Cyber Tips

Seven Common QR Code Scams To Watch Out For

From pubs to parking lots, QR codes are everywhere for the scanning. But just because everybody’s doing it, doesn’t make it safe. Learn about common QR code scams and ways to protect yourself, one barcode at a time.

QR Codes

Quick Response (QR) codes have become an everyday tool, making it easier for businesses to engage with consumers. And consumers have embraced the convenience. From coupons and concert tickets to interactive business cards, the technology is projected to hit 94.1 million users by the end of 2023 and exceed 100 million by the close of 2025. That’s a lot of personal and financial data zipping around, and cyber criminals are here for it. So, are QR codes safe? Not always. We’ll look at how QR code scams work, what to look out for, and how you can protect yourself in a scan-happy world. 

How QR Codes Work

A QR code, or Quick Response code, is a 2-D barcode that serves as a storage unit for various information, such as files, text, images, and web links. QR codes are “read” by smartphones and can be used to open a website, make a call, send a message or even send an email.

Anyone can create a QR code using an online generator or even a browser. Most of us aren’t fluent in “barcode”, so we have no way of knowing if the code is legitimate. Scammers have a few tricks up their sleeves, from leading you to fake websites to planting malware on your device. With QR codes popping up everywhere, it’s important to spot a scam before you scan.  

7 Common QR Code Scams 

QR code phishing scams

Scammers send phishing or “quishing” emails containing QR codes with special offers, time-sensitive notifications or important documents. Posing as a credible company or institution, scammers will use an urgent call to action to get you to scan the code in the email. If you fall for it, you’ll be redirected to a legitimate looking website to update personal information or payment details. The cybercriminal now has access to your identity and financial information.  

QR Codes for Payments

In our post-pandemic world, touchless payments are now the norm. We use QR codes in restaurants to look at menus, order, and even pay the bill. In car parks around the world, drivers use QR codes to pay for parking instead of digging for change. Unfortunately, criminals can easily tamper with public QR codes to steal payments and credit card information. In 2023, a woman in the UK was defrauded of nearly $17,000 USD because of a QR parking scam. And in American restaurants, QR code scams are on the rise.  

Mail & Packages with QR codes

Ignore junk mail with QR codes that promise giveaways or instant coupons. If you’re not sure, visit the company’s website to verify the offer. Be especially wary of QR codes and debt consolidation services. If a suspicious package arrives in the mail with a QR code, don’t scan it. With this hustle, scammers send you something you didn’t order, often from Amazon or other trusted online retailers. Inside the package, you’ll spot a QR code with “instructions” to return it or to check your order details. Once you scan the code, you’re off to a fake website designed to steal your personal and financial information.  

QR Codes in Healthcare

QR codes can help make it easier for patients to view test results, make appointments and access wellness information. However, “scan scams” in the healthcare sector increased by more than seven times in 2022, leaving sensitive medical information vulnerable to cyber criminals. Patients, trusting in the medical system, will often share highly sensitive information like medical history and social security numbers without question.  

Social Media & QR Codes

Scammers may hijack a friend’s or family member’s social media account to send QR codes with urgent messages like, “Help me win this contest!” or “Is this you?”  If the message seems off or comes from someone you haven’t spoken to in ages, be cautious. Hacked social media accounts of well-known brands or institutions may also post QR codes that lead to password-stealing sites.  

Cryptocurrency & QR Codes

Watch out for QR code scams in crypto transactions. Scammers might hit you up with a fake “giveaway,” promising double the crypto if you send them funds first. And unfortunately, because the cryptoworld is largely unregulated by government and financial institutions, there’s not much you can do if you get robbed.  

Donations & Charity QR Codes

Scammers may pose as charities or create fake ones to trick you into donating. They often use QR codes in their schemes to raise funds. If you encounter unsolicited QR codes or receive donation requests from unfamiliar sources, exercise caution.  

