Don’t get scammed by fake QR codes

Countries like China have been obsessed with QR codes for a while now—an obsession that pre-dates the pandemic. But the US is catching on. We’ve seen a recent uptick in uptake as businesses have looked to strategies that would reduce person-to-person contact. Shops and food trucks have started posting QR codes linking to online menus or even Venmo accounts. But as helpful as they can be in some cases, they come with certain risks. 

QR codes found in public places are transporting more and more people to fraudulent websites run by scammers. The latest trend in this rising new form of financial crime is centered around pay-to-park meters. 

Early in January, the Austin Police department issued an announcement warning residents that “fraudulent QR code stickers were discovered on City of Austin public parking meters. People attempting to pay for parking using those QR codes may have been directed to a fraudulent website and made a payment.” 

Those QR codes—that stands for “quick response,” by the way—are ubiquitous these days. The small 2D square mazes of black and white pixels can carry up to 4 kilobytes of data (around 4,000 characters). They were invented in the 1990s in Japan by Toyota subsidiary Denso Wave to track parts and components during the vehicle manufacturing process. Since then, variants of QR codes have circulated around the world. In these QR codes, “you can embed anything you want. People have put in music files, images, all kinds of things,” says Jason Hong, a professor of computer science at Carnegie Mellon University. “But the most common is a web address.” 

WiFi boxes, instruction manuals, and even lightbulbs can come with a QR code for easy access. “They have them anywhere you need to look up instructions or find some app,” Hong says. 

They’ve actually had slow growth, despite being around for a while. When smartphones blew up, they became more popular. “It used to be the case that you had to download a special app that would use your camera to read these things,” Hong says, but now, most smartphones have built-in software that will translate the camera scan into a link that will load through the web browser. 

[Related: Can smartphone apps track COVID-19 without violating your privacy?]

Yet, Carnegie Mellon computer scientists noted that QR code phishing scams could pose a problem for smartphone users as far back as 2012.

“People have known for a long time that the problem with QR codes is that they’re lacking ‘mutual authentication,’” says Hong, which means that there’s no way to tell if the data or link associated with the QR code is bad, or legitimate. He compares it to seeing a business card someone dropped on the ground that has a web address: “You have no idea where it will take you to.” 

But in most cases, like with instruction manuals or menus, this probably won’t be an issue. “There’s no sensitive data that they would retrieve from you, there’s also no easy way for a scammer to get their QR code onto the instruction manual,” Hong says. 

However, scammers are getting more inventive in how they trick their marks into clicking on bad links. And they’re opportunistic when it comes to low effort, high reward scores. 

It’s very easy to generate a QR code and create a fake website that looks legitimate, says Hong. And since anybody can place a sticker anywhere, scammers can purposefully choose a location that’s convenient for intercepting information. In the parking payment scam, these QR code stickers were planted on top of the parking meters.  

[Related: QR codes are everywhere now. Here’s how to use them.]

The QR code allows criminals to cut a step out of the classic phishing website scam, “because you don’t have to type in the web address yourself,” Hong says.  

“For generic QR codes [that go through smartphone cameras], there’s no way to verify, but the city of Pittsburgh, where I’m at right now, there’s a parking app that you can use,” says Hong. “These apps can check the QR codes… and if it’s not one of the 2,000 codes that it already knows that exists, it can say it’s a fake one. But there’s no way to do that without additional context about what’s legitimate and what’s not.” 

His advice for avoiding these types of scams is to not scan random QR codes that are plastered in open spaces around town—especially those that ask for sensitive personal information or payment. If you do have to offer this type of information, it’s best to go through official city, government, or institutional websites and their approved apps whenever you can.