If you’re out and about, chances are you regularly see QR codes. These codes, which are the square black and white boxes you scan on your phone to access a link, stand for “quick response” codes, and they’re used everywhere today. Whether they’re used to access a restaurant menu, get more information about a product in an advertisement or even serve as an alternative payment or login method, QR codes have risen as a convenient solution.
Unfortunately, this convenience has also led to them becoming an appealing method for scammers to commit fraud and steal people’s information, identity and assets. Learn how to spot and avoid QR code scams.
A QR code scam is essentially a phishing scam that utilizes a QR code to trick targets into supplying confidential information or downloading malicious software. What makes QR code scams uniquely insidious is that a QR code is both easy to create and easy to disguise as something harmless or legitimate.
To understand how QR code scams work, it’s important to understand how QR codes work. These codes are like a barcode that can be scanned by your phone to instantly go to a particular website, open a specific app, etc. The code itself just looks like a random pattern to our eyes, but the pattern tells our phones what link to visit.
Because of this, it’s very easy to create a malicious QR code that looks legitimate. When these fraudulent QR codes are scanned, they can automatically download malicious software or lead you to a fraudulent website. These websites are often disguised as legitimate and steal your confidential information.
While QR codes are frequently used by scammers, they also have many legitimate use cases. For example, many restaurants use QR codes as an easy way to access their menu digitally or pay the bill. Likewise, parking meters may have a QR code payment option instead of making people fumble for quarters.
Because the QR code itself looks like a meaningless pattern, scammers will place their malicious QR code over the real one. Since people are scanning the QR code for a legitimate reason associated with a legitimate business, they often don’t realize the possibility it was replaced by a scammer.
We’ve all had it happen to us—receiving an out-of-the-blue text or email with an urgent message about suspicious activity, legal trouble, our car’s extended warranty or countless other classic scams. Now, QR codes are often being included in these messages, enticing you to scan and deal with the issue immediately.
This type of scam entices people into scanning a QR code to earn a prize, reward or an exclusive offer. It often looks harmless at the time, but the website on the other side of the QR code is a malicious site designed to steal your information.
Imagine you see a flyer posted downtown that says, “Scan and enter to win a $100 gift card!” Because scanning the QR code is so convenient and easy, the thought of a low-effort way to win a prize sounds appealing. There’s a very good chance there is no prize and any information you give to enter will be used to steal your identity.
Some scammers will go as far as sending physical mail or a package to your address with a QR code inside. For example, you may receive a fake bill in the mail with a malicious QR code pretending to take you to the payment portal. Or you may receive a package you never ordered with a cheap product and malicious QR code inside. The QR code exploits people’s confusion and will claim to offer more information about the order or a way to request a refund or return.
A big reason QR codes are so popular among scammers is that you can’t tell a QR code is malicious by looking at it. To the naked eye, all QR codes just look like a random square pattern. That said, there are red flags that often indicate a QR code is malicious.
Scammers love sending out text messages, emails and even physical mail and packages with malicious QR codes. If you don’t know why you’re receiving something to begin with, that’s a huge red flag. In the event you aren’t sure if something is legitimate or not, do not scan the QR code. Instead, go directly to the relevant source, such as its website, or call the business directly. For example, if your financial institution sends a random QR code saying your account is compromised and needs immediate action, contact them directly.
While not a foolproof way of spotting a scam, many QR code scams have a “DIY” look to them. If you encounter a QR code that looks like it was taped on top of something, or that is on a flyer with sloppy design, grammatical errors or typos, you may be encountering a scam.
Pressuring people to act quickly is a classic manipulation technique, and QR code scams are no exception. If you are ever told to scan a QR code to avoid consequences or that you’ll miss out on an exclusive offer if you don’t scan immediately, you should be very suspicious. Scammers want people to scan the QR code before they have time to think it through.
Many phones now show a link preview from a QR code before taking you to the website. Look carefully at this link to make sure it matches what you’d expect. If you’re trying to donate to a charity, for example, you should expect the QR code to go to that charity’s official website. If you aren’t sure what the official website is, do not use the QR code and go to the website manually.
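The same link-preview check can be automated, for example by a team that vets printed QR codes before they go on signage. The sketch below is an added example, not code from Alliant; the function name `check_qr_link`, the domain `charity.example` and all sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_link(payload, expected_domain):
    """Return warnings for a decoded QR payload; an empty list means the link
    is HTTPS and its host is expected_domain or one of its subdomains."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("scheme is not https: " + (parts.scheme or "(none)"))
    if parts.username is not None:
        # In https://name@other-host/ the text before '@' is not the site
        warnings.append("userinfo before '@' hides the real host")
    if not host:
        return warnings + ["no host found in payload"]
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address: " + host)
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible lookalike characters)")
    expected = expected_domain.lower().rstrip(".")
    # Match on a label boundary so charity.example.other.test does not pass
    if host != expected and not host.endswith("." + expected):
        warnings.append("host " + host + " is not " + expected)
    return warnings

# Constructed sample payloads (not real sites), as a QR reader would decode them
SAMPLES = [
    "https://donate.charity.example/give",
    "https://charity.example@pay-portal.test/give",
    "https://charity.example.pay-portal.test/give",
    "http://charity.example/give",
    "https://203.0.113.7/give",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_link(sample, "charity.example") or "ok")
```

Only the first sample passes; the others put the expected name somewhere other than the end of the host, drop HTTPS, or use a bare IP address.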
Note: This is not intended as a comprehensive list of steps to take. Additional action may be needed depending on the situation.
If you encounter a QR code scam, you can report the fraud to the Federal Trade Commission at https://reportfraud.ftc.gov/, whether or not you scanned the code. If you do scan a QR code you believe is malicious, do not enter any information into the website and close it.
In the event you did enter personal information, such as your banking login information or credit card number, contact the relevant organization directly. While financial institutions like Alliant are always watching for fraudulent activity, this will allow for extra-close monitoring of your account. They can also work with you to freeze accounts and potentially reverse any fraudulent transactions.
You are also entitled to one free credit report from each of the three major credit-reporting bureaus (Equifax, Experian and TransUnion) annually through AnnualCreditReport.com, though you can purchase your credit report directly through the credit bureaus as well.
Additionally, change your password to the affected accounts. If you don’t have two-factor authentication (2FA) set up already, this is a great time to do so.
While QR code scams are unfortunately common, knowing the warning signs can help you avoid falling victim to them. Being cautious around QR codes, especially anything dealing with financial accounts, will help keep your information and assets safe from scammers.