QR codes are having a moment. The humble squares may have been around since 1994, but it wasn’t until the COVID-19 era that they became a truly household name. These days, you can spot them all over the place, with the codes put to use for everything from displaying restaurant menus to facilitating contactless transactions to being built into contact tracing apps.

Much like any other popular technology, however, the widespread use of QR codes has also caught the attention of scammers, who have co-opted them for nefarious purposes. This trend has even prompted an alert from the United States’ Federal Bureau of Investigation (FBI). In this article, we’ll look at how fraudsters use the codes for illicit profit and what to watch out for when scanning a QR code.

What is a QR code and how does it work?

Short for ‘Quick Response’, a QR code is a type of machine-scannable barcode that, as implied by its name, is designed to be read and interpreted instantly by a digital device. A QR code can store up to 4,296 alphanumeric characters, although the commonly used ones tend to contain fewer characters and so allow for easy decoding by a smartphone’s camera.
The text strings encoded within a QR code may contain a variety of data. The action prompted by reading a QR code depends on the application that is interacting with it. The codes may be used to open a website, download a file, add a contact, connect to a Wi-Fi network, and even make payments, among many other actions. QR codes are highly versatile and can be customized to include logos. Dynamic versions of QR codes even allow you to change the contents or action at any time. This versatility may be a bit of a double-edged sword, however.

How QR codes can be exploited

The vast number of QR code use cases (and the potential for misuse) isn’t lost on fraudsters. Here’s how criminals can co-opt the codes to steal data and money:

1. Redirect you to a malicious website to steal sensitive information

Phishing attacks don’t spread only by emails, instant messages, or texts. Just as attackers can use malicious ads and other techniques to direct victims to fraudulent sites, they can do the same with QR codes. This is especially a concern if the codes are put up in adverts in busy areas or near banks or other financial institutions. In one widely reported recent case, scammers placed fraudulent QR code stickers on public parking meters in several cities in Texas, directing people to phony payment sites.

2. Download a malicious file on your device

Many bars and restaurants use QR codes to download a PDF-format menu or install an app enabling patrons to place an order. Attackers could easily tamper with the QR code to try to trick the potential victim into downloading a malicious PDF file or a rogue mobile app.

3. Trigger actions on your device

QR codes can trigger actions directly on your device, with these actions depending on the application that is reading them (indeed, watch out for bogus barcode scanning apps). However, there are some basic actions that virtually any QR reader can interpret. These include connecting the device to a Wi-Fi network, sending an email or SMS message with predefined text, or saving contact information on the device. While these actions are not malicious in themselves, they could be used to corral a device into a compromised network or to send messages on the victim’s behalf.
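All of the actions above travel as plain text inside the QR payload, so a scanner can tell the user what a code would do before doing it. The Python below is an added example written for this article, not code from any scanner app: it classifies a decoded payload by the action it would trigger and records reasons to pause, such as a plain-HTTP or bare-IP URL, a file download, or an open Wi-Fi network. The prefixes WIFI:, SMSTO:, MECARD:, mailto: and tel: are the conventional QR/URI schemes; the risk flags, the function names and the sample payloads are this example's own choices.

```python
"""Decide what a scanned QR payload would do before letting it happen.

Added example for this article; not code from any scanner app. Prefixes such as
WIFI:, SMSTO:, MECARD: and mailto: are the conventional QR/URI schemes; the
risk flags and the sample payloads below are this example's own choices.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Downloads that an unknown code should never start without the user noticing.
RISKY_EXTENSIONS = (".apk", ".exe", ".msi", ".pdf", ".zip", ".scr")


@dataclass
class Inspection:
    action: str                                      # open_url, join_wifi, send_sms, ...
    summary: str                                     # one line to show the user
    flags: list[str] = field(default_factory=list)   # reasons to pause before acting


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def _inspect_url(text: str) -> Inspection:
    parts = urlsplit(text)
    host = parts.hostname or ""
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("plain http: the page can be read or altered in transit")
    if _is_ip_literal(host):
        flags.append("host is a bare IP address rather than a named site")
    if "xn--" in host:
        flags.append("punycode hostname: check for look-alike characters")
    if "@" in parts.netloc:
        flags.append("URL carries a user part before '@', which hides the real host")
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        flags.append(f"points at a file download ({parts.path.rsplit('/', 1)[-1]})")
    return Inspection("open_url", f"Open {host} in the browser", flags)


def _inspect_wifi(text: str) -> Inspection:
    # WIFI:T:<auth>;S:<ssid>;P:<password>;H:<hidden>;;  (escaped ';' in values not handled)
    fields = {}
    for part in text[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    ssid = fields.get("S", "")
    auth = fields.get("T", "").lower() or "open"
    flags = []
    if auth in ("open", "nopass"):
        flags.append("open network: traffic is not encrypted between phone and access point")
    if fields.get("H", "").lower() == "true":
        flags.append("hidden network: the SSID is not broadcast, so it is hard to recognise")
    return Inspection("join_wifi", f"Join Wi-Fi network '{ssid}' ({auth})", flags)


def inspect_payload(payload: str) -> Inspection:
    """Map decoded QR text to the action a scanner would take, plus risk flags."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith(("HTTP://", "HTTPS://")):
        return _inspect_url(text)
    if upper.startswith("WIFI:"):
        return _inspect_wifi(text)
    if upper.startswith("SMSTO:"):
        parts = text.split(":", 2)              # SMSTO:<number>:<message body>
        number = parts[1] if len(parts) > 1 else ""
        body = parts[2] if len(parts) > 2 else ""
        return Inspection("send_sms", f"Send SMS to {number}: {body!r}",
                          ["sends a message from your number on your behalf"])
    if upper.startswith("MAILTO:"):
        return Inspection("send_email", f"Compose e-mail to {text[7:].split('?')[0]}",
                          ["sends a message from your account on your behalf"])
    if upper.startswith(("MECARD:", "BEGIN:VCARD")):
        return Inspection("save_contact", "Save a contact card to the address book",
                          ["check the name and number: a planted contact can pose as someone you know"])
    if upper.startswith("TEL:"):
        return Inspection("dial", f"Call {text[4:]}", ["places a call to an unknown number"])
    return Inspection("show_text", f"Plain text: {text[:60]}")


if __name__ == "__main__":
    # Constructed sample payloads, not real codes.
    for sample in ("http://192.0.2.10/menu.pdf", "WIFI:T:nopass;S:FreeCafe;;",
                   "https://example.com/menu", "SMSTO:+15550100:hello"):
        result = inspect_payload(sample)
        print(f"{result.action:13} {result.summary}")
        for flag in result.flags:
            print(f"{'':13}  ! {flag}")
```

A scanner built this way implements the later advice on this page directly: it never performs the action automatically, it shows the URL or network name first, and it gives the user concrete reasons to stop.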

4. Divert a payment or make requests for money

Most financial apps today allow payments to be made through QR codes that contain data belonging to the recipient of the money. Many stores display these codes to their customers to facilitate the transaction. However, attackers could modify these QR codes with their own data and receive the payments into their own accounts. They could also generate codes carrying payment requests to deceive buyers, as happened to users who reported being scammed by fake payment QR codes.
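A payment QR code is itself just a text record of who is to be paid. The common merchant-presented layout is EMVCo's tag-length-value format with a CRC-16 checksum in tag 63; the article does not name that format, so its use here is an assumption. The Python below is an added example and not code from any payment app: it parses such a payload, checks the CRC, and shows why the check is no defence against a swapped code. A payload with the same printed merchant name but a different account field passes the CRC just as well, so a payment app must resolve the payee through the payment network and show the user the registered name, not the name embedded in the code. The sample merchant record is constructed.

```python
"""Parse a merchant-presented payment QR payload and show the limits of its CRC.

Added example for this article; not code from any payment app. The layout
assumed here is the EMVCo merchant-presented tag-length-value format (two-digit
tag, two-digit length, value; CRC-16/CCITT-FALSE in tag 63), which the article
itself does not name. The sample merchant record is constructed.
"""
from __future__ import annotations


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final xor."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def parse_tlv(payload: str) -> dict[str, str]:
    """Split concatenated 'TTLLvalue' records into a tag -> value map."""
    fields: dict[str, str] = {}
    i = 0
    while i + 4 <= len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"record {tag} is truncated")
        fields[tag] = value
        i += 4 + length
    if i != len(payload):
        raise ValueError("trailing bytes after last record")
    return fields


def build_payload(fields: dict[str, str]) -> str:
    """Serialise records and append the CRC record (tag 63), computed over '...6304'."""
    body = "".join(f"{tag}{len(value):02d}{value}" for tag, value in fields.items()) + "6304"
    return body + f"{crc16_ccitt_false(body.encode('ascii')):04X}"


def verify_crc(payload: str) -> bool:
    """True if the trailing tag-63 CRC matches the rest of the payload."""
    body, crc = payload[:-4], payload[-4:]
    try:
        return body.endswith("6304") and crc16_ccitt_false(body.encode("ascii")) == int(crc, 16)
    except (ValueError, UnicodeEncodeError):
        return False


def describe(payload: str) -> dict[str, str | None]:
    """The fields a payment app should put in front of the user before paying."""
    if not verify_crc(payload):
        raise ValueError("CRC mismatch: code damaged or not a payment code")
    f = parse_tlv(payload)
    return {
        "merchant": f.get("59"),   # name as printed in the code: NOT authenticated
        "city": f.get("60"),
        "amount": f.get("54"),
        "currency": f.get("53"),   # ISO 4217 numeric code
        "account": f.get("26"),    # merchant account template; resolve it via the payment network
    }


# Constructed sample: a cafe's dynamic (one-off) payment code.
SAMPLE_MERCHANT = {
    "00": "01",                               # payload format indicator
    "01": "12",                               # point of initiation: dynamic code
    "26": "0015com.example.pay0108ACCT-001",  # nested: scheme GUID + account id (opaque here)
    "52": "5812",                             # merchant category code
    "53": "840",                              # USD
    "54": "42.50",                            # amount
    "58": "US",
    "59": "Cafe Example",
    "60": "Austin",
}

if __name__ == "__main__":
    genuine = build_payload(SAMPLE_MERCHANT)
    # Same printed name, different payee account: the CRC is just as valid.
    swapped = build_payload({**SAMPLE_MERCHANT, "26": "0015com.example.pay0108ACCT-999"})
    for label, code in (("genuine", genuine), ("swapped", swapped)):
        print(label, verify_crc(code), describe(code)["merchant"], describe(code)["account"])
```

The CRC exists to catch a smudged or misread print, not a substituted one, which is why a payment app's confirmation screen should be driven by what the payment network says about the account in tag 26 rather than by the name in tag 59.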

5. Steal user identity or access to an application

Many QR codes are used as a certificate to verify a person's information, such as their ID or vaccine pass. In these cases, the QR codes may contain information that is as sensitive as the information contained in their ID or medical records, which an attacker could easily obtain by scanning the QR code.

In addition, many apps, such as WhatsApp, Telegram or Discord, use QR codes to authenticate user sessions and so let users log in to their accounts. As has already happened with WhatsApp, in attacks known as QRLjacking, attackers can impersonate the service and trick the user into scanning a QR code supplied by the attacker, thereby gaining access to the user’s account.
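As an added illustration, and not WhatsApp's, Telegram's or Discord's actual protocol, here is a server-side model in Python of a QR login flow with the controls that blunt QRLjacking. The displayed token expires after a short, assumed lifetime of 60 seconds and is single use, so a relayed code has to be used quickly and only once; the completed login is bound to the browser session that requested the code; and before approving, the phone app must show the user where the login request came from, which is the control that actually exposes a relayed code, because the details describe the attacker's browser rather than the victim's. All class, method and session names are hypothetical.

```python
"""Server-side model of QR code session login with anti-QRLjacking controls.

Added example for this article; not WhatsApp's, Telegram's or Discord's actual
protocol. Class, method and session names are hypothetical; the 60-second token
lifetime is an assumed value.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

QR_TOKEN_TTL = 60.0  # seconds a displayed login QR stays valid (assumed)


@dataclass
class LoginChallenge:
    web_session: str    # browser session that displayed the QR code
    origin_ip: str      # where the login request came from; shown to the user
    user_agent: str     # likewise shown to the user before approval
    created: float
    consumed: bool = False


class QrLoginServer:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._challenges: dict[str, LoginChallenge] = {}
        self.web_logins: dict[str, str] = {}   # web_session -> user who approved it

    def issue_qr(self, web_session: str, origin_ip: str, user_agent: str) -> str:
        """Create the random token that the login page renders as a QR code."""
        token = secrets.token_urlsafe(32)      # 256 random bits: unguessable, never reused
        self._challenges[token] = LoginChallenge(web_session, origin_ip, user_agent, self._clock())
        return token

    def _live(self, token: str) -> Optional[LoginChallenge]:
        ch = self._challenges.get(token)
        if ch is None or ch.consumed or self._clock() - ch.created > QR_TOKEN_TTL:
            return None                        # unknown, already used, or expired
        return ch

    def preview(self, token: str) -> Optional[dict]:
        """Details the phone app must show before asking 'approve this login?'.

        A QRLjacking victim sees a browser and IP address they do not recognise
        here; that is the moment to decline.
        """
        ch = self._live(token)
        if ch is None:
            return None
        return {"ip": ch.origin_ip, "browser": ch.user_agent}

    def approve(self, token: str, user: str, confirmed: bool) -> bool:
        """Complete the login only after the user explicitly confirmed the preview."""
        ch = self._live(token)
        if ch is None or not confirmed:
            return False
        ch.consumed = True                       # single use: the token cannot be replayed
        self.web_logins[ch.web_session] = user   # login lands only in the session that displayed it
        return True


if __name__ == "__main__":
    server = QrLoginServer()
    token = server.issue_qr("sess-A", "203.0.113.5", "Firefox/Linux")   # constructed values
    print("user sees:", server.preview(token))
    print("approved:", server.approve(token, "alice", confirmed=True))
    print("replay:", server.approve(token, "alice", confirmed=True))
```

The preview step is deliberately a separate call: the app has to fetch and render the requesting browser's details before it is allowed to send an approval, so the user's decision is made with the information that distinguishes their own laptop from someone else's.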

In most scenarios, the attacker will need to generate a malicious QR code that will replace the original one. In other words, the attacks involve social engineering and rely on duping the victim into taking an ill-fated action.

Here’s what to consider before scanning a QR code:

Tips for staying safe while using QR codes

  • Before scanning a QR code, check that it has not been tampered with; for example, verify that it doesn’t cover up another QR code.
  • Refrain from scanning randomly found QR codes or codes in unsolicited messages.
  • Exercise the same caution with the codes as when handling links or attachments in emails or messaging apps.
  • Be very careful when it comes to using a QR code to pay a bill or conduct another kind of financial transaction. Consider using another payment option.
  • Disable the option to perform automatic actions when scanning a QR code, such as visiting a website, downloading a file, or connecting to a Wi-Fi network.
  • After scanning, look at the URL to check that it’s legitimate. Even so, it may often be better to avoid inputting your login or personal information on a site you’ve landed on via a QR code. If something feels off, open a browser and type the URL yourself.
  • Do not share QR codes containing sensitive information, such as those used to access apps or those included in documents and health certificates.
  • When generating a QR code, use a reputable service. Such a service can also verify that the QR code is genuine and performs the desired action.
  • Keep your apps up-to-date and use security software.