In recent months, there has been a noticeable surge in phishing endeavours employing QR codes. QR, or ‘quick response,’ codes are widely utilised 2D barcodes enabling smartphone users to swiftly scan and access digital content.

Regrettably, cyber malefactors have seized upon this trend, exploiting the relative vulnerability of scanning QR codes on smartphones compared to receiving website links on laptops or desktops. This article aims to elucidate the various manifestations of QR code scams, elucidate methods for identification, and provide guidelines for safeguarding oneself.

Three Variants of QR Code Scams

Cybercriminals employ diverse online and offline tactics to steer individuals toward deceptive websites, seeking unauthorised access to sensitive information.

Kaspersky highlights a significant aspect, noting that while many recognise the capacity of QR codes to open URLs, awareness may be lacking regarding additional actions QR codes can instigate on a user’s device. These actions encompass directing users to sites attempting drive-by downloads or executing tasks like adding contacts or composing emails.

1. Within Phishing Emails

Resembling traditional phishing emails, scammers assume the guise of reputable entities but substitute the customary hyperlink with a QR code. Upon scanning, users are directed to a deceptive website prompting the input of personal information. Confense Email Security reports a staggering 2400% surge in malicious QR code phishing volume since May 2023.

2. Mail Delivery

Scammers may dispatch QR codes via postal mail, asserting recipients have won a prize or missed a delivery, providing instructions for claiming the supposed reward.

3. Public Distribution

Instances in England have surfaced where fraudsters strategically placed counterfeit QR codes on parking metres, aiming to capture payment card details from unsuspecting users. Subsequently, these scammers made small unauthorised withdrawals from the affected accounts.

Identifying Malicious QR Codes

Exercise scrutiny similar to assessing any phishing email. If a QR code within an inbox email appears dubious, rely on instincts and refrain from scanning. 

Install a reputable QR code scanner app on your smartphone, such as the camera app, Microsoft, or Google Lens. These apps may provide options to copy the link for external validation. Additionally, ensure that alerts for malicious websites are activated in your settings.

Protecting Against Fraudulent QR Codes

Genuine services seldom use QR codes as entry or payment gateways. Organisations like Duo Security and HMRC typically present QR codes only after users have securely logged into designated portals.

Uncertain about a QR code’s legitimacy? Conduct online research on the company and verify authenticity independently. Refrain from using contact details provided in scrutinised emails. If directed to a suspicious website from a personal inbox, report it to the National Cyber Security Centre online.

Maintain up-to-date security patches on all devices, particularly smartphones. As new scams emerge, updates may introduce features enhancing user safety. For more information, refer to our previous post on ‘the importance of updates.’

Frequently asked questions

Q1: What are QR code scams, and why should I be concerned about them?

A1: QR code scams involve deceptive tactics where cybercriminals use QR codes to redirect individuals to fraudulent websites, posing risks to personal information and security.

Q2: How can I recognise a malicious QR code to ensure safe scanning?

A2: Look for unusual content, discrepancies in emails, or unexpected sources. Trust your instincts and employ the guidelines outlined in the blog to identify and avoid malicious QR codes.

Q3: What types of QR code scams are prevalent, and how do they operate?

A3: Cybercriminals use phishing emails, postal mail, and public distributions to distribute deceptive QR codes. This blog details these methods, providing insights into their operation.

Q4: Why are QR codes in phishing emails a growing concern for online security?

A4: QR codes in phishing emails present an elevated risk as they can lead to fraudulent websites, compromising sensitive information. This blog discusses this concern and ways to mitigate it.

Q5: How do scammers utilise QR codes in postal mail, and how can I avoid falling victim?

A5: Scammers may send QR codes via mail with false claims. Learn to identify and avoid these scams by understanding the tactics used and being cautious of unexpected mail.

Q6: Are certain industries more prone to QR code scams, and if so, why?

A6: Explore whether specific industries are more susceptible to QR code scams and understand the underlying factors contributing to their vulnerability.

Q7: What actions can I take to protect myself from QR code scams in public spaces?

A7: This blog offers guidance on safeguarding against QR code scams in public areas, including tips on using secure payment methods and staying vigilant.

Q8: Should I trust QR codes received in emails from seemingly reputable sources?

A8: Exercise caution with QR codes in emails, even from seemingly trustworthy sources. This blog provides insights into potential risks and ways to verify authenticity independently.

Q9: How do QR code scanner apps contribute to avoiding scams, and which ones are recommended?

A9: Learn about the importance of using reputable QR code scanner apps, including popular options like the camera app, Microsoft, or Google Lens, to enhance your overall protection.

Q10: What steps should I take to report a suspicious QR code or potential scam to authorities?

A10: This blog outlines the proper channels and procedures for reporting QR code scams, ensuring a prompt response from relevant cybersecurity authorities.