In this article, we’ll discuss what a QR code is and how QR code fraud works. We’ll also go over the different types of QR code scams, how you can prevent them, and what to do if you’re a victim of QR code fraud.
What is a QR Code?
You’ve surely seen them by now: the complex-looking combinations of black and white squares that make up so-called Quick Response (QR) codes. These codes are often used to link to data and information on the internet. The codes can only be read by machines, most typically a smartphone with a QR code reader. As their name suggests, they were designed to be deciphered and read quickly.
How Does QR Code Fraud Work? – Different Types of QR Scams
The goal of QR code fraud is pretty much always the same: getting you to navigate to a page through which cybercriminals can steal your data, money, or both. However, there are many different ways for criminals to do this.
You’ve probably heard of phishing. In a phishing attack, a cybercriminal will pose as someone you know or trust so they can obtain your data. Usually, phishing attacks happen via emails, phone calls, or social media. Cybercriminals have now turned to QR codes as well.
Criminals might send you an email, flyer, letter, or message on social media containing a QR code. Scanning it will lead you to a page that prompts you to fill in your personal data or login credentials. The requested data might include sensitive information, like your online banking details. If you fill out this information, you’ll send it straight to the attacker, who can do with it whatever they wish.
Often “phishing QR codes” lead to fake websites that appear to belong to large and trustworthy organizations. Just like regular phishers, QR code phishers often pose as employees of big and important corporations, such as banks and other financial institutions.
An interesting example can be seen in the screenshot below. In this Dutch message, cybercriminals pretend to represent one of the largest Dutch banks (Rabobank) and claim the victim’s debit card is about to expire. The victim is asked to scan the QR code to receive a new card. Of course, this is just an attempt to obtain sensitive information and money from victims falling for this scam.
Stranger in need: a face-to-face QR scam
The essence of face-to-face scams is that someone will approach you in real life with a crafty story as to why you need to scan a QR code. Criminals may approach victims and ask for help with paying for a parking space. They claim that, by scanning a code, the victim can transfer some money to their bank account. The criminals generally promise to give the money back in cash.
Little do the victims know that, by scanning this QR code, they actually give the criminals access to their online banking information. Many victims of this scam have lost hundreds of dollars.
This “stranger in need” QR scam was reported frequently about a year ago in the Netherlands. There have been other examples as well. Strangers might ask victims for money for the metro, for instance. If a scammer is smart enough, they could probably find a hundred different excuses as to why they need you to scan a certain QR code.
The online marketplace method
QR scammers can also approach you on online marketplaces. They might claim they want to buy the goods you’re offering and ask you to scan a QR code so they can make sure they’re transferring the money to the correct bank account. At least, that’s what they tell you. What you’re actually doing is giving cybercriminals access to your bank account.
A slight variation of this scam was reported a lot in India earlier this year. The State Bank of India (SBI) warned its customers about the following scam: criminals approach sellers of second-hand goods online, saying they want to buy a certain product. They even transfer a small amount of money to “check it’s the right bank account” and gain the victim’s trust. Afterwards, they ask the victim to scan a QR code to receive the remainder of the money. Instead, however, scanning this code will make the victim lose money.
As the SBI puts it: scanning a QR code only works to make payments, not to receive them. In other words, if someone claims you need to scan a QR code in order for them to send you money, don’t do it! Money will actually be debited from your account instead.
QR code viruses
A very common question is: Can I get a virus from scanning a QR code? Unfortunately, you can. Cybercriminals can easily embed links to web pages containing viruses and other malware into QR codes. This malware can, in turn, compromise your sensitive data.
In many cases, just scanning the QR code is enough for the malware to do its damage. This is possible because some websites automatically start so-called drive-by downloads of malicious software as soon as you visit them. The last thing you want is to have a website you visit through a QR code download a keylogger on your device. This kind of malware will register everything you type, including sensitive information.
A recent QR code malware scam specifically targets Android phones. According to SecureList by Kaspersky, scanning the QR code leads to a page where victims can download a dangerous Trojan Horse that’s camouflaged as a normal file for their Android device. This Trojan Horse, once installed, sends text messages to a phone number that charges $6 per message received. Presumably, the scammers will end up with this money in their pocket.
Another type of QR fraud involves tampering with QR codes or placing fraudulent codes at locations where a lot of online payments are made, such as gas stations that allow for payment through a QR code. Criminals might even cover up legitimate QR codes to fool more victims into using their codes instead.
The difficulty of this kind of QR code scam is that these codes appear in places where you expect to find legitimate QR codes. Criminals use the current systems in place to fill their own pockets. This is why it’s important to remain critical of every QR code you encounter, whether you expected to see one or not.
How to Protect Yourself from QR Code Scams
QR scams are getting increasingly deceptive, which is why it’s important to recognize and prevent them. The basis of preventing QR scams is to never scan a QR code you don’t trust. Aside from that, more specific preventive measures depend on the scam you’re (potentially) facing:
If you receive a suspicious message with a QR code that has, supposedly, been sent by a large institution, such as a bank, always contact the company or institution directly to find out whether the message actually came from them.
Remember that QR codes are generally used for paying money, not for receiving it. If someone asks you to scan a code to get paid, this is most likely a scam. You’ll be debited the amount instead of receiving it. Or worse: you could be giving criminals access to your bank account.
Install some good antivirus software on your device. This way, if you do scan a malicious QR code, at least you’re better protected against any potential malware.
Don’t be afraid to say “no” to strangers in need who ask you to scan a QR code. If you find it difficult to turn them down, you can always say you’re in a hurry.
Ideally, avoid using QR codes to transfer Bitcoin and other cryptos. You can use a QR code to transfer crypto from your broker to your own wallet, of course. Even then, however, using the regular address instead allows you to double-check before you press “send.”
Regularly check a scam alert website or app to keep up-to-date with new (QR code) scams. You can even help others stay safe by reporting any (potential) scams you encounter. A great platform we recommend is the Better Business Bureau’s scam alert, though that is mostly aimed at North America.
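The checks above can also be applied to the text a QR code decodes to, before anything is opened. The following Python sketch is an added example, not part of the original article: it flags payloads that are payment requests (the "scan to receive money" scam) and web links whose host does not belong to the organization the message claims to come from. The UPI and `bitcoin:` URI schemes, the function name `triage_qr_payload` and all sample hostnames are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Assumption: UPI deep links (upi://pay?...) and BIP-21 bitcoin: URIs are the
# payment formats checked; the article itself names no URI scheme.
PAYMENT_SCHEMES = {"upi", "bitcoin"}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_payload(payload, expected_domain=None):
    """Return warnings for text decoded from a QR code, before opening it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in PAYMENT_SCHEMES:
        # Scanning this makes the scanner the payer, never the recipient.
        query = parse_qs(parts.query)
        amount = (query.get("am") or query.get("amount") or ["unspecified"])[0]
        return [f"payment request: you would SEND money (amount {amount})"]
    if scheme not in ("http", "https"):
        return [f"unexpected scheme: {scheme!r}"]

    warnings = []
    host = parts.hostname or ""
    if scheme == "http":
        warnings.append("no TLS: page is served over plain http")
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    if _is_ip(host):
        warnings.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible lookalike domain")
    if expected_domain:
        want = expected_domain.lower().rstrip(".")
        if host != want and not host.endswith("." + want):
            warnings.append(f"host {host!r} is not under {want!r}")
    return warnings

# Constructed sample payloads (not taken from any real campaign).
SAMPLES = [
    ("upi://pay?pa=buyer@examplebank&pn=Buyer&am=4500&cu=INR", None),
    ("https://examplebank.example.card-renewal.test/login", "examplebank.example"),
    ("https://www.examplebank.example/cards", "examplebank.example"),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(payload, "->", triage_qr_payload(payload, expected) or "no warnings")
```

An empty result only means none of these specific patterns matched; it does not make an unknown code trustworthy.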