of ID theft: strange unsolicited emails, unexpected bills, failed login attempts on your email account (likely password theft followed by a password change), and so on.
  • Change all financial passwords and make sure you have multi-factor authentication turned on.
  • Consider an ID theft service; read Norton Identity Adviser Plus – protect your identity from theft.
  • If you have malware, use the free Malwarebytes Android scanner to check for and remove it. It is an almost essential tool that does much more, so consider the more fully featured paid version.
  • Read Kaspersky’s guide that explains QR codes in full.

CyberShack’s view – QR codes are wide open to abuse

I now refuse to use QR codes for ordering in a restaurant. Why? I don’t trust them, and I want to physically swipe/tap my credit card to make a payment. Restaurants know this issue, and most will take an order and payment at the counter.

A friend has been scammed by a QR code at the petrol bowser. The first he knew was when he checked his credit card statement, which had lots of <$100 transactions. To add insult, he received a summons including substantial legal costs to pay for the petrol.

A non-tech-savvy senior friend was scammed using a QR code to claim a so-called prize from a well-known retailer that you have a 50/50 chance of shopping at.

Rule #5: Cybercriminals are smart and out to get you – caveat emptor.