TULSA, Okla. — QR codes are everywhere — on restaurant menus, store shelves, packages delivered to your home, and even on TV shows.
Cybersecurity experts warn that scammers are now using fake QR codes to steal personal information in a scheme called "quishing."
"NordVPN said that 73% of Americans actually scan QR codes without validating whether or not the QR codes are legitimate," said Brian Ledbetter from GuidePoint Security.

Quishing, a combination of "QR" and "phishing," operates as a phishing scam. To steal your information, fraudsters replace legitimate QR codes with their own malicious ones. Their goal is to get you to scan the phony codes so they can get at your passwords and credit card information, and/or download malware onto your devices.
How quishing evolved
During COVID-19, QR codes became popular because people didn't want to touch menus or other items that others had handled.
QR codes are no longer limited to restaurant menus and in-store discounts. They're everywhere, offering easy links to websites.
Scammers exploit this familiarity by creating fake QR codes that redirect victims to malicious websites. These sites can steal login credentials, trigger malware downloads, redirect payments, or prompt users to enter credit card details on fraudulent pages.

Red flags to watch for
Several warning signs can help identify potentially dangerous QR codes:
- Unexpected QR codes in emails or text messages
- QR codes on the outside of mail or packages you receive
- Signs in stores or restaurants that look cheaply made or appear to have codes pasted over existing ones
- QR codes from unknown or unexpected sources, especially those creating urgency
"Say you go to a parking lot, and the parking lot QR code sign doesn't look like it's very good material. Let's say it's just a piece of paper flapping in the wind. Odds are it might have been tampered with," Ledbetter said.
How to protect yourself
Cybersecurity experts recommend several precautions:
- Verify the source before scanning any QR code
- Preview URLs before entering personal information
- Be cautious about providing sensitive information after scanning codes
- Enable multi-factor authentication for added security on your devices
- Look for signs of tampering in physical locations
"If you believe you've become a victim of a quishing scam, report it to the FBI's Internet Crime Complaint Center at IC3.gov. The FBI will investigate the incident on your behalf," said Ledbetter.
He also stresses contacting your financial institution immediately if you suspect your credit card information has been stolen. Most credit card companies are generous with fraud protection, and some services like Apple Pay can update compromised cards immediately without waiting for a replacement in the mail.
The bottom line: If something feels off about a QR code, don't scan it.
This story was reported on-air by a journalist and has been converted to this platform with the assistance of AI. Our editorial team verifies all reporting on all platforms for fairness and accuracy.