QR Code Fraud: What is it and How Can You Protect Yourself?

What is QR Code Fraud and How do You Prevent it? A Brief Summary

QR code fraud is a form of cybercrime where criminals (attempt to) steal your data by having you scan a Quick Response (QR) code. QR codes make it very easy to quickly navigate to specific web pages, such as restaurant menus, but they can also lead you to dangerous phishing schemes or pages infected with malware.

There are many different QR code scams:

  • QR code phishing scams
  • Stranger-in-need scams
  • Online marketplace scams
  • QR codes leading to pages with viruses and malware
  • Online payment fraud at gas stations and other public locations
  • QR code crypto scams

If you want to learn everything about the QR scams mentioned above, how QR fraud works, how to prevent it, and what to do if you’re a victim, read the full article down below.

Over the years, QR code scams have become more and more popular amongst cybercriminals. Just by getting you to scan a fake QR code, they can access your (sensitive) data. Victims can lose large amounts of money this way.

All the more reason to educate yourself on this deceptive form of cybercrime. In this article, we’ll discuss what a QR code is and how QR code fraud works. We’ll also go over the different types of QR code scams, how you can prevent them, and what to do if you’re a victim of QR code fraud.

What is a QR Code?

You’ve surely seen them by now: the complex-looking combinations of black and white squares that make up so-called Quick Response (QR) codes. These codes are often used to link to data and information on the internet. The codes can only be read by machines, most typically a smartphone with a QR code reader. As their name suggests, they were designed to be deciphered and read quickly.

The most familiar uses of these codes, especially post-Covid, include:

  • Accessing a restaurant menu on your phone
  • Confirming your reservation at a theme park or other venue
  • Getting your boarding pass or health questionnaire scanned at the airport

Because of their convenience, QR codes can be found virtually anywhere these days: from advertising leaflets to magazines and from restaurant menus to business cards. It’s a quick and easy way to get people to the online page you want them to access.

Unfortunately, however, cybercriminals increasingly use these codes to “scam scanners.”

How Does QR Code Fraud Work? – Different Types of QR Scams

The goal of QR code fraud is pretty much always the same: getting you to navigate to a page through which cybercriminals can steal your data, money, or both. However, there are many different ways for criminals to do this.

QR code phishing scams: “a modern classic”

You’ve probably heard of phishing. In a phishing attack, a cybercriminal will pose as someone you know or trust so they can obtain your data. Usually, phishing attacks happen via emails, phone calls, or social media. Cybercriminals have now turned to QR codes as well.

Criminals might send you an email, flyer, letter, or message on social media containing a QR code. Scanning it will lead you to a page that prompts you to fill in your personal data or login credentials. The requested data might include sensitive information, like your online banking details. If you fill out this information, you’ll send it straight to the attacker, who can do with it whatever they wish.

Often “phishing QR codes” lead to fake websites that appear to belong to large and trustworthy organizations. Just like regular phishers, QR code phishers often pose as employees of big and important corporations, such as banks and other financial institutions.

An interesting example can be seen in the screenshot below. In this Dutch message, cybercriminals pretend to represent one of the largest Dutch banks (Rabobank) and claim the victim’s debit card is about to expire. The victim is asked to scan the QR code to receive a new card. Of course, this is just an attempt to obtain sensitive information and money from victims falling for this scam.

Rabobank QR code phishing scam screenshot with redacted QR code

Stranger in need: a face-to-face QR scam

The essence of face-to-face scams is that someone will approach you in real life with a crafty story as to why you need to scan a QR code. Criminals may approach victims and ask for help with paying for a parking space. They claim that, by scanning a code, the victim can transfer some money to their bank account. The criminals generally promise to give the money back in cash.

Little do the victims know that, by scanning this QR code, they actually give the criminals access to their online banking information. Many victims of this scam have lost hundreds of dollars.

This “stranger in need” QR scam was reported frequently about a year ago in the Netherlands. There have been other examples as well. Strangers might ask victims for money for the metro, for instance. If a scammer is smart enough, they could probably find a hundred different excuses as to why they need you to scan a certain QR code.

Since this scam happens face-to-face in public places, it’s potentially dangerous to virtually anyone. At the same time, it’s one of the harder scams to prevent, since many of us have a hard time saying “no” when asked for help in person.

The online marketplace method

QR scammers can also approach you on online marketplaces. They might claim they want to buy the goods you’re offering and ask you to scan a QR code so they can make sure they’re transferring the money to the correct bank account. At least, that’s what they tell you. What you’re actually doing is giving cybercriminals access to your bank account.

A slight variation of this scam was reported a lot in India earlier this year. The State Bank of India (SBI) warned its customers about the following scam: criminals approach sellers of second-hand goods online, saying they want to buy a certain product. They even transfer a small amount of money to “check it’s the right bank account” and gain the victim’s trust. Afterwards, they ask the victim to scan a QR code to receive the remainder of the money. Instead, however, scanning this code will make the victim lose money.

The video from the SBI below explains the QR marketplace scam in a bit more detail.

As the SBI puts it: scanning a QR code only works to make payments, not to receive them. In other words, if someone claims you need to scan a QR code in order for them to send you money, don’t do it! Money will actually be debited from your account instead.

QR code viruses

A very common question is: Can I get a virus from scanning a QR code? Unfortunately, you can. Cybercriminals can easily embed links to web pages containing viruses and other malware into QR codes. This malware can, in turn, compromise your sensitive data.

In many cases, just scanning the QR code is enough for the malware to do its damage. This is possible because some websites automatically start so-called drive-by downloads of malicious software as soon as you visit them. The last thing you want is to have a website you visit through a QR code download a keylogger on your device. This kind of malware will register everything you type, including sensitive information.

A recent QR code malware scam specifically targets Android phones. According to SecureList by Kaspersky, scanning the QR code leads to a page where victims can download a dangerous Trojan Horse that’s camouflaged as a normal file for their Android device. This Trojan Horse, once installed, sends text messages to a phone number that charges $6 per message received. Presumably, the scammers will end up with this money in their pocket.

QR payment fraud

Another type of QR fraud involves tampering with QR codes or placing fraudulent codes at locations where a lot of online payments are made, such as gas stations that allow for payment through a QR code. Criminals might even cover up legitimate QR codes to fool more victims into using their codes instead.

The difficulty of this kind of QR code scam is that these codes appear in places where you expect to find legitimate QR codes. Criminals use the current systems in place to fill their own pockets. This is why it’s important to remain critical of every QR code you encounter, whether you expected to see one or not.

QR code crypto scams (Bitcoin)

QR codes also play an essential role in cryptocurrency and Bitcoin scams. Many cryptocurrency transactions use a QR code to transfer money. If the QR code you scan has been tampered with, it can cost you a lot of money.

One example of a Bitcoin QR scam is a so-called giveaway scam, as you can see in the screenshot below. In these schemes, users are made to believe they can transfer crypto to a certain Bitcoin wallet and get twice as much in return. Needless to say, only the first part is true.

Screenshot of a Bitcoin QR Contribution scam window

How to Protect Yourself from QR Code Scams

QR scams are getting increasingly deceptive, which is why it’s important to recognize and prevent them. The basis of preventing QR scams is to never scan a QR code you don’t trust. Aside from that, more specific preventive measures depend on the scam you’re (potentially) facing:

  • If you receive a suspicious message with a QR code that has, supposedly, been sent by a large institution, such as a bank, always contact the company or institution directly to find out whether the message actually came from them.
  • Remember that QR codes are generally used for paying money, not for receiving it. If someone asks you to scan a code to get paid, this is most likely a scam. You’ll be debited the amount instead of receiving it. Or worse: you could be giving criminals access to your bank account.
  • Install some good antivirus software on your device. This way, if you do scan a malicious QR code, at least you’re better protected against any potential malware.
  • If you come across a QR code you don’t trust, but you want more information about the service or product offered, try to look for information manually first and see if it checks out. Make sure you don’t use any of the contact information that was sent along with the suspicious QR code.
  • Don’t be afraid to say “no” to strangers in need who ask you to scan a QR code. If you find it difficult to turn them down, you can always say you’re in a hurry.
  • Ideally, avoid using QR codes to transfer Bitcoin and other cryptos. You can use a QR code to transfer crypto from your broker to your own wallet, of course. Even then, however, using the regular address instead allows you to double-check before you press “send.”
  • Regularly check a scam alert website or app to keep up-to-date with new (QR code) scams. You can even help others stay safe by reporting any (potential) scams you encounter. A great platform we recommend is the Better Business Bureau’s scam alert, though that is mostly aimed at North America.
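The checks above can also be applied to the text a QR code decodes to, before anything is opened. The following Python sketch is an added example, not part of the original article: the function name, the `bank.example` host and the placeholder wallet addresses are assumptions, and it expects the payload to have already been decoded to text by a scanner app.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

def inspect_qr_payload(payload, trusted_hosts=(), expected_btc_address=None):
    """Return warnings for text decoded from a QR code (empty list = nothing flagged)."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme == "bitcoin":
        # BIP21 payment URI: bitcoin:<address>?amount=<btc>
        address = parts.path
        amount = parse_qs(parts.query).get("amount", ["unspecified"])[0]
        warnings.append(f"payment request: {amount} BTC to {address}")
        if expected_btc_address and address != expected_btc_address:
            warnings.append("address differs from the one you expected")
        return warnings

    if scheme not in ("http", "https"):
        return [f"unexpected scheme '{scheme or 'none'}': do not open automatically"]

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate a familiar name")
    if trusted_hosts and not any(host == t or host.endswith("." + t)
                                 for t in trusted_hosts):
        warnings.append(f"host '{host}' is not one of the sites you expected")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads (documentation-only host and IP range).
    for sample in ("https://www.bank.example/menu",
                   "http://bank.example@203.0.113.7/renew-card",
                   "bitcoin:PLACEHOLDER_ADDRESS_B?amount=0.5"):
        print(sample, "->", inspect_qr_payload(sample, ("bank.example",),
                                               "PLACEHOLDER_ADDRESS_A"))
```

An empty result only means none of these specific signs were found; it does not prove the destination is legitimate.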

What to Do if You Become a Victim of a QR Code Scam

If you have become a victim of QR code fraud and you feel your bank account has been compromised, we strongly recommend you follow these steps to mitigate the damage:

Five steps on what to do if you become a victim of a QR code scam infographic

  1. Contact your bank and tell them to temporarily block your account. If you don’t, you might find the criminals who scammed you taking every last dime from your account.
  2. Run a virus scan to make sure the malicious URL embedded in the QR code didn’t contain any malware.
  3. If the QR code took you to a phishing website where you filled out personal information and passwords, change these passwords. If you used the same passwords for any other accounts, change them there, too. Use strong and unique passwords to keep your accounts secure.
  4. If the scammer approached you on a website, online marketplace, or app, report their username on that platform. Also report the scam on a scam alert website, such as the Better Business Bureau’s website. This will help others avoid becoming a victim of the same trick.
  5. If possible, press charges against the criminals that scammed you. Your best bet here is to contact your local police station or national cybercrime report center. If you’re from Europe, you can find a list of platforms to report cybercrime on Europol’s website. If you’re a US citizen, you can contact the IC3.

Don’t Scan a Scam

There are many QR code scams to look out for. Examples include fake letters with QR codes claiming to come from large institutions and companies, QR code-embedded URLs containing malware, and crypto scams. Criminals often use QR codes to commit large-scale CEO fraud as well.

Many QR scams are combined with other scams, such as phishing, and require you to fill out your details for them to be stolen. However, there are also scams where simply scanning a QR code already gets you into trouble, such as online payment scams and QR Bitcoin scams.

That’s why it’s important to be wary of QR codes, especially from sources you’re not familiar with. Remember: don’t scan a scam!

QR Code Fraud: Frequently Asked Questions

Do you have a question about QR code fraud and the many QR scams happening nowadays? You’ve come to the right place! Below we’ll answer some frequently asked questions about QR code scams. Can’t find your question? Feel free to leave a comment and we’ll get back to you as soon as possible.

QR code fraud is the act of getting someone to scan a malicious QR code with the goal of stealing their data and/or money. Often, the QR code leads the scanner to a dangerous website, where they are either prompted to fill out personal information or face the danger of viruses and other malware. There are many types of QR code scams, such as scams involving Bitcoin and other cryptos.

Absolutely. Unfortunately, there are many ways for cybercriminals to steal your hard-earned cash using QR codes. Many QR scams try to get you to transfer money directly to cybercriminals. A scammer might, for instance, contact you about fake investment opportunities and ask you to transfer Bitcoin via a QR code. Or they might ask you to scan a QR code to help them pay for parking. If you want to learn how to protect yourself, read this article about QR code fraud.

You most definitely can. In fact, some websites you might be sent to via a QR code could automatically download harmful files containing malware or a “QR code virus” to your computer. These automatic downloads are called drive-by downloads and can infect your device with many different kinds of malware, such as a computer virus or a keylogger.

QR code payments are only safe if you do them responsibly and the code comes from a trusted source. One issue with QR codes is that they can only be read by machines. If you wire transfer some money to a friend, for instance, you can verify their account number, the amount, and all other information before finally sending the money. With a QR code, this is not the case, which makes it faster, but also more dangerous.

Tech journalist
Nathan is an internationally trained journalist and has a special interest in the prevention of cybercrime, especially where vulnerable groups are concerned. For VPNoverview.com he conducts research in the field of cybersecurity, internet censorship, and online privacy. He also contributed to developing our rigorous VPN testing and reviewing procedures using evidence-based best practices.