QR Code Scams

QR Codes - Do You Know The Risks?


We've all come to accept and trust QR codes, but how safe are they? Quick response (QR) codes are small white squares with two-dimensional (2D) black markings, similar in look to a barcode. QR codes contain information that can be read by your device through the camera lens. They are used in a variety of different ways, like scanning to see a restaurant menu, or scanning to reach a website for additional information.

There are three main types of user activities related to QR codes: 
1. Consuming. Users scan a QR code in order to read or review something like a restaurant menu or other documents. This is the most common activity. 
2. Sharing. Users present their 2D code to have their information verified, like an airline boarding pass or lottery tickets. This is becoming common practice. 
3. Generating. Not as common but may occur if an application requires a code to perform an action, such as pairing a smart watch to a smart phone. 
 
Once scanned, the decoded text of the QR code can trigger actions such as: 
  • Opening a website 
  • Downloading an app 
  • Joining a Wi-Fi network 
  • Verifying information 
  • Creating a contact 
  • Sending an email or message 
  • Dialing a phone number 
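
The mapping from decoded text to action can be checked before anything is launched. The following is an added example, not part of the original article: a Python sketch that classifies a decoded QR payload into one of the actions listed above and flags URL traits worth a second look. The prefix table, function names, warning wording and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefix -> action from the list above. Prefixes are common QR
# conventions chosen for this example, not an exhaustive registry.
PREFIXES = [
    ("wifi:", "join Wi-Fi network"),
    ("mailto:", "send email"),
    ("matmsg:", "send email"),
    ("smsto:", "send message"),
    ("sms:", "send message"),
    ("tel:", "dial phone number"),
    ("mecard:", "create contact"),
    ("begin:vcard", "create contact"),
    ("market:", "download app"),
]

def url_warnings(url):
    """Cheap checks on a decoded URL; a clean result does not prove the site is safe."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["malformed URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' is not the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname (possible look-alike)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    return warnings

def classify(payload):
    """Return (action, warnings) for decoded QR text without performing the action."""
    text = payload.strip()
    low = text.lower()
    for prefix, action in PREFIXES:
        if low.startswith(prefix):
            return action, []
    if low.startswith(("http://", "https://")):
        return "open website", url_warnings(text)
    return "show text only", []
```

A scanner that shows the returned action and warnings, then waits for confirmation, never runs the QR code action automatically.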

Are QR codes risky? 

QR codes can contain personal information. They can also execute an action, such as opening a fillable PDF or online form, that prompts you to enter personal information. Once this information has been entered, scanning the QR code will display the stored information on your device. Some online forms also create a QR code once completed. 

By scanning a QR code, you could be susceptible to the following risks: 
  • Tracking of your online activity by websites using cookies, meaning your data can be collected and used for marketing purposes without your consent.
  • Collecting metadata associated with you, such as the type of device you used to scan the code, your IP address, location and the information you enter while on the site.
  • Exposing financial data, such as your credit card number, if you used it to purchase goods or services on the website.
The actions the QR code performs can also pose risks, such as allowing scammers to leverage QR codes to infect devices with malware, steal personal information, or conduct phishing scams.

Scammers can gain unauthorized access to a system with a QR code.

Examples include:
Cloning: Fraudsters clone an authentic QR code that redirects you to a malicious site or infects your device with malware to extract your personal data when you scan it. 

Leveraging: Fraudsters use QR codes for phishing and malware attacks. Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials, credit-card data, or corporate logins, or to sites that automatically download malicious software onto mobile devices.

Advertising: Fraudsters place malicious QR codes in public areas with the hopes that people passing by will scan them. 

Quishing: Fraudsters can use a QR code inside a phishing email, or to direct the user to a phishing website which prompts the user to disclose personal information. 

Scanner apps: Fraudsters can use third-party scanner apps to spread malware and gain access to some privacy settings on your mobile device, such as viewing your network connections or modifying the contents of your USB storage. You should use the camera built into your device or a secure code reader application to scan QR codes.

Reducing the risks of using QR codes 

While QR codes aren't inherently dangerous, they're easy to make and therefore easy for scammers to manipulate. 
Follow these tips to protect your information: 
  • Use private browsing mode on your devices and consider using a browser with anti-tracking features. 
  • Be suspicious and carefully verify the website URL if a password or login information is requested after scanning a QR code. 
  • Check browser settings to deactivate cookies and storage of site data. Provide the minimum amount of personal information requested when completing online forms. 
  • Ask for the company’s privacy policy if you’re scanning their code to check in or access a service. 
  • Report suspected fraud or cyber incidents to your local police department, the Canadian Anti-Fraud Centre, or the Cyber Centre. 
How to protect your devices: 
  • Configure your device to ask permission and verification before launching the QR code action. 
  • Close your web browser if the QR code you scanned opened a suspicious site. 
  • Turn on automatic updates for your devices. 
Actions to avoid:
  • Authorizing your devices to automatically execute the QR code action. 
  • Scanning a QR code posted in a public setting, such as in a public transit station or advertisements on the street. 
  • Scanning a QR code if it is printed on a label that could be covering another QR code. Ask a staff member to verify its legitimacy first. The business might simply have updated their original QR code. 
  • Scanning QR codes received in emails or text messages unless you know they are legitimate. 
  • Using QR scanner apps that are released by unknown companies or institutions. 
  • Putting convenience before security. Type in a website URL to view content, such as an online restaurant menu, instead of scanning a QR code.
