QR Codes Now Take 20% of All Online Scams

As digital scams continue to evolve, QR codes have emerged as a new gateway for cybercrime, often leading unsuspecting victims into dangerous traps. Known as “quishing,” these scams involve fraudsters tricking individuals into scanning fake QR codes, which then redirect them to fraudulent websites or malicious applications designed to steal sensitive information.

In an interview with PYMNTS, Greg Hancell, fraud expert at Lynx Tech, offered advice to consumers about this growing threat.

“QR code scams are different from other cybercrimes as they are harder to identify,” Hancell said. “QR codes cannot be read by humans, meaning victims cannot know the link destination until it is too late. Many individuals now have an awareness of how to identify phishing or smishing scams, however, as QR codes are relatively new — now accounting for more than 20% of all online scams — victims are more susceptible.”

Where Fraudsters Hit

Scammers typically exploit this vulnerability by replacing legitimate QR codes with fraudulent ones, Hancell said, tricking individuals into scanning them and unwittingly sharing sensitive data. Common scenarios where these scams occur include everyday activities such as paying for parking or ordering at a restaurant. In these cases, fraudsters place counterfeit QR codes in public spaces, leading unsuspecting victims to malicious websites designed to steal personal details, payment information, and login credentials.

“Replacing authentic QR codes with false ones is the most common way scammers trick individuals into providing sensitive information,” Hancell said.

To avoid falling victim to these scams, Hancell said it’s important to know how to spot the red flags of a fake or manipulated QR code.

“One telltale sign is that physical tampering with QR codes is often visible — look for signs of stickers placed on original codes, as well as codes that appear damaged or partially covered,” he said. “The quality of the code itself can also indicate fraud. It’s also important to use general awareness and consider context, alongside visual indicators. If a QR code appears in an unusual location, for example, or is paired with pressuring messaging like ‘Scan immediately to avoid fees,’ that’s a red flag.”

While machine learning and artificial intelligence can help detect and prevent financial fraud, Hancell said, it’s important for consumers to safeguard their devices when scanning QR codes.

“What they can stop is life-changing amounts of money from leaving victims’ bank accounts,” Hancell said. “Using daily adaptive AI models, financial institutions can detect the latest fraudulent techniques and identify illicit transactions leaving victims’ bank accounts with a high success rate. This means if an individual does fall victim to a QR code scam, they are financially protected by their bank, which has access to the data that can identify unusual and fraudulent activity.”

How to Safeguard

Given the rise in QR code scams, it’s crucial for consumers to take proactive steps to protect themselves.

“To ensure safety when scanning QR codes, individuals need to verify the source of the code,” Hancell said. “It’s crucial to ask: Is the QR code from an official website or establishment? Does it look tampered with?

“Once verified, consumers should check the URL before proceeding to ensure it leads to a legitimate and secure site. Using tools like VirusTotal to scan the URL can also help identify potential threats. If the code leads to a payment gateway, consumers should cross-check the website’s authenticity using a service that verifies domain registration and duration. Websites with newly registered domains or those that seem suspicious should be avoided.”
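The URL and domain-age checks described above can be automated before a scanner app opens a link. The following is an added example, not part of the interview or any vendor's tooling. The function name, the 180-day threshold, and the `.example` hosts are assumptions, and the registration date is expected to come from a separate WHOIS/RDAP lookup.

```python
from datetime import date
from urllib.parse import urlsplit
import ipaddress

# Assumed cut-off for "newly registered"; the article gives no number.
MIN_DOMAIN_AGE_DAYS = 180


def qr_url_red_flags(payload, expected_host, registered_on, today):
    """Return red flags for a URL decoded from a QR code.

    expected_host: host the official establishment publishes.
    registered_on: domain creation date from a WHOIS/RDAP lookup done
                   elsewhere, or None when it could not be determined.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    # Text before '@' is only a login name, but it can mimic a trusted host.
    if parts.username or parts.password:
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    # Punycode labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    # Exact match or true subdomain only; a shared prefix does not count.
    if host != expected_host and not host.endswith("." + expected_host):
        flags.append("unexpected-host")
    if registered_on is None:
        flags.append("domain-age-unknown")
    elif (today - registered_on).days < MIN_DOMAIN_AGE_DAYS:
        flags.append("newly-registered-domain")
    return flags
```

An empty list means none of these checks fired, not that the site is safe; a reputation lookup such as the VirusTotal scan mentioned above remains a separate step.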

While personal precautions are vital, businesses also have an important role to play in educating their customers and minimizing the risks associated with QR code scams, Hancell said.

According to the PYMNTS report, “Navigating Big Retail’s Digital Shift: The New Payments Strategy Evolution,” in collaboration with ACI Worldwide, 25% of merchants in the United States are adding or planning to offer QR payments in the next three years. The figure increases to about 28% of U.K.-based merchants. This trend, the report adds, reflects consumer demand for QR codes in omnichannel shopping experiences. More than 80% of retailers believe offering QR code scanning for product-level information is key to driving customer loyalty.

“I would urge organizations to reconsider relying solely on QR codes for payment processing due to the high level of risk involved,” Hancell said. “QR codes often lack adequate protection against tampering, making it difficult for businesses to monitor them consistently.

“As a result, offering a variety of payment options is essential, as it allows consumers to choose safer alternatives and reduces their vulnerability to fraud. One way businesses can enhance QR code security is by using more advanced, encrypted codes, such as Cronto’s color QR codes, which ensure that only the intended device can read the code. Financial institutions should consider adopting such technology to offer more secure and tamper-resistant payment methods, further protecting their customers from fraud.”