QR code scams

What does a QR code scam look like?

Avoid becoming victim to a QR code scam

QR codes are everywhere, so they cannot be harmful, right? Wrong.

QR code scams, also known as quishing (QR code phishing), are on the rise. QR codes are a type of barcode that store information in pixels in a square-shaped grid. You may have used them when ordering from a menu at a restaurant, to get into an event, at a car park, or to post a package. QR codes can be read easily and quickly by your mobile device which makes them a great way to share information.

But as the use of QR codes increases, fraudsters are taking advantage by creating QR codes that lead to fake websites to steal your information, or links containing malicious software that will download to your device. This allows a fraudster access to your personal and financial details, maybe without you even realising.

What does a QR code scam look like?

Step 1: The fraudster creates the QR code

The QR code could link to a malicious website, download malware to your device, or direct you to a fake payment portal. The fraudsters aim through all of these methods is to get your sensitive information and money.

Qr code

Step 2: The fraudster places the QR code

QR codes online - The fraudster might distribute the QR code through email, social media, on websites, or messaging apps. It could appear to be legitimate communication, advertising a promotion or attached on a fake invoice.

QR codes in the real world - The fraudster might place the QR code on menus, tables, posters, letters, parcels, car park payment machines, or even over legitimate QR codes in public places.

QR scam example 2

 Step 3: The fraudster encourages you to scan the QR code

The fraudster presents the QR code in a way that encourages you to scan it. They might offer discounts or promotions, offer convenient access to information or a menu, or they might state urgent action is needed like account verification or an invoice to be paid. They could even use company branding or logos to make it look more legitimate.

QR scam 3

Step 4: The fraudster gets hold of your sensitive information

You scan the QR code and you are unknowingly taken to a phishing website. You enter your sensitive information - username and password, as well as your credit card details. The fraudster now has access to your details, which they can use to make fraudulent purchases.

QR scam example 4

  • Avoid becoming victim to a QR code scam

    Here are our key tips and things to think about next time you come across a QR code.

Make sure the QR code has not been tampered with

Before you scan a QR code in a public place, make sure it has not been tampered with. A sign of this is a sticker placed over the original QR code. Do not scan these QR codes as they could be a scam.

Check the QR code link

Many devices will allow you to preview the URL when you go to scan a QR code. Make sure the website address is legitimate by checking:

  • that the URL is something you recognise and looks as it should
  • it does not have misspellings or misplaced words
  • that the URL has a padlock symbol and begins with “https://” as this means your connection to the website is encrypted and cannot be intercepted.

If in doubt as to whether the QR code is genuine, you should go to the website or app directly, or speak to a member of staff if you are in a shop or restaurant.