It’s called quishing: a combination of “QR code” and “phishing”. The square black-and-white grid that usually translates into a website, plain text, a map address, and so on can also lead to fraud. QR codes look harmless, and we usually don’t think twice before scanning them. This is where things get tricky: a QR code can lead to a malicious website as easily as a real one, and you won’t know which one you are getting until you click.
QR codes became popular after COVID-19. They are sometimes your access to the menu at a restaurant, your way to get tickets for an event, or a source of information about a product you just bought. While QR codes aren’t inherently unsafe(1), hackers can embed malicious URLs in a QR code which, when scanned, can transfer data from your mobile device. Hackers can also embed links that send you to fake or phishing sites, tricking you into sharing personal or financial data(2). So, how do we recognize tampered or hijacked QR codes? Is there a way to spot them before we scan them?
There are two types of QR codes: static and dynamic. Static QR codes, as the name suggests, are fixed; the content they point to cannot be altered once created. In contrast, the content of dynamic QR codes can be changed, but only if you can access the user account that originally created them. So there is no risk of data tampering or unauthorized access unless someone has access to the original creator's account. By the way, dynamic codes are more secure than static codes because you can always edit them. Thus, if you are developing a QR code for your business or customers, opt for a dynamic one(1).
Does that mean that most QR codes are safe? Probably. But we still need to be careful of scammers who can exploit QR codes for fraud by creating malicious ones and placing them in public or everyday spots. Simply scanning a fake QR code won’t damage your device; the risk arises when you follow the links or instructions the malicious code directs you to. For instance, a hacker can make a fake QR code, stick it over a real one, and trick you into believing it is authentic. That would lead you to a website or app that can contain a virus, expose your financial details, or allow fraudsters access to your phone(1).
QR code scams typically fall into three categories:
- Fake QR codes that direct you to a website asking for sensitive information, like credit card details.
- Fraudulent QR codes that trigger the download of malicious software to your phone.
- QR codes that redirect to non-existent rewards or discounts(3).
The first line of defense is to avoid scanning QR codes from sources you don’t trust, such as suspicious-looking emails. Inspect the sender’s email address closely and confirm it is from a trustworthy source. Rest assured, the QR code for the menu at your local restaurant is usually safe. If you use a QR code scanning application (instead of the camera), use a safe one. It is also good to check the design and branding of the QR code, because ideally the content it directs to should have the brand’s logo and colors.
Afterward, examine the URL before taking action to ensure it’s legitimate. Secure websites have HTTPS in their web address (not HTTP) and appear with a padlock symbol next to their URL. However, a QR code can lead to a page with the company’s graphics and HTTPS in its web address and still be malicious. In this case, look for grammatical errors or typos. You can also use VirusTotal to analyze suspicious URLs and see whether they are safe to open. Finally, be cautious of QR codes that come with a sense of urgency, like “Scan the QR code to verify your identity” or “Avoid deletion of your account”.
If you fall for a QR scam, you will want to have a safety net. Turn on two-factor authentication for every account, log out of devices you don’t use, and double-check that your personal details for account recovery are updated. Another tip is to keep your software (your web browser and mobile operating system (OS)) up to date, as some of the latest versions show an on-screen warning if you are about to visit a risky site(4).
All things considered, QR codes offer advantages for entrepreneurs, marketers, and others. They are convenient, easy to use, and result in swift audience engagement. QR codes can also be used in marketing or promotional campaigns, whose success can be measured by monitoring scan frequency, location, and type of device used.
By educating users - like you today - and adopting digital security practices, we can maximize the benefits of QR codes and minimize their associated risks. This balance will help us make the most of QR codes and enjoy the tool's full potential securely and responsibly.
Footnotes