- Because they’re often used in public places, QR codes pose a noteworthy fraud risk.
- Fraudulent QR codes take you to an illegitimate website designed to con you into providing payment or sensitive information.
- You can avoid QR code scams by using a critical eye to assess both the physical QR code and the destination website.
Though the technology has been around for quite some time, QR codes (short for “quick response codes”) didn’t gain a serious foothold in the U.S. until the COVID-19 pandemic.
An ever-increasing focus on cleanliness saw businesses embrace these two-dimensional, scannable codes as hotel check-in devices, restaurant menu access points and gateways to parking lot payment portals — along with innumerable other applications.
The premise is simple: You scan the QR code with your phone, and the code sends you to a website where you can either perform an action or access multimedia content.
But despite its convenience and flexibility, QR technology comes with one key worry: Codes placed in public spaces pose a security threat to the money and private information of the general public. That’s where Qishing, a scam based on the use of fraudulent QR codes, enters the picture.
Qishing: QR code fraud explained
The word “Qishing” is a play on “phishing,” a scam in which fraudsters use email to get sensitive information from unsuspecting victims.
QR code scams work similarly. A legitimate QR code is replaced with a fraudulent code that directs the user to a scam website. Here, the user is typically prompted to provide either sensitive information (like payment details) or some sort of actual payment.
Take, for example, a streak of QR fraud in Austin and San Antonio, Texas. A parking meter seems like a fairly logical place to find a QR code, but the codes ended up being a trap designed to collect payment details.
How to protect yourself from QR code scams
As with most modern scams, knowledge and vigilance are essential in protecting your money and information. The more thoroughly you understand how fraudulent QR code scams work, the easier you should find it to avoid them. Sticking to the following steps should provide a solid safeguard.
1. Examine the QR code itself.
Before scanning a QR code, inspect it closely to determine whether it’s been tampered with. If the code seems like it was glued (or attached via some other means) over something else, and not printed as part of a larger document or sign, it may warrant greater caution.
And, on that note, adjust your QR code use based on the environment. A QR code in an outdoor, public space — like the fraudulent parking meter codes in Texas — is likely easier to tamper with than one printed on a restaurant menu.
Still, it’s best practice to scan with caution regardless of where you are.
2. Check the URL for misspellings and other errors.
Scanning a QR code often generates a preview of the destination URL on the camera or scanning app that’s being used.
Before opening the link, take a close look at this preview for red flags like misspelled words. Also look for terms relevant to the context: If you’re in a restaurant, for example, the restaurant’s name and words like “menu” should likely appear in the URL.
3. Ensure the destination website seems legitimate.
Scammers often try to make fraudulent websites appear as legitimate as possible. That means a QR code might lead you to a website that seems more legitimate than it actually is. Be wary of this and keep an eye out for warning signs like glaring design issues, incorrect logos and poor spelling and grammar.
Likewise, if the landing page directs you to something that immediately requests payment or sensitive information, avoid following any of these prompts until you’re confident you’re in the right place.
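The URL review from step 2 can also be automated by anyone who handles scanned links, for example in a scanning app or a help-desk triage script. The following is an added example, not part of the original article: the function names, flag names, the edit-distance threshold of 2 and the domain `cityparking.example` are all assumptions made for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_qr_url(url, expected_domain, context_terms=()):
    """Return a list of red flags for a URL decoded from a QR code."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:
        flags.append("userinfo-in-url")  # text before '@' can imitate a trusted name
    if is_ip_literal(host):
        flags.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as look-alike characters
    if not (host == expected or host.endswith("." + expected)):
        flags.append("unexpected-domain")
        # Compare the host's trailing labels with the expected domain (assumed threshold: 2 edits)
        tail = ".".join(host.split(".")[-expected.count(".") - 1:])
        if 0 < edit_distance(tail, expected) <= 2:
            flags.append("lookalike-of-expected")
    text = host + parts.path.lower()
    if context_terms and not any(t.lower() in text for t in context_terms):
        flags.append("no-context-term")  # step 2: relevant words should appear in the URL
    return flags

if __name__ == "__main__":
    # Constructed sample: a misspelled copy of the expected (hypothetical) parking domain
    print(review_qr_url("http://cityparkng.example/pay", "cityparking.example", ("parking", "meter")))
```

An empty result means none of these checks fired, not that the site is safe; the page-level review in step 3 still applies.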
Avoid scams with help from First Republic
With QR codes now a part of everyday life for many, it’s important to approach them with the same caution you’d approach any modern technology where scams pose a threat. The best defense combines vigilance with a critical eye and a thorough understanding of how scams work.
First Republic Bank has a dedicated Cyber Advisory Services Team with Information Security to continue promoting Cybersecurity Awareness. Through this dedication, we offer complimentary cyber services, such as our Internet Security Health Check and Cybersecurity Awareness Session. If you think you’re a victim of Qishing, this is one way to take action. For help, users can contact firstname.lastname@example.org.