
Beware of QR code fraud: How to protect yourself


QR codes have become a normal part of our daily lives. Whether it’s scanning a code to check a restaurant menu, paying for parking, or visiting a company’s website, those little black and white squares are everywhere and can be pretty handy.  

 

What used to be a niche tool has now gone mainstream, especially after the Covid-19 pandemic pushed businesses to embrace contactless options. It's convenient, fast, and incredibly easy. However, as with all things digital, this convenience comes with risks. QR code fraud is on the rise, and we all need to stay alert, but how exactly do we do that? 

 

The rise of QR codes 

Before we jump into the dangers of QR code fraud, let’s take a look at how we got here. 

 

It goes without saying that the pandemic changed many aspects of our lives, especially how we interact with businesses and services. Restaurants, for instance, began relying heavily on QR codes to replace physical menus. You’d walk into a café, find a QR code at the table, scan it with your phone, and voilà – the menu would pop up on your screen. This was of course to minimise contact, reduce the risk of spreading the virus, and improve convenience for both customers and staff. 

 

It didn’t stop at restaurants. Banks, retailers, and even transportation systems began using QR codes more frequently. Whether it’s to track deliveries or authenticate digital payments, QR codes have become second nature. However, that very convenience has opened a door for fraudsters to take advantage of unsuspecting users. 

 

What is QR code fraud? 

Unfortunately, wherever there’s a new technology, there’s someone trying to exploit it. QR codes are sadly no exception. A concerning scam involves criminals replacing legitimate QR codes with their own malicious versions. This can be done physically, by sticking a fake QR code over a legitimate one, or digitally, by creating a link that looks innocent but leads to a dangerous site. QR codes can make this much harder to spot as you have no preview of the link beforehand. 

 

One high-profile example of this involved fake QR codes in parking lots. Scammers stuck their own QR codes over legitimate parking meters. When drivers scanned the code, instead of paying the parking fee, they were unknowingly sending their money to scammers. Worse, some codes led to phishing websites designed to steal personal and financial information. 

 

Another alarming incident involved Sky, the popular television and internet provider. Customers reported being redirected by third-party apps when scanning a Sky QR code for assistance or account management. Unfortunately, they were led to fraudulent websites designed to steal login credentials and personal information. These scams are becoming increasingly sophisticated, especially with advancements in AI technology, making it harder for the average person to distinguish between legitimate and fake QR codes. 


Sky has responded to this by advising customers to scan QR codes only with their phone's built-in camera, not through third-party apps. 

 

How can you spot a fake QR code? 

Now that you know what QR code fraud is and the impact it can have, your next question is undoubtedly “How can I spot a fake QR code?” With QR code fraud becoming more widespread, it's really important to stay vigilant. Here are some red flags and precautions you can take to protect yourself:

 

Check your surroundings 

Before scanning a QR code, take a moment to assess where you are. Is this a place you trust? If you’re in a restaurant, café, or business, the QR code is more likely to be legitimate. However, if you’re in a public space or an unfamiliar environment, be more cautious. Fake codes are often stuck on top of real ones in busy areas like parking lots, bus stops, or public buildings. Take some time to double-check the QR code, and if it looks suspicious, don’t scan it. 

 

Check for tampering 

Fraudsters often place fake QR code stickers over the original ones. Before scanning, quickly run your fingers over the QR code. Does it feel like a sticker? Is it placed oddly or misaligned? These are signs that the code may have been tampered with. If something feels off, it's better to avoid scanning it. 

 

Verify the website URL 

After scanning a QR code, take a moment to review the website link that pops up. Legitimate businesses should have websites that are easy to identify. Always double-check that the URL matches the business you're expecting. Then look for a secure connection (https) and make sure the website has a padlock icon in the address bar. This indicates that the connection to the site is encrypted and safer to interact with. Encryption on its own does not tell you who runs the site, so the URL check comes first.

 

Be wary of unexpected QR codes 

If you receive a QR code through an unsolicited email, text, or letter, be very cautious. Just because it looks like it came from a trusted source, like your bank, doesn’t mean it’s legitimate, as scammers are getting increasingly skilled at creating convincing copies of official letters or emails. Always verify the source by contacting the company directly before scanning any QR codes. In the case of the Sky postal scam, customers would have been safer if they had visited Sky’s website directly or contacted customer support. 

 

Use a password manager 

Password managers check the URL of the site you are on against the one saved with your login, so they can automatically detect when a website is not the legitimate one. If a fake QR code directs you to a phishing website, a password manager will not fill in your credentials, offering another layer of protection against scams.
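The URL check described under "Verify the website URL", and the URL matching a password manager relies on, can be written down as a short script. This is an added example, not code from the original article: the function name, the domain cityparking.example and the sample links are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_qr_url(decoded, expected_domain):
    """Return a list of reasons to distrust a URL decoded from a QR code.

    An empty list means every check passed. expected_domain is the site
    you meant to reach, typed by you, never taken from the code itself.
    """
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("not https")
    if not host:
        return problems + ["no host"]
    if parts.username is not None:
        problems.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        problems.append("raw IP address")
    except ValueError:
        pass  # not an IP literal, which is what we want
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised host label")
    expected = expected_domain.lower().rstrip(".")
    # Exact match or a true subdomain; "expected.evil.test" must not pass.
    if host != expected and not host.endswith("." + expected):
        problems.append("host does not match expected domain")
    return problems


# Constructed sample payloads (reserved .example/.test names, TEST-NET address).
SAMPLES = [
    "https://pay.cityparking.example/zone/12",
    "http://cityparking.example/pay",
    "https://cityparking.example.pay-now.test/zone/12",
    "https://cityparking.example@203.0.113.7/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "cityparking.example") or "ok")
```

The third and fourth samples both put the trusted name at the start of the link while the real host is something else, which is the pattern to look for when reading the preview on your phone.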

 

What to do if you’ve scanned a malicious QR code 

Accidentally scanning a fake QR code can happen to anyone, so if you realise you’ve been tricked, act fast: 

 

  • Disconnect from the internet immediately to stop any potential data transmission. 

  • Check your accounts for any unusual activity. This includes bank accounts, email, and social media platforms. Even if you don’t spot strange activity, it’s a good idea to change all of your passwords and alert the relevant companies.

  • Report the scam to the business or service provider whose QR code was spoofed. They may not be aware of the issue and can take steps to prevent further incidents. 

 

 

Need some support with your organisation’s cyber security? Contact us today to find out how we can help. 



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

 

The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
