How to Spot a Fake QR Code and Avoid Getting Scammed
Criminals are creating fake QR codes to scam unsuspecting people. Here's how to stay safe.
As a way to reduce contact during the pandemic, businesses put QR codes to good use, enabling people to safely order food, pay for parking, redeem offers, and more, all without risking COVID-19 transmission. These codes quickly became part of our daily lives, and scammers noticed. They began placing fake QR codes where legitimate ones were used, making it hard to know which ones to trust. The FBI has even warned about this malicious attack.
In a world of love bombing and credit card skimmers, we need to be vigilant about circumstances that don’t feel right. Scams related to shopping are rampant—from brushing scams to Amazon email scams to gift card scams—but QR codes are relatively new, which is part of what makes them dangerous. “Individuals may be used to receiving scam emails,” says Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance. “But they may not be aware that QR codes are now a cyber threat as well and oftentimes scan these codes without even thinking twice about potential cybersecurity consequences.”
It’s pretty easy to create a fake QR code, and it can be difficult to determine if a code is real before you scan. But there are some ways to protect yourself and maintain online security. Keep reading to find out how.
Can you fake QR codes?
Unfortunately, it’s pretty easy for scammers to make a fake QR code online for free. “Since QR codes just look like a bunch of lines and blobs to most of us, it’s really difficult to spot a fake QR code,” says cybersecurity attorney Eva Novick.
Cybercriminals often print fake QR codes on stickers and replace legitimate QR codes with phonies on flyers and other collateral items. As with other cybercrimes, like phishing attacks, the goal is to fool you into revealing sensitive information.
Are fake QR codes dangerous?
The term “fake QR code” may be a bit misleading, and it could fool you into thinking there’s no harm. After all, the codes are fake, right? Not exactly, says Zack Morrison, chief technology officer and cofounder of Brij, a platform for brands to create QR code experiences for their products.
“I wouldn’t use the term ‘fake QR codes’ but maybe use the term ‘fraudulent QR codes,’” he says, “the distinction being that a QR code can be real—it’s functional and will take the user to a website when scanned—but it may be designed to take the user to a fraudulent website that is posing as a legitimate site.”
Follow a fake QR code to a fraudulent site, and you could run into security risks. Your log-in credentials, credit card information, and financial information might be stolen. You could unknowingly make payments to phony vendors. Or your device could become infected with malware that can steal your personal information—and it can be hard to know when there’s malware or spyware on your computer, tablet, or phone.
How can you tell if a QR code is real?
If the naked eye can’t detect a fake QR code, how are we supposed to know if it’s legitimate or phony? Eric Florence, a cybersecurity analyst with SecurityTech, offers sound advice—trust your gut—but also a telltale sign a QR code is fake. “A legit QR code is never going to take you to a page that tries to scare you into inputting your personal information,” he says. “If there are any fear tactics or time constraints, it’s a scam.”
QR codes are everywhere these days, but a QR code on a flyer might not be safe to scan. “Make sure that you are getting that code from a trusted source,” says Craig Lurey, chief technology officer and cofounder of Keeper Security. “If the code doesn’t look like it fits with the background, don’t scan it.”
Casey Crane, a cybersecurity expert with web security company SSL Store, warns against sticker QR codes. “If the QR code you’re about to scan is a sticker,” she says, “it’s possible that someone may have added it after the legitimate company’s flyer was posted.”
If you’re at a restaurant or store, double-check with an employee to make sure the business is using the QR code. “It’s possible that someone may have posted a QR code flyer or resource without them noticing it,” Crane says, and it’s better to be safe than sorry.
Finally, though smartphone cameras aren’t sophisticated enough to know if a code is secure or not, there’s a trick you can try to determine whether a QR code is safe. “Most new smartphone and mobile device cameras will show you a preview of a code’s URL as you start to scan it,” says James Turgal, vice president of cyber risk for Optiv Security. “If the URL looks strange, don’t continue.”
As with crimes like four-word phone scams and area code phone scams, your best protection against a QR code scam is skepticism and caution.
How can you protect yourself?
“Once you’ve scanned a QR code, look at the URL of the website to ensure that it is legit,” says Kristen Bolig, CEO of home security company SecurityNerd. “For example, it should start with ‘https://’ and not ‘http://.’”
The best way to protect yourself from falling victim to a fake QR code is to follow the same precautions you’d take to avoid other cyber scams. For QR codes, ask yourself if the URL looks correct. “Make sure to pay attention to small spelling errors,” Novick says. “Gooogle.com and Googgle.com are not the same sites as Google.com.”
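The URL checks described above (an https:// scheme and a correctly spelled domain), written out as an added example that is not part of the original article. The allowlist `EXPECTED`, the `.test` domain and the function names are assumptions made for illustration; the example also shows that a misspelled domain is flagged even when it is served over https.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains a reader expects a scanned code to open.
EXPECTED = {"google.com", "example-parking.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling one-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess_qr_url(url: str, expected=EXPECTED) -> list:
    """Return a list of findings for a URL decoded from a QR code.

    An empty list means: https scheme and a host on the allowlist.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        findings.append("no-host")
        return findings
    # Exact match or a true subdomain of an expected domain is accepted.
    if any(host == d or host.endswith("." + d) for d in expected):
        return findings
    # Compare the host's trailing labels with each expected domain so that
    # "login.googgle.com" is still measured against "google.com".
    for d in sorted(expected):
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if 0 < edit_distance(tail, d) <= 2:
            findings.append("lookalike-of:" + d)
            return findings
    findings.append("unexpected-host")
    return findings
```
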
The experts unanimously agree that if you scan a code and it takes you to an unrelated site, exit immediately. Avoid downloading QR scanner apps, says the FBI. They raise your risk of downloading malware. Instead, download these security apps to protect yourself, and be sure you have two-factor authentication set up for all your accounts. That way, if you accidentally download malware, it’ll be harder for hackers to get to your passwords list.
If you have any question as to whether a site is safe, open a browser and type in the site name. “Being smart and observant can help you protect yourself from most online scams,” Novick says.
Sources
- Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance
- Eva Novick, cybersecurity attorney with Foster Garvey
- Casey Crane, cybersecurity expert with SSL Store
- Eric Florence, cybersecurity analyst with SecurityTech
- Craig Lurey, CTO and cofounder of Keeper Security
- Zack Morrison, CTO and cofounder of Brij
- James Turgal, VP of cyber risk for Optiv Security
- Kristen Bolig, CEO of SecurityNerd