QR code scams are everywhere. Here’s how to avoid getting scammed.
QR codes are popping up everywhere, from parking meters to TV ads to the night sky. Unfortunately, as handy as these quick response codes are, criminals are exploiting them for malicious purposes.
Smartphones, of course, easily scan the machine-readable optical labels and then interpret and execute the data embedded within. Therein lies the potential trouble. The underlying code can direct users either to safe, legitimate actions—such as viewing a restaurant’s menu, accessing a parking payment portal or viewing detailed information about a product—or infect or otherwise compromise the user’s device, files and connected resources.
Fortunately, you don’t need to stop using QR codes altogether. There are several ways you can help protect yourself from unknowingly falling victim to a QR code scam. Here are tips we urge you to consider before clicking on the next quick response code you see.
The first recommendation is don’t just scan and follow random QR codes. That’s a bad idea.
Yet if, as some 117 million estimated viewers did, you watched the 2022 Super Bowl, you may have noticed the 30-second commercial consisting of nothing but a mysterious QR code bouncing around the screen. In just one minute, that Coinbase advertisement lured over 20 million people to scan the QR code not knowing whose it was or what would happen. The corresponding traffic proved so intense the cryptocurrency exchange platform could not manage the load and subsequently crashed.
This particular incident confirms just how readily people click on QR codes without thinking twice. Unfortunately, bad actors know this and are actively taking advantage.
In fact, QR code scams work much like phishing attacks. Doctored items pose as legitimate links in the hopes people will click on them. But instead of directing a user to a legitimate site or file, phishing attacks either install infectious code that then compromises, steals and encrypts data, holding the information hostage until a handsome ransom payment is made, or direct users’ devices to malicious sites that steal sensitive credentials, bank information or credit card numbers.
Last December, for example, police in San Antonio, Texas, warned citizens to be cautious when using public parking spots after fraudulent QR codes offering quick and easy payments were discovered on parking meters throughout town. When people scanned the QR code, the subsequent code directed them to an imposter website where submitted payments were sent to a fraudulent vendor.
Such events are not isolated. The same problem occurred the next month in Boston, Massachusetts, and Austin, Texas.
Texas, it seems, has a thing for QR codes.
During the popular SXSW festival held annually in Austin, some 400 drones filled the sky in March to form a QR code. Some 300 feet tall by 600 feet wide, the purple matrix directed those scanning the image to an advertisement for a new streaming Halo TV series. Not everyone was thrilled, with many Reddit and news article comments deploring the stunt and some of the resulting fears—not everyone witnessing the event understood the flying objects and corresponding noise were just an advertisement.
Many of the subsequent comments provided sound advice, such as never randomly scan QR codes. That is great counsel.
Instead, preview a QR code’s URL. Many smartphone cameras, including iPhones running the latest version of iOS, provide a preview of the code’s URL when you first scan the matrix image. If you do not recognize the site, or if the link looks strange, do not continue; do not click the subsequent link.
Avoid, too, downloading an application from a QR code. Use your phone’s app store—Apple’s App Store on an iPhone or the Google Play Store on an Android model, instead. By selecting the program from the official app store, you can have confidence the app is, indeed, genuine.
Do not click on QR codes you receive via text from unknown parties or via email from people or companies you do not know. This is especially true when you are not even expecting the QR code.
Similarly, do not trust QR codes when connecting to an unfamiliar wireless network. Ensure you trust any corresponding signage—at large events it is not much trouble for malicious actors to print and place various fraudulent signs featuring imposter QR codes throughout a facility—when connecting to a WiFi network.
Avoid, too, using applications dedicated specifically to scanning and executing QR codes. Most smartphones’ internal cameras now readily provide that function. So there is no need to risk a third-party application tracking your QR code activity.