QR code scams and how to avoid them

Lyle Docherty
Thursday 21 September 2023

There has been a rise in phishing attempts containing QR codes in the last month. A QR or ‘quick response’ code is a popular type of 2D barcode that allows anyone with a smartphone to scan and read the digital content.

Unfortunately, cybercriminals have been exploiting this trend, because scanning a QR code on your smartphone has fewer layers of protection than receiving a website link on your laptop or desktop. This blog will detail the different types of QR code scams, how to recognise them, and how to protect yourself.

Three different types of QR code scams

Cybercriminals are using several methods, online and offline, to direct you to fraudulent websites to gain access to your sensitive information.

Kaspersky notes that while many are aware “that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device.” These actions include directing you to drive-by downloads where the website attempts to install malware, as well as adding contacts or composing emails.

1. Within phishing emails

Like traditional phishing emails, the scammer will pose as a reputable company but include a QR code instead of a link. Once you scan the code, you’re taken to a website which asks you to enter your personal information. Cofense Email Security have reported a 2400% increase in malicious QR code phishing volume since May 2023.

2. Delivered to you as mail

Scammers may also send out QR codes by post, claiming that you have won a prize giveaway or missed a parcel delivery, with directions for you to follow to make a claim.

3. Distributed in public

Last month in England, there were several reports of fraudsters planting fake QR codes on parking meters to capture payment card information from car park users. The scammers went on to withdraw small amounts of money from the accounts.

How to spot a malicious QR Code

Scrutinise the surrounding content like you would any other phishing email. If something about a QR code within an email in your University inbox seems off or suspicious, trust your instincts and don’t scan it. Use the ‘four ways to spot a phishing email’ blog post for telltale signs. Report these to [email protected].

Install a reputable QR code scanner app on your smartphone, such as your camera app, Microsoft Lens or Google Lens. These may offer options to copy the link as well as open it, so you can paste it elsewhere and check its validity. You should also check your settings to ensure that alerts for malicious websites are turned on.
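As an added example (not part of the original post), the Python code below takes the text copied from a scanner app, labels which of the actions mentioned earlier it would trigger (open a URL, add a contact, compose an email), and lists common warning signs in a URL. The function names, warning rules and sample payloads are constructed for illustration; an empty warning list does not prove a link is legitimate.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefixes and the action a scanner app typically offers for each.
ACTIONS = [
    ("mailto:", "compose email"), ("matmsg:", "compose email"),
    ("begin:vcard", "add contact"), ("mecard:", "add contact"),
    ("http://", "open URL"), ("https://", "open URL"),
]

def classify(payload: str) -> str:
    """Return the action a decoded QR payload would trigger."""
    head = payload.strip().lower()
    for prefix, action in ACTIONS:
        if head.startswith(prefix):
            return action
    return "plain text / other"

def url_warnings(payload: str) -> list:
    """List reasons to distrust a URL payload (illustrative rules only)."""
    parts = urlsplit(payload.strip())
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        # Text before '@' is not the site you will reach.
        warnings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        warnings.append("IP address instead of domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname (possible lookalike)")
    return warnings

def triage(payload: str) -> tuple:
    """Return (action, warnings); warnings apply only to URL payloads."""
    action = classify(payload)
    return action, (url_warnings(payload) if action == "open URL" else [])

# Constructed sample payloads, as they would appear after copying from a scanner.
SAMPLES = [
    "https://university.example/parking",
    "http://203.0.113.7/pay",
    "https://bank.example@xn--pple-43d.example/login",
    "mailto:helpdesk@university.example?subject=Reset",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Help Desk\nEND:VCARD",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), "<-", sample.splitlines()[0])
```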

Ways to protect yourself from fraudulent QR codes

Very few services will use QR codes as a point of entry or payment. Organisations that do use QR codes, such as Duo Security and HMRC, will present QR codes after you have logged into a secure portal.

If you aren’t sure whether the QR code is legitimate, look up the company details online and ask them to confirm its authenticity. Don’t use the details provided in the email you are scrutinising. If you are directed to a scam website from your personal inbox, you can report it online to the National Cyber Security Centre. If using your University email, contact [email protected].

Keep your devices, especially your smartphones, updated with the latest security patches. As new scams rise in popularity, new features to help users stay safe may also be released. Read our earlier post ‘the importance of updates’ for more information.
