Fake QR Code Scams (Quishing)

Scammers can create deceptive QR or Quick Response codes that lead to malicious websites, phishing attempts, or unauthorized transactions.  Also known as quishing, t his scam can be difficult to detect because the normal cues for identifying malicious websites are missing from the QR code’s abstract pattern.  Fake QR codes can lure victims to phishing websites that steal personal information, such as login credentials or financial data. Scammers may trick you into downloading malware or viruses by redirecting you to malicious websites through QR codes.

 

Signs of a Fake QR Code

• QR codes applied as stickers on top of the original QR code for a poster or handout.
• QR codes in unexpected or unusual locations, such as on public walls, random flyers, or unsolicited emails or messages. 
• QR codes that ask for sensitive information, such as login credentials, payment details, or personal data. Legitimate QR codes usually do not require such actions.

Prevention Tips

• Only scan QR codes from trusted sources or those you expect to encounter in legitimate settings, such as reputable businesses or official marketing materials.

• Avoid entering sensitive information when prompted by QR codes unless you are confident in the source’s legitimacy. 

• If you suspect a fraudulent QR code has led you to a malicious website, disconnect from the internet or turn off your device's Wi-Fi and mobile data to prevent further unauthorized access or malware downloads.

• Install and run reputable antivirus or anti-malware software on your device to detect and remove any potential threats.

• If you entered login credentials or personal information through a fake QR code, immediately change the passwords for the affected accounts and monitor your financial and online accounts for any suspicious activity. Notify your financial institutions promptly of these activities.  See Identity Theft for additional measures. 
• Implement multifactor authentication (MFA) for those accounts.  See  https://www.cisa.gov/MFA for more about MFA.  See Cybercrime Prevention for more about securing your devices. 
• Report the fake QR code to the business establishments where you encountered it and to the organizations it was posing as. 

• You can report internet crimes, including scams, to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/ . This will assist in FBI investigations and help prevent others from falling victim to this scam.

References:

• Bruneau, G. (2023, December 6). Revealing the Hidden Risks of QR Codes [Guest Diary]. SANS Internet Storm Center. https://isc.sans.edu/diary/Revealing+the+Hidden+Risks+of+QR+Codes+Guest+Diary/30458/
• Washington Post. (2021, October 7). Are QR codes safe? Retrieved December 21, 2023, from https://www.washingtonpost.com/technology/2021/10/07/are-qr-codes-safe/
• Microsoft. (2023, July 15). Five common QR code scams. Retrieved December 21, 2023, from https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/five-common-qr-code-scams
• Kaspersky. (n.d.). What is a QR code and how to scan it. Retrieved December 21, 2023, from https://usa.kaspersky.com/resource-center/definitions/what-is-a-qr-code-how-to-scan
• Solomon, M. D. (2023, December 11). Phishing, Smishing, Vishing, and Now QUISHING? The Cyber Actor’s Next Attack Vector. International Association of Financial Crimes Investigators, https://www.iafci.org/app_themes/docs/News%20Article/QR%20Quishing%20Article.12.11.2023.pdf