QR Codes made a huge comeback during the 2020 pandemic when touchless tech became a necessity.
And ever since, they’ve been everywhere, so popular and intertwined in our daily lives that we hardly think twice before scanning one.
But not all QR codes are safe.
Hidden among the legit ones are fake QR codes designed to trick you into visiting malicious sites or sharing your personal information.
It’s important to know which QR Codes you should scan and how to separate these from the fake ones.
In this article, we will help you understand the consequences of scanning a fake QR Code, how to identify and avoid it, and what steps to take if you accidentally scan a fake one.
Are there fake QR Codes?
Yes, fake QR codes do exist.
These are “fake” in the sense that they are designed to deceive. While they look like legitimate ones, these are created to trick users into visiting malicious websites, downloading harmful software, or stealing personal and financial information.
QR Codes have started appearing on everything from restaurant menus to payment portals. Scammers have seized the opportunity to take advantage of this technology for their dirty purposes.
QR code scams have become so popular that a new term, “quishing,” has emerged to describe them. In fact, 22% of phishing attacks in the first weeks of October 2023 involved fake QR codes.
What happens if I scan a fake QR Code?
Scanning a fake QR code can have serious consequences. Understanding these can help you take the right steps to protect yourself if it happens.
Financial fraud
When you scan a fake QR code, you may be directed to fraudulent websites designed to trick you into making payments or sharing sensitive financial information.
Scammers across some areas of the USA are replacing legitimate parking meter payment codes with fake ones. Such QR Codes lead you to a site that asks for your credit card or bank details as you pay the parking fee.
In some cases, they might promise cashback or discounts to lure you into entering your payment information, or you could be misled into sending funds to a fraudulent crypto wallet. Once you submit your payment information, the scammers can use it for unauthorized transactions or even drain your accounts.
Data theft
Not only your financial data but also your personal details can be stolen when you scan a fake QR code.
Scammers can steal sensitive information, such as login credentials, personal details, device data, or even your physical location, and use it for identity theft, phishing, or further fraud. Some fake QR codes might also give hackers remote access to your device.
This allows them to view your contacts, messages, files, photos, and passwords, and may even activate your camera or microphone without your consent.
Malware/viruses
Scanning a fake QR code can trigger the automatic download and installation of malware onto your device.
This happens quickly and often without any visible signs. Once installed, this malware can take various forms. Ransomware might encrypt your files, demanding payment for their release. Spyware could monitor your activities, stealing passwords and personal information over time.
Some malware turns your device into part of a botnet, using it for crypto mining or to launch attacks on other devices. In severe cases, the malware might even make your device unusable.
How to identify a fake QR Code?
Not sure if the QR Code you’re scanning is legit or fake? Watch out for these red flags in a QR Code to spot the fake one.
#1 Suspicious URL/destination page
After scanning the QR code, if the URL looks strange, unrelated to the service, contains misspellings of well-known brands, or uses odd domains (like “.xyz” or “.info”), it’s a red flag. Also, if the destination page has spelling errors, awkward wording, or inaccurate design elements, that’s another warning sign.
Always check the URL before proceeding. Legitimate websites will typically have a secure site address, and the destination should match the service or business you expected. If possible, preview the URL before clicking, and enable safe search to avoid landing on unsecured sites.
#2 Looks physically tampered
Take a moment to inspect the physical appearance of the QR code. Avoid scanning it if it looks like it has been tampered with: a sticker placed over the original code, visible glue residue around the edges, misaligned edges, or differences in print quality between the QR code and surrounding materials.
Scammers often cover genuine QR codes with fake codes, especially on public signs, posters, or kiosks.
#3 Lack of official branding and design
Businesses, banks, or services will invest in making their QR Codes and other materials look professional and branded. Always check for accurate branding around the code, such as a company logo, slogan, or related design or color schemes. A plain, standalone QR code with no context or branding is suspicious. Trust your instincts: if something feels off, it probably is.
#4 Unusual location
If you find a QR code in an odd or unexpected place like on a random wall, a street corner, or even taped to a parking meter, it’s best to verify its purpose with the source before scanning. Scammers often place fake codes in locations where you’re less likely to verify their reliability, like in high-traffic areas or places where people are in a rush.
Moreover, legit QR Codes are usually found in logical locations related to their purpose: on product packaging, at store checkouts, or in official marketing materials.
#5 Typos or unusual fonts
If the instructions around the QR code contain spelling, language, or grammatical errors, or if the text is written in unusual fonts, it’s a warning sign. This indicates that the QR code was likely not created by the entity it claims to represent. Professional companies rarely make such errors in their official communications.
When in doubt, compare the text to official websites or materials from the company to check for consistency and accuracy.
How to avoid fake QR Codes and safeguard yourself?
Here are a few practical tips to protect yourself against fake QR Codes.
1. Verify the source/placement of the QR Code
Before scanning any QR code, take a moment to verify its source and placement. Check for contextual clues. Does it look like it belongs in that location? Is its branding accurate?
Avoid scanning QR codes on flyers, emails, or messages from unknown sources, especially those promising deals that seem too good to be true. If a physical QR code appears tampered with or out of place, it’s best to avoid scanning it.
If you’re unsure, contact the supposed source directly through their official channels to confirm the code’s legitimacy.
2. Use a secure QR Code reader
Always use a secure QR code reader for scanning. Your phone’s built-in camera is often the most secure option.
If you do need a third-party app, choose one from a reputable developer with high ratings and many downloads. Avoid apps from unknown developers, as they may not have a high level of security and could expose you to risks. Ensure your chosen reader doesn’t automatically open links or download files without confirmation.
3. Keep your device and its security updated
Regularly update your device’s operating system and security to ensure you have the latest protection against potential threats. Updates often include patches for vulnerabilities that hackers may exploit. Turn on automatic updates, so you don’t miss out on important security fixes.
Consider installing antivirus software that can scan for threats. Run system scans, especially after scanning unfamiliar QR codes.
4. Check for ‘https’ before sharing any info
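Before entering any personal information after scanning a QR code, ensure the URL starts with “https://” rather than just “http://”. The “s” indicates that the connection to the site is encrypted, which protects your data in transit. Scam sites can use https too, so treat it as a minimum requirement, not as proof that the site is legitimate.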
Also, look for a padlock icon in the address bar as another sign of security. If these indicators are missing, do not share any sensitive information and exit the site.
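The URL checks from red flag #1 (Suspicious URL/destination page) and tip 4 (Check for ‘https’) can be applied to the decoded link before opening it. The following is an added example, not part of the original article: the function names, the example-parking.com domain, and the 0.8 similarity threshold are assumptions, and the checks for a username before “@” and for punycode hosts go beyond the red flags the article lists.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# TLDs the article gives as examples of odd domains; extend per local policy.
ODD_TLDS = {"xyz", "info"}
LOOKALIKE_RATIO = 0.8  # assumed similarity threshold for a "misspelled brand"

def registrable(host: str) -> str:
    """Last two labels of the host (simplified: ignores suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])

def triage_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return red flags for a decoded QR payload; an empty list means none found."""
    flags = []
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower().rstrip(".")
    if url.scheme.lower() != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if url.username is not None:
        flags.append("userinfo-in-url")  # text before '@' can imitate a trusted host
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as look-alike characters
    if host.rsplit(".", 1)[-1] in ODD_TLDS:
        flags.append("odd-tld")
    expected = expected_domain.lower()
    domain = registrable(host)
    if domain != expected:
        flags.append("unexpected-domain")
        # A near-identical name suggests a misspelling of the expected brand.
        name, want = domain.split(".")[0], expected.split(".")[0]
        if SequenceMatcher(None, name, want).ratio() >= LOOKALIKE_RATIO:
            flags.append("lookalike-of-expected")
    return flags

# Constructed sample payloads (not real sites) for a parking-meter code.
SAMPLES = [
    "https://pay.example-parking.com/meter/42",
    "http://example-parking.com/pay",
    "https://examp1e-parking.com/pay",
    "https://example-parking.com@pay-meter.xyz/login",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_url(s, "example-parking.com") or "no flags")
```

An empty result only means none of these checks fired; it does not establish that the destination is legitimate.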
5. Use a secure QR Code generator
If you’re creating your own QR codes, use a trusted and secure QR code generator like Uniqode, The QR Code Generator. Avoid unknown ones that may compromise your data. Look for generators that offer security features such as password protection, expiry, SSO, and GDPR compliance.
Keep customization and tracking features in mind as well. Such generators are typically more trustworthy than generic ones.
6. Don’t do any unexpected downloads
If a scanned QR code directs you to a site that prompts you to download an app/file, exit immediately and delete any files that may have already been downloaded.
Only download apps from trusted sources like the official app store for your device. Legit QR Codes typically lead to websites or app stores rather than directly downloading files. If a QR code claims to offer an app, manually search for it in your device’s app store instead.
7. Enable two-factor authentication (2FA) for sensitive apps
For added security, enable two-factor authentication (2FA) on any sensitive apps, such as banking, email, or payment apps.
This adds an extra layer of protection by requiring you to verify your identity through a second method (like text message, authenticator app, or call) before accessing your account. Even if someone gains access to your login credentials through a fake QR code, they won’t be able to access your accounts without this additional verification step.
What to do if I’ve scanned a fake QR Code?
If you’ve accidentally scanned a fake QR code, don’t panic. While you can’t undo the scan, there are immediate actions you can take to protect your data and limit potential damage.
1. Close the website/app immediately
As soon as you suspect you’ve scanned a fake QR code, exit the website/app immediately. Don’t interact with anything on the site, including any buttons or links, even the ones labeled “Close” or “Exit.” This will help prevent further exposure to potential scams or malware. If possible, clear your browsing history and cache to remove any lingering traces.
2. Disconnect from the internet
Immediately disconnect your device from the internet (Wi-Fi or mobile data). This can help halt any fraudulent payments in progress and prevent any malicious software from communicating or downloading harmful content onto your device.
3. Report the incident
It’s important to report the incident to the relevant authorities. Contact your bank immediately if you entered any financial information or made a transaction. They can monitor your account for suspicious activity and may even temporarily block it for safety.
Also, consider reporting the scam to local authorities or the cybercrime unit to minimize the damage and help protect others from falling victim to similar scams.
4. Run a security scan
Run a full security scan on your device using trusted antivirus software. This will help detect any potential threats or malicious software that may have been downloaded after scanning the QR Code. Ensure your device’s antivirus software and security patches are up to date for maximum protection.
5. Change passwords and monitor your accounts
As an extra precaution, change any passwords that might be compromised, starting with financial or email accounts. Use strong, unique passwords and enable two-factor authentication wherever possible. Keep a close eye on your bank statements and accounts for unusual activity, and report any unauthorized transactions right away.
Think twice before you scan the next QR code
While QR codes offer convenience, they can also pose a danger if you’re not careful. Always look for telltale signs to identify if a QR code is fake before scanning. When in doubt, it’s best to avoid them altogether.
If you accidentally scan a fake QR code, immediately close the app or site, disconnect from the internet, and change any necessary passwords. Don’t forget to run a security scan and report the incident to help protect others.
If you’re a business owner looking to keep your customers safe from scams, create QR codes using Uniqode. It is GDPR-compliant and offers enterprise-level security features, including custom domains, Single Sign-On (SSO), user management, password protection, age-gated content, and more.