August 4



    Cybercriminals are exploiting the growing popularity of QR codes, using them to trick people and gain access to their login details and personal information. They do this by hacking, scamming, or causing malware infections on their phones and other devices.

    What is a QR code? 

    A QR code, also known as a Quick Response Code, is a type of barcode that stores information in a quick-response format. A smartphone can read the data in a QR code using its camera, making storing and accessing information convenient. To use it, point your smartphone's camera at a QR code, and it will automatically direct you to a website. 

    In the 1960s, when Japan's economy entered a period of high economic growth, there was an increased demand for various goods. Denso Wave, a Japanese auto manufacturing company, invented the QR code. Initially, QR codes enabled high-speed scanning and tracking of components during the assembly process. 

    What is QR code Scamming / QR Jacking? 

    Since the pandemic, QR codes have become a popular way for smartphone users to share contact information, access restaurant menus, and much more. But scammers have found ways to socially engineer ‘fake’ QR codes that manipulate victims into sharing personal information and bank details.

    How does the QR code scam work? 

    Scammers place a fake QR code over a real one to trick people into giving away their information. They achieve this by having the ‘fake’ QR code send the user to a malicious URL that will use phishing and social engineering strategies in an attempt to exploit unaware visitors. 

    For example, a fake QR code can be put on a parking meter or charging point. Unsuspecting victims use the code to access what is presumed to be a genuine website for payment purposes. However, although the website may look authentic, scammers set it up. When victims enter their bank details to make a payment, the scammer quickly extracts this information and steals money from the victim's bank account. 

    QR code scam: A list of reflective case studies 

    In this article, we have listed various QR code scams from all over the world. We hope that from reading these reflective case studies, you will be more cautious about what you scan. We will also be sharing some great QR code safety tips to hopefully help increase your human firewall.

    Bubble milk tea QR code survey scam 

    A 60-year-old lady from Singapore lost $20,000 to an online scam after visiting a bubble tea shop. The woman was enticed by a sticker on the bubble tea shop's glass door, which encouraged visitors to scan a QR code and fill out a survey for a "free cup of milk tea."  

    This may not seem like a scam to most people, even tech-savvy people, because loyalty and rewards programs often advertise such offers and use QR codes to promote them. According to Straits Times, when the woman went to bed later that night, her phone lit up with a notification from the bogus "survey" app. The app had extracted $20,000 from her bank account.

    Further investigation showed that she is not the only victim of the QR scam. In April 2023, the police and the Cyber Security Agency of Singapore warned the public about downloading apps from suspicious sites.

    Netflix QR code scam 

    A scam QR code that says, "You have won 2 years subscription to Netflix" was recently discovered. Cyber criminals use QR codes to steal personal and financial information from unsuspecting users or redirect them to malicious content and scam sites.  

    Cyber criminals use logos and other official brand features to make their scams appear legitimate. In this case, the scammers use the Netflix brand and its logo. It's important to note that Netflix has nothing to do with this scam.

    In an attempt to convince people to scan a malicious QR code, scammers are using the offer of a free two-year subscription to Netflix as bait. When a user scans a malicious QR code, they'll be redirected to a malicious URL that checks whether the request is coming from a mobile device, such as a tablet or smartphone. If the validation passes, the website obtains geolocation data for the victim's IP address and then redirects them according to their country. If validation fails, they are redirected to a page which displays an error message.

    Parking ticket QR scam 

    In the U.S. and U.K., scammers have used QR codes to manipulate their victims into paying them money. In San Francisco, fake parking tickets with QR codes on them were found on drivers' windshields; these links led people to fraudulent web pages where they were asked to enter their credit card information. 

    Martha Gale, who fell victim to a QR code scam, claims she received a large delivery of products she did not order the morning after her daughter parked in downtown Lafayette - US. According to Yahoo News, the woman got a $788 shopping charge after her daughter used a QR code to pay for parking. It appears that the QR code was not actually for the parking lot but a scam.

    In Atlanta - US, a motorist recently had money taken from their bank account after trying to pay for parking using a false QR code stuck to the machine. Cyber criminals were caught putting QR codes on parking meters that directed their victims to a fake website to pay fines. In the U.K., local governments have warned residents about parking meters with false QR codes that direct drivers to fake websites and capture their payment details. 

    Mosque charity box QR scam 

    In Jakarta, Indonesia, cybercriminals are taking advantage of their victims by "printing and pasting QR codes", which have recently been appearing on charity boxes at several mosques in Jakarta. Around 50 fake QR code stickers were found around the Jakarta Istiqlal mosque. The Deputy Head of the Jakarta Istiqlal Mosque Worship Organization, Abu Hurairah, said: "Some of our officers are suspicious. Why is there an inscription on the restoration of the mosque? There are about 50". The police captured the cybercriminal while he was taking action to lure other victims from the mosques in the Kebayoran Lama, Pancoran, Pondok Indah, and Kalibata areas. Despite the fact that the cybercriminal had been caught, Jakarta police officers warned everyone to always be cautious about what QR code they scan.

    Restaurant QR Code Scam 

    In an unfortunate incident near Pune railway station - India, a 50-year-old woman from Bavdhan fell victim to QR code fraud while attempting to order food from a restaurant. After finding the restaurant's contact number online, she called with the intention of getting the food delivered to her home. The person who answered the call identified himself as a restaurant employee. Subsequently, the suspect sent two QR codes to the woman, instructing her to scan them for making payments towards the food order. Trusting the individual, she complied with the request, only to lose Rs 41,000 in the process.

    The incident occurred in October 2022, and the woman lodged a complaint at Samarth police station. The Pimpri Chinchwad cyber cell verified the complaint and later transferred the case to the Hinjewadi police station, where an FIR was registered on Tuesday. 

    How to spot a fake QR code? 

    The ongoing pandemic has significantly accelerated the adoption of digital payment methods, particularly those utilising QR codes for contactless transactions. While these advancements have facilitated convenient and safe payment options, there has been a concerning rise in scams and fraudulent activities involving fake QR codes. To protect yourself and stay vigilant against such scams, here are some effective ways to identify a fake QR code and exercise caution in your transactions:  

    1. Always verify the source of a QR code before scanning it.

    The initial and crucial step is to verify the conditions and surroundings when prompted to scan a QR code. Avoid scanning publicly available QR codes, as they are susceptible to modification by fraudsters. When making payments at cafes or restaurants that accept QR codes, be sure to request a secure link or utilise a dedicated banking app for transactions.

    2. Check for QR Code Authenticity 

    To distinguish between a fake and genuine QR Code, it's essential to understand the various types of QR Codes in the digital world. Always avoid scanning tampered QR codes that appear distorted or damaged. If you're interested in delving into QR Code technicalities, refer to this comprehensive guide to learn more and identify these codes. 

    3. Verify Redirected URL from QR Code 

    For your digital safety when scanning a QR code, always inspect the redirected URL by previewing the link obtained through scanning. Follow these simple steps to preview the link on an Android device: 

    1. Open the camera app and scan the QR code. 
    2. If unable to scan through the camera app, install a third-party QR code scanner from Google Play Store. 
    3. Carefully examine the obtained link/text. 
    4. To authenticate the page, privately search the link without providing any personal details on the page. 

    On an iPhone, you can use your phone camera to scan the QR code by following this easy guide on how to scan any QR Code. 
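
    The link check in step 3, written out as an added example (not part of the original article): a Python function that flags common warning signs in the text decoded from a QR code. The domains, sample links and shortener list are constructed for illustration, and `expected_domain` is an assumption supplied by the person checking the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Small illustrative set of shortener hosts; maintain your own list in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_url(payload, expected_domain):
    """Return a list of warnings for the text decoded from a QR code.

    expected_domain is the site the sign or sender claims to represent
    (an assumption provided by whoever is checking the code).
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    findings = []
    if parts.scheme == "http":
        findings.append("unencrypted http link")
    if "@" in parts.netloc:
        findings.append("text before '@' disguises the real host")
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike characters)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    expected = expected_domain.lower()
    if not (host == expected or host.endswith("." + expected)):
        brand = expected.split(".")[0]
        if brand in host:
            findings.append(f"'{brand}' appears in the host but the domain is not {expected}")
        else:
            findings.append(f"host {host or '?'} is not {expected}")
    return findings

if __name__ == "__main__":
    # Constructed sample links for a sign claiming to belong to parking.example.
    for link in ("https://pay.parking.example/meter/12",
                 "http://parking.example.pay-now.test/checkout",
                 "https://parking.example@203.0.113.7/pay",
                 "https://bit.ly/abc"):
        print(link, "->", inspect_qr_url(link, "parking.example") or "no warnings")
```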

    4. Avoid Scanning QR Codes from Emails 

    Many QR code scam victims have reported receiving fraudulent codes through personal email accounts. Scammers often use anonymous or temporary email accounts to send these emails with attached QR codes to avoid detection. To ensure your digital safety: 

    • Never scan any QR Code received via email or junk mail. 
    • If a friend or known associate sends you a QR code through email, request a different mode of payment or a dedicated link for enhanced security. 

    The Key Takeaways 

    We hope that this article has equipped you with the knowledge and awareness needed to shield yourselves from potential QR code-related scams. Remember, vigilance and caution are your allies in the digital world. By taking the necessary precautions and verifying QR codes' authenticity, you can thwart malicious schemes and protect your personal information.  

    At Overt Software Solutions, our commitment to cyber security extends beyond this blog post. If you're eager to bolster your online safety further, check out our popular content on "Become a Human Firewall: 12 Non-Technical Security Tips." Arm yourself with practical knowledge to fortify your digital defenses. 


    To stay up-to-date with our latest insights and cybersecurity resources, we invite you to follow us on social media and subscribe to our newsletter. Stay safe, stay informed, and let's navigate the digital world with confidence! 