How to Avoid QR Code Scams

Preview QR code URLs BEFORE scanning:  Here’s a step-by-step guide on how to use your phone to preview a URL before scanning a QR code: 

  • Open Camera App: Launch the camera app on your phone. Most smartphones come with a built-in camera app. 
  • Position QR Code: Aim your phone’s camera at the QR code you want to scan. Make sure the QR code is within the frame of the camera. 
  • Focus and Scan: Allow the camera to focus, and it will automatically scan the QR code. You might hear a beep or see a notification indicating a successful scan. 
  • Preview URL: Before visiting the website or link, your phone will likely display a preview of the URL or provide additional information about where the QR code is directing you. Take a moment to review this information. 
  • Verify Legitimacy: Check for any misspellings or variations in the URL. Ensure it looks legitimate and matches your expectations. If something seems off, reconsider scanning the code. 
  • Decide to Open: If the previewed URL looks safe and trustworthy, you can choose to open it by tapping on the relevant prompt or button on your phone. 

Check for physical tampering: In public places, ensure there’s no extra sticker above the QR code—scammers love that trick. 

Look for signs of quishing or phishing in emails: Generic domains, spelling errors, urgent language and emails related to unfamiliar deliveries or purchases are all cause for concern. Reach out to the company or institution directly for confirmation. Be extra cautious with any email with a QR code—even ones from friends. You can’t know for sure they haven’t been hacked. 

Look for signs of quishing or phishing on the destination site: Typos and low-quality images are red flags. Look for a secure URL with a lock symbol or “https://.” 

Don’t scan QR codes from strangers: Whether online or on the street, be cautious of too-good-to-be-true offers from people or companies you don’t know.    

Settle restaurant bills in person: Diners should stick to designated restaurant websites or apps when ordering and ask to pay the bill in person, whenever possible.   

Verify social media chats: If a friend DMs you a QR code, contact them outside the platform to confirm. 

Don’t fall for get-rich-quick crypto schemes: Look out for phony “investment” pitches that demand urgent investment of cryptocurrency.  

Don’t pay bills or fees with cryptocurrency: If a QR code comes with an urgent demand for payment in cryptocurrency, ignore it. No legitimate business operates this way, and your bill collectors don’t want Bitcoin.  

Donate to registered charities: Stick to well-known and verified charities, and only use official channels to make donations.  

Guard your health data carefully: If your doctor or hospital uses QR codes, check the URL or website app before opening it on your device. Only scan codes from verified sources like your healthcare provider’s website or printed materials. And if you’re asked to share sensitive information via QR code, don’t. Instead, call or visit your healthcare professional in person. 

Protect your devices: Install trusted antivirus software and malware protection. Use multi-factor identification for all logins and let a password manager do the heavy lifting 

Skip QR code scanner apps: While most scanner apps are safe, sometimes they aren’t. Your phone’s camera is good enough – no need for extra tools. 

Get cyber insurance: A good cyber insurance policy focuses on prediction and prevention. The BOXX approach to cyber insurance uses industry-leading threat intelligence and technology to help protect you from the emerging cyber threats. 

How to Recover from a QR Code Scam

If you’ve been scammed, it’s important to act quickly to regain control. Do the following as soon as you discover the cyber-attack:  

  • Change your passwords, lock down your accounts and enable multi-factor identification for all logins 
  • Run a malware check with trusted antivirus software 
  • If your financial information has been compromised, inform your bank and credit company immediately.  
  • Contact credit bureaus about potential fraud with alerts and freezes 
  • Keep an eye out for signs of identity theft 

Get Help

If you’re insured through BOXX cyber insurance, you can contact our Hackbusters™ incident response team 24/7— without filing a claim. In the event of a breach, the BOXX Hackbusters™ incident response is your safety net to recover and restore your family’s personal, financial and private information. 

Related posts

Cyber Tips How to Protect Yourself from Tax Season Scams

How to Protect Yourself from Tax Season Scams

Tax season can be a stressful time for many Canadians and while scams are prevalent year-round, there is often a greater proliferation during tax time. Hackers are waiting for you to slip up so they can steal your personal information, money and identity.

05/04/2022
Cyber Tips Gift card scams are on the rise among consumers

Gift card scams are on the rise among consumers

Gift card scams are on the rise and cost North Americans at least $148 million in the first 9 months of 2021. Here’s our advice on how you can prevent and resolve these types of scams as they happen — and how to keep your finances safe.

07/12/2022

Sign up for the BOXX Insurance Newsletter

Get the latest updates about Cyber Insurance and Protection with our newsletter.