That QR Code Might Not Lead Where You Think It Does

Scammers are using QR codes to mask harmful URL links

Got a smartphone? You’ve likely encountered a QR (Quick Response) code. Maybe you’ve pointed your phone’s camera at one, or placed your phone against a scanner to let the machine read a QR code on your screen. It’s a quick and useful way to access and share information. However, as with just about every form of technology today, scammers have figured out how to misuse QR codes for their own malicious purposes.

The Federal Trade Commission (FTC) recently issued a warning about fraudsters using fake QR codes to trick people into giving away their personal information. There’s even a term for it in the cybersecurity industry: quishing, a variation on phishing, in which fraudsters send fake messages designed to steal personal data or download spyware or malware onto devices.

Here’s a closer look at QR codes, how scammers can manipulate them, and what you can do to stay protected against this latest risk.

How QR codes work, and where they’re found

A QR code is a square-shaped grid that looks like a cross between a product bar code and a complex maze. Each one contains a unique pattern of black boxes and lines against a white background. (It may also include a logo or icon associated with a brand, although that doesn’t guarantee its legitimacy.) The size of the code can range from tinier than a postage stamp to larger than the side of a building.

You’ll find QR codes just about everywhere: on outdoor signs and advertising, on product packaging, in print publications, on restaurant tables in lieu of menus, on digital tickets for events and flights. They help avoid manual lookups of information or typing long URLs to access websites; in the pandemic era, they can even help you avoid touching or sharing physical items like food menus or medical office sign-in sheets.

When you see a QR code, you point your smartphone’s camera at the grid, and it automatically captures and scans it. If the code contains a URL link, the link appears on your phone’s screen. By tapping the link, you’re taken to a web page. (If you receive a QR code via email on your phone, you can either print the email or open it on another device, and scan from there.)

How scammers exploit QR codes

Scammers might send you an email or text impersonating a legitimate, well-known business, urging you to act immediately by scanning an embedded QR code. They could, for example, pretend to be a package delivery service instructing you to contact them to reschedule a delivery, a retailer telling you there’s an issue with your account information, or a bank claiming there’s been suspicious activity in your account.

Scammers can also place QR codes in public areas—for example, on parking meters, kiosks, or advertising messages—by creating fake signage or pasting their own fraudulent codes over legitimate ones. There have also been reported cases of scammers placing harmful codes in social media messages and instant messaging apps, and hijacking the "Login with QR code" feature popular among many apps and websites.

Regardless of where you see it, if you click a fraudulent link from a QR code, you could open the door to spyware or malware being secretly planted on your device. Or, if the link takes you to a website that appears legitimate but is actually a scam, you could be risking financial loss or identity theft by entering your login credentials or personal information.

How to protect yourself against quishing

The FTC offers some tips on how to avoid being scammed by malicious QR codes:

• • Inspect the URL before tapping to open it. If you don’t recognize the URL, know that you could be linking to a scam site. Even if the URL appears to belong to a company or organization you know, check carefully for misspellings or other suspicious errors within the URL.
• • If you receive an unexpected text or email containing a QR code—particularly one urging you to act immediately—don’t scan it at all. Even if you believe the message is legitimate, contact the company directly via their verified website or phone number.
• • Keep your devices’ operating systems up to date with the latest security fixes, and use strong passwords and multi-factor authentication on all your online accounts.

Beyond the FTC’s advice on QR codes, it’s important to stay protected in all phases of your digital life. Consider identity and privacy coverage like IDX’s Complete Plan, which offers advanced tools and services to guard against a full range of cyberthreats, and to minimize any damage caused by data breaches.