
QR Code Security: How to Scan Safely and Avoid Scams

QR codes are everywhere — but they can lead to phishing sites, malware downloads, and payment fraud. Learn to scan safely.

Raimundo Coelho, Cybersecurity Specialist
February 22, 2026

How QR Codes Work

QR (Quick Response) codes are two-dimensional barcodes that encode data in a pattern of black and white squares. Originally developed in 1994 for tracking automotive parts, they have become a ubiquitous part of daily life, appearing on restaurant menus, parking meters, product packaging, event tickets, and payment terminals.

A QR code can encode several types of data: a URL that opens in your browser, plain text, contact information (vCard), Wi-Fi network credentials, email addresses, phone numbers, or geographic coordinates. When you scan a QR code with your phone's camera, the device decodes the pattern and takes the appropriate action, such as opening a website or connecting to a Wi-Fi network.
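As an added illustration (not part of the original article), the sketch below classifies a decoded payload into the data types listed above and names the action a scanner would typically offer. Function names and the sample payload are hypothetical; the Wi-Fi branch assumes the common `WIFI:T:...;S:...;P:...;;` text convention with backslash escapes.

```python
import re

def split_escaped(s, sep=";"):
    """Split on sep, honouring backslash escapes (the WIFI: payload convention)."""
    parts, cur, esc = [], "", False
    for ch in s:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        elif ch == sep:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return parts + [cur]

def parse_wifi(p):
    f = dict(x.split(":", 1) for x in split_escaped(p[5:]) if ":" in x)
    # The password (P field) is deliberately not returned.
    return {"ssid": f.get("S", ""), "auth": f.get("T") or "nopass"}

def parse_vcard(p):
    m = re.search(r"^FN[^:\n]*:(.*)$", p, re.M | re.I)
    return {"name": m.group(1).strip() if m else ""}

def parse_geo(p):
    lat, lon = p[4:].split(";")[0].split(",")[:2]  # ValueError if malformed
    return {"lat": float(lat), "lon": float(lon)}

HANDLERS = [  # (prefix, kind, action a scanner typically offers, detail parser)
    ("WIFI:", "wifi", "join a Wi-Fi network", parse_wifi),
    ("BEGIN:VCARD", "vcard", "add a contact", parse_vcard),
    ("MAILTO:", "email", "compose an email", lambda p: {"to": p[7:].split("?")[0]}),
    ("TEL:", "phone", "dial a number", lambda p: {"number": p[4:]}),
    ("GEO:", "geo", "open a map", parse_geo),
    (("HTTP://", "HTTPS://"), "url", "open in browser", lambda p: {"url": p}),
]

def classify(payload):
    """Map a decoded QR payload to its data type and the action it would trigger."""
    p = payload.strip()
    for prefix, kind, action, parse in HANDLERS:
        if p.upper().startswith(prefix):
            try:
                return {"kind": kind, "action": action, "details": parse(p)}
            except ValueError:
                break  # malformed payload: fall back to plain text
    return {"kind": "text", "action": "display text", "details": {}}

SAMPLE_WIFI = r"WIFI:T:WPA;S:Cafe\;Guest;P:s3cr\:et;;"  # constructed sample
```

A result of `kind == "wifi"` with `auth == "nopass"` means the code would join the phone to an open network, which deserves the same pause as an unexpected URL.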

The critical security issue is that humans cannot read QR codes visually. Unlike a printed URL that you can inspect before typing it into your browser, a QR code is opaque until your device decodes it. This opacity is exactly what attackers exploit.

Types of QR Code Scams

Quishing (QR Code Phishing)

Quishing is the most common QR code attack. Attackers create QR codes that direct victims to convincing phishing websites designed to steal login credentials, financial information, or personal data. These codes might appear in phishing emails, on fake flyers posted in public places, or even on stickers placed over legitimate QR codes.

A typical quishing attack might involve a fake parking meter sticker with a QR code that leads to a fraudulent payment page. The victim believes they are paying for parking but is actually entering their credit card information on an attacker-controlled site.

Physical Overlay Attacks

In overlay attacks, criminals place a sticker containing a malicious QR code directly over a legitimate one. This technique is particularly effective at restaurants, bus stops, trailheads, and other public locations where QR codes are posted for convenience. The victim has no reason to suspect the QR code has been tampered with because it appears to be part of the original signage.

Payment Fraud

QR codes used for payment systems are attractive targets. Attackers can replace merchant QR codes with their own, redirecting payments to their accounts. In markets where QR-based payments are widespread, this type of fraud has resulted in significant financial losses. The merchant often does not realize the substitution has occurred until they notice missing payments.

Malware Distribution

While less common on modern smartphones due to improved security, QR codes can link to malicious file downloads. On Android devices especially, a QR code might direct the browser to download an APK file that, if installed, grants the attacker access to the device. Even on iOS, malicious QR codes can lead to websites that exploit browser vulnerabilities.

How to Scan QR Codes Safely

Always Preview the URL Before Visiting

Modern smartphone cameras and QR scanning features display the decoded URL before opening it. Take a moment to read the URL carefully. Check that the domain name matches what you expect. A QR code at a Starbucks should lead to starbucks.com, not starbucks-rewards-claim.com or starbvcks.com. Watch for subtle misspellings, unusual top-level domains, and unnecessarily long URLs with many parameters.
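The checks described above can be made mechanical. The following is an added example, not code from the original article: it reviews a decoded URL against the domain you expected and returns warning labels. The function names, warning labels, and thresholds are hypothetical, and taking the last two host labels as the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlsplit, parse_qsl

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain;
    # a production check would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def review_url(url, expected_domain, max_params=4, max_len=120):
    """Return warning labels for a decoded QR URL; an empty list means no flags.

    max_params and max_len are illustrative thresholds, not standards.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    domain, expected = base_domain(host), expected_domain.lower()
    if domain != expected:
        brand, name = expected.split(".")[0], domain.split(".")[0]
        if brand in host:
            warnings.append("brand-in-unexpected-domain")
        elif edit_distance(name, brand) <= 2:
            warnings.append("lookalike-domain")
        else:
            warnings.append("domain-mismatch")
    n_params = len(parse_qsl(parts.query, keep_blank_values=True))
    if n_params > max_params or len(url) > max_len:
        warnings.append("long-or-parameter-heavy")
    return warnings

# Constructed samples built from the domains named in the paragraph above.
SAMPLES = ["https://www.starbucks.com/rewards",
           "https://starbucks-rewards-claim.com/login",
           "https://starbvcks.com/"]
```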

Use Your Phone's Built-In Camera

Your phone's default camera app is the safest QR code scanner. Both iOS and Android have built-in QR code reading capabilities that display the URL before taking action. Avoid downloading third-party QR scanner apps, as some have been found to contain adware, unnecessary tracking, or even malware themselves. The built-in scanner does everything you need.

Inspect Physical QR Codes for Tampering

Before scanning a QR code in a public place, look for signs that a sticker has been placed over the original code. Check for raised edges, misaligned graphics, differences in print quality, or codes that appear to have been stuck on top of existing signage. If something looks off, do not scan it.

Never Enter Sensitive Information on QR-Linked Pages

If a QR code leads you to a page requesting login credentials, credit card numbers, or personal information, stop and navigate to the website directly by typing the known URL into your browser. Legitimate organizations will not require you to enter sensitive data through a QR code landing page.

Be Skeptical of Unsolicited QR Codes

Treat QR codes in unexpected emails, text messages, or mail with the same suspicion you would apply to unsolicited links. An email claiming your package delivery requires scanning a QR code is almost certainly a phishing attempt. Similarly, QR codes posted randomly on street poles or slipped under your windshield wiper should be avoided.

QR Codes and Your Privacy

Beyond outright scams, QR codes can be used for tracking purposes. Dynamic QR codes, where the destination URL is controlled by a server and can be changed after creation, often include tracking parameters that identify when, where, and how often the code was scanned. Marketing QR codes routinely collect data about your device, location, and scanning behavior.

If you are privacy-conscious, consider using our URL shortener to create your own clean QR codes for sharing links, rather than relying on third-party QR code generators that may embed tracking. When scanning marketing QR codes, be aware that you are likely being tracked, and consider whether the convenience is worth the data exposure.

What to Do If You Scanned a Suspicious QR Code

If you realize you scanned a malicious QR code, act quickly. Close the browser tab immediately without entering any information. Clear your browser cache and cookies. If you entered any credentials, change those passwords immediately using a strong password from our password generator. Monitor your financial accounts for unauthorized transactions. Run a security scan on your device if you downloaded any files. Report the malicious QR code to the business or location where you found it so they can warn others and remove it.

QR codes are a convenient technology, but their opacity makes them a natural tool for attackers. A few seconds of caution before acting on a scanned QR code can prevent significant harm.

Written by Raimundo Coelho

Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.
