QR Code Scams Security Tips

What is a QR Code?

QR codes (short for “quick response”) are a modern, digital version of more traditional barcodes. They can contain more information, can be read more quickly, and are commonly used as a touchless option for paying or accessing other digital content (e.g., videos, menus, etc.). Generally, a mobile phone or other device is used to scan the code, which causes a link to pop up for you to click.

What is the danger?

Quishing, also known as QR code phishing, is a criminal tactic that tricks people into scanning malicious QR codes. If an attacker can convince you to scan a bad QR code, they can potentially:

  • Take you to a fake website that will prompt you to unknowingly enter personal information. 
  • Infect your device with malware, gaining complete access. 
  • Send an email from your account. Scammers can program the codes to open payment sites, follow social media accounts and send pre-written emails. 

Since the human eye can’t “read” a QR code, people can’t easily differentiate between a genuine QR code and a malicious one. And since the codes are easy to generate and distribute, bad actors can easily conduct a widespread quishing campaign rather than a phishing attack.

How does it work?

In public places, criminals can cover an official code with a sticker or printout showing a fraudulent code. QR code attacks may also incorporate steganography, a technique of hiding encrypted data with malicious content inside images in such a way as to be virtually undetectable. Another area of particular concern is cryptocurrency. Crypto transactions are often made through QR codes associated with crypto accounts, making this an appealing target for fraudsters. Here are some commonly observed places for criminals to leverage QR code scams:

  • Parking meters 
  • Phishing emails 
  • Restaurant menus
  • Mailings
  • Unexpected package deliveries
  • Social media
  • Crypto websites
  • Fuel pumps

QR Code Safety Tips

To stay safe when using QR codes, you can:

  • Verify the source: Only scan QR codes from trusted sources, like official websites or apps. Avoid codes from unfamiliar sources.
  • Check the URL: When the link pops up, look for unusual domain names or shortened URLs before opening it.
  • Check for tampering: Look for signs of tampering with codes in public places, like altered graphics, design flaws or stickers placed atop original codes.
  • Be suspicious: If, after scanning a QR code, the site asks for a password or login information, treat it as a red flag.
  • Be wary of promotions: Be cautious of offers that seem too good to be true.
  • Use a secure connection: Look for a secure connection (HTTPS) or a padlock.
  • Use a trusted scanner: Use a trusted QR code scanner app from a reputable app store. Don’t download an app from an obscure vendor.
  • Confirm validity of request: Before taking any action, like making a payment or entering personal information, confirm a request to scan with the company. If you receive a QR code from someone you know, reach out to them through a known number or email to verify they sent it.
  • Protect your device: Use antivirus and antimalware software.
  • Report: If you identify a suspicious QR code or fall victim to a QR code scam, notify your bank and report it to law enforcement and the Federal Trade Commission (FTC).

To file a report with the FTC, visit reportfraud.ftc.gov or call the FTC’s Consumer Response Center at 1-877-382-4357.

If you are the victim of any type of online fraud, report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
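The “Check the URL” and “Use a secure connection” tips above can also be applied automatically to the text decoded from a QR code, for example in a scanner app or a mail filter. The Python sketch below is an added example, not part of the original page; the shortener list, flag names and sample payloads are constructed for illustration and are not exhaustive.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of link-shortening services (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Schemes that start an action (email, text, call, payment) instead of a page.
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "bitcoin"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return warning flags for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return [f"action-scheme:{scheme}"]   # e.g. a pre-written email
    if scheme not in ("http", "https"):
        return ["not-a-web-link"]
    flags = []
    if scheme == "http":
        flags.append("no-https")             # no secure connection
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return flags + ["missing-host"]
    if parts.username is not None:
        # Text before '@' is not the destination; it can mimic a trusted name.
        flags.append("userinfo-in-url")
    if host in SHORTENERS:
        flags.append("shortened-url")        # real destination is hidden
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")      # bare IP instead of a domain
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("internationalized-host")  # possible look-alike domain
    return flags

if __name__ == "__main__":
    samples = [  # constructed payloads, not taken from real incidents
        "https://www.example.com/menu",
        "http://bit.ly/abc123",
        "https://example-bank.test@203.0.113.7/login",
        "mailto:billing@example.com?subject=Invoice",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s) or "no flags")
```

An empty result only means none of these checks fired; it does not confirm that a link is safe.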

Scammed? Take immediate action!

If you scan a fake QR code, your bank account, email and identity could all be at risk. Consult our Reporting Fraud page on pnc.com for actions to take upon realizing you have been defrauded.