QR Codes or Quick Response Codes aren’t new, but have gained massive traction over the past decade, especially after COVID-19. Chances are you’ve scanned at least one QR Code today before reading this article.
But, as with every tool, the question arises: Are all QR Codes safe to scan?
Several QR Code scams have come to the forefront and are said to be on the rise. Innocent scanners who failed to identify a fake website, or accidentally gave their credit card details away, have been victims of tampered QR Codes.
So, how can you be wary of such hijacked or tampered QR Codes? Is there any way to detect them? Or what are the next steps if you’ve accidentally scanned an unsafe QR Code?
In this article, we talk about QR Code scams, how to check if a QR Code is safe or fraudulent and tips to make QR Codes safer.
Table of contents
- What are some types of QR Code scams
- How to check if QR Code is safe
- What to do if you’ve scanned a fraudulent QR Code
- Frequently asked questions
What are some types of QR Code scams?
Quishing, or QR Code phishing, is when hackers trick users in order to exfiltrate their sensitive data.
Upon scanning a malicious QR Code, uninitiated users submit their private information or download malware onto their mobile devices.
QR Code scams are often of three types:
- A fraudulent QR Code that leads to a website that prompts users to enter their personal information like credit card numbers
- Fake QR Codes that initiate the download of malicious software onto your mobile device
- Scanning a QR Code that takes you to fake offers like rewards and discounts that don’t exist
It is due to these scams that authorities the world over, including the FBI, have issued a warning against malicious QR Codes.
How to check if a QR Code is safe
| ✅ Safe QR Code | ❌ Fake QR Code |
| --- | --- |
| Customized design on QR Code and the website it leads to | Generic design and website missing branding with grammatical errors, typos, a time limit to put in your details or other scare tactics |
| Sent from legitimate email address with business domain | Sent from fake, misspelled email addresses, usually without business domain |
| No signs of physical tampering in physical QR Code | Signs of tampering, such as a sticker placed over the original QR Code |
| HTTPS secure website URL | HTTP, or other website URL |
| Trusted source | Unknown source such as phishing emails |
Be it a restaurant, a parking meter or a suspicious email, a QR Code scam may be anywhere. But instead of avoiding QR Codes altogether, here are a few ways to ensure your next QR Code scan is not a scam:
1. Use safe QR Code scanning apps (if required)
There was a time when you needed to download an app to scan QR Codes.
Today, however, if you have an Android (8 and above) or iOS (11 and above) device, you simply need to point your native camera app at the QR Code to scan it.
If a QR Code requires you to download a scanning app, it might be a scam as these third-party apps ask for permissions unrelated to scanning a QR Code. It is also a sneaky way to hide malware.
Need to use a safe QR Code scanner? Ensure that you pick from our list of best QR Code scanner apps.
💡 Pro tip: If you’re using a QR Code scanning app, always verify the data collection permissions the app requests. QR Code scanning apps do not collect personally identifiable data, according to anti-virus firm Kaspersky. They can only collect location, time of scan and device OS data.
2. Check the source of your QR Code
QR Code phishing emails have become increasingly common. These emails might contain a fraudulent QR Code that hides malware.
Some hackers might impersonate a brand, making it tricky to spot a fake. This is why it is essential to inspect the sender’s email address closely and check if the domain is blacklisted, and avoid scanning QR Codes from unknown sources altogether.
In the above image, a phishing email is disguised as a Microsoft Outlook email asking an unsuspecting user to scan the code to secure their password.
3. Check the design and branding
Most brands create customized QR Codes based on their branding. They might add their logo to the QR Code, use brand colors etc., to trigger brand recall, and as a trust-building component.
Additionally, the content that the QR Code redirects to should ideally have the brand’s URL, logo and design elements in the final destination.
A big red flag is when the website doesn’t contain any branding. In fact, if you see grammatical errors and typos, consider it a warning.
4. Check for any evidence of tampering
Scammers are known to replace authentic QR Codes with fraudulent ones by sticking their fake QR Code over the original design.
These new QR Codes can redirect you to phishing websites that can steal all your personal information.
Simply put, one must watch out for any tampering of QR Codes especially on restaurant menus and outdoor advertising.
5. Examine and preview the URL
Fake QR Codes often lead to a phishing website or an illegitimate app designed to either capture your personal information or steal money.
Instead of scanning a suspicious QR Code, it makes sense to first preview the URL and check if it is a secure website.
Secure websites use HTTPS in their web address, not HTTP. They also appear with a padlock symbol near the URL.
On the other hand, a malicious domain might use an incorrect spelling of the intended brand name or a misplaced letter.
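The URL checks above can be automated once the QR Code's payload has been decoded to text. The following Python sketch is an added example, not part of the original article: `review_qr_url`, the finding labels and the sample domains are constructed for illustration, and it goes slightly beyond the text by also flagging embedded credentials, raw IP hosts and punycode hostnames.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(url, trusted_domains):
    """Return a list of warning labels for a URL decoded from a QR Code."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")            # HTTP or a non-web scheme
    if parts.username or parts.password:
        findings.append("userinfo-in-url")      # text before '@' can mimic a brand
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")      # raw IP instead of a domain name
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")        # may render as lookalike characters
    # Trusted means the exact domain or one of its subdomains (e.g. qr.example.com).
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.append("untrusted-domain")
        tail = ".".join(host.split(".")[-2:])   # rough registrable part of the host
        for d in trusted_domains:
            if 0 < edit_distance(tail, d) <= 2:
                findings.append(f"lookalike-of:{d}")        # misspelled brand name
            elif d in host:
                findings.append(f"brand-in-subdomain:{d}")  # brand used as a prefix
    return findings

# Constructed sample payloads; "example.com" stands in for the brand you expect.
SAMPLES = [
    "https://qr.example.com/menu",
    "http://example.com/pay",
    "https://examp1e.com/login",
    "https://example.com.login-check.test/x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review_qr_url(sample, ["example.com"]) or "no findings")
```

An empty result only means none of these specific checks fired; it does not prove the destination is legitimate.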
What to do if you’ve scanned a fraudulent QR Code
If you’ve already entered some sensitive information and realized that you might have been the victim of a scam, take these steps immediately:
- Change your passwords and add two-factor authentication to important accounts. This is important if you think your personal data could have been accessed.
- Inform your bank to let them know of a potential scam so that preventive measures can be taken. The bank can block your account and even help you set up a new one if needed.
- Sign up for virus or identity theft protection software to safeguard yourself. Such software is designed to detect, prevent and remove any kind of threat to your data.
Make safe QR Codes with Uniqode
If you’re someone looking to create secure QR Codes, this is for you.
A QR Code is as safe as the QR Code generator you choose to use. Platforms like Uniqode deploy industry-leading security measures to keep QR Codes safe from threat actors:
1. Ability to customize the domain
Along with customizing the branding and adding elements like your company logo, a safe QR Code generator that allows you to customize the domain is a keeper.
This means that if you have a website, for instance, peekaboo.com, you can map it to qr.peekaboo.com.
2. SSO or Single Sign On
A QR Code generator like Uniqode is SSO-compliant, which means that it can restrict logins to a few trusted employees, adding another layer of security.
3. GDPR compliance
Customer data is the holy shrine for businesses and must be protected at all costs. Uniqode is GDPR-compliant. It means that it encrypts its customers’ data, restricts access to personal information, and ensures it remains confidential.
4. Ability to password-protect QR Codes
Entities like banks might want to share password-protected QR Codes for bank statements and so on. This feature adds a layer of security and keeps hackers at bay.
5. Age-gated content
Some QR Code generators also offer the option to restrict content based on age. An example of this is a restaurant or bar menu, since such venues typically restrict serving alcohol to underage teens.
Uniqode is SOC 2® Type 2 certified. It means that the American Institute of Certified Public Accountants (AICPA) has given their stamp of approval on our ability to manage your data securely.
This thorough audit process shows that Uniqode has developed a strong ecosystem to fight against internal and external threats.
Frequently asked questions
1. Are QR Codes safe to scan?
While QR Codes are, overall, a safe technology, there have been several cases of phishing, identity theft and malware being downloaded to the user’s phone through inauthentic QR Codes. To prevent this, one should definitely take some precautions before scanning a QR Code, such as:
- Check the source or sender of the QR Code
- Preview the URL before opening it
- Check for any physical tampering i.e. a sticker being placed on the original QR Code
- Don’t give any personal information without double checking the URL and the brand
2. What are the risks with QR Codes?
While not all QR Codes are unsafe, there are scammers using this technology to capture personal data to steal money or a user’s identity. These scams are usually of the following types:
- Scanning a fraudulent QR Code can lead to malware being automatically downloaded to your mobile device, through which hackers can access your personal information
- Scammers also send phishing emails which again involve giving away credit card numbers or such information
- Fake offers and discounts are also promoted through these QR Codes, misleading people
- Inauthentic QR Codes are stuck on top of the legitimate ones in cases of physical tampering.
It is important to exercise caution when scanning QR Codes and double checking the source in case of any suspicion.