QR codes are everywhere these days. They are square barcodes that can store various kinds of data, such as URLs, text, or contact information. They can be scanned by a smartphone camera to access the encoded information with a single tap. They offer convenience and efficiency for both businesses and consumers, especially in the context of the COVID-19 pandemic, which has increased the demand for cashless and contactless transactions.

However, QR codes also pose significant security risks, as they can be exploited by cybercriminals to launch phishing attacks, steal personal or financial information, or infect devices with malware. Unlike regular links or attachments, QR codes are not easy to inspect or verify before scanning. They can also be manipulated or replaced by malicious actors to deceive unsuspecting users. In this article, we will discuss some of the common QR code scams and how they work, as well as some of the recent hacking attempts that have used QR codes for malicious purposes. We will also provide some tips on how to use QR codes safely and avoid falling victim to these threats.

Common QR code scams and how they work

One of the most prevalent QR code scams is the overlaid QR code, where a fraudster prints out a fake QR code sticker and places it over a legitimate one. This can happen in various scenarios, such as in shops, restaurants, parking meters, or public spaces. The fake QR code may lead the user to a phishing website that mimics the original one, or to a malicious app that requests permissions or downloads malware. For example, in China, a bike-sharing scheme was targeted by scammers who replaced the QR codes on the bikes with their own, which redirected users to a fake payment app that stole their money².

Another QR code scam is the bait-and-switch, where a fraudster entices the user to scan a QR code by offering a tempting deal, a free gift, or a donation to a charity. The QR code may then take the user to a fraudulent website that asks for personal or financial information, or to a malicious app that installs malware or ransomware. For example, in the UK, a scammer sent out text messages claiming to be from the National Health Service (NHS), offering a free COVID-19 test kit. The text message contained a QR code that directed users to a fake NHS website that asked for their bank details.

A third QR code scam is the social media scam, where a fraudster uses a QR code to promote a fake or hacked account on a social media platform, such as Facebook, Instagram, or Twitter. The QR code may appear on a post, a comment, or a direct message, and may claim to offer a prize, a discount, or a follow-back. The QR code may then lead the user to a phishing website that asks for their login credentials, or to a malicious app that hijacks their account or steals their data. For example, in the US, a scammer posted a QR code on Twitter, claiming to be a celebrity and offering a chance to win a free iPhone. The QR code took users to a fake Apple website that asked for their Apple ID and password.
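Each of the scams above relies on the user following the decoded link without ever seeing where it points. The routine below is an added example, not part of the original article: it assumes the scanner app has already decoded the QR symbol into a text payload, and it returns risk flags (plain HTTP, lookalike or unexpected host, URL shortener, IP-literal host, credentials embedded in the URL, non-URL payloads) that a cautious user or a corporate scanner app could show before the link is opened. The shortener list and expected hosts are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list of link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def triage_qr_payload(payload: str, expected_host: str = "") -> list:
    """Return risk flags for a decoded QR payload; an empty list means nothing was flagged.

    expected_host is the domain the user believes the code belongs to (e.g. "nhs.uk").
    """
    flags = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        # http, custom app schemes, or non-URL payloads (WIFI:, tel:, ...) all get flagged
        flags.append(f"scheme:{scheme or 'none'}")
    host = (parts.hostname or "").lower()
    if not host:
        flags.append("no-host")
        return flags
    if parts.username or parts.password:
        # "https://bank.example@evil.example/" actually goes to evil.example
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("idn-host")  # internationalised name: possible homograph of a brand
    if host in SHORTENERS:
        flags.append("url-shortener")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            brand = exp.split(".")[0]
            # brand name reused inside a different domain is the classic lookalike
            flags.append("lookalike-host" if brand in host else "unexpected-host")
    return flags


if __name__ == "__main__":
    for sample, expected in [("https://www.nhs.uk/test-kit", "nhs.uk"),
                             ("http://nhs-covid-kit.example/claim", "nhs.uk"),
                             ("https://bit.ly/3abc", "apple.com")]:
        print(sample, "->", triage_qr_payload(sample, expected) or "no flags")
```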

Recent hacking attempts using QR codes

QR code scams are not only limited to individual users, but can also target organizations and businesses. In some cases, hackers have used QR codes to exploit vulnerabilities in software or hardware, or to gain access to sensitive systems or networks. Here are some of the recent hacking attempts that have used QR codes for malicious purposes:

How to use QR codes safely

QR codes are not inherently malicious, but they can be used as a vector for cyberattacks. Therefore, users should be cautious and vigilant when scanning QR codes, and follow some basic security practices, such as: