02-03-2025
Should You Trust That Random QR Code?
You could probably tell the difference between a real text message and one sent by a scammer. The phishing text likely has a sense of urgency, asks for payment as a gift card and might make you wrinkle your brow at some of the wording. But could you tell a fake QR code from a legitimate one?
Many of us are familiar enough with phishing scams -- where thieves impersonate a trusted sender to deliver a malicious web address -- to steer clear. But it can be significantly harder to recognize QR phishing, sometimes called Quishing or QRishing.
Unlike phishing, in which you can typically see the web address to identify its legitimacy, there's no way to easily distinguish between the QR code for a menu or a parking payment app with one that takes you to a fraudulent site with a malicious download.
The number of QR phishing attempts soared from 0.8% in 2022 to 12.4% in 2024, according to a recent Phishing Threat Trends Report from Egress.
Although you can try to avoid QR codes altogether, there are many times when we have to rely on them to pull up menus or pay for parking.
"To protect yourself from QR phishing, ensure your mobile device's security settings are up to date and use trusted security software," said Lisa Plaggemier, executive director of the National Cybersecurity Alliance.
Plaggemier also recommends that you only scan QR codes from reputable sources, whether on a physical sign, website or email. And if a QR code seems suspicious or directs you to a site requesting sensitive information, stop immediately.
QR phishing or QRishing is a cyber attack that uses QR codes linked to sites that trick users into downloading malicious content or providing sensitive information.
After the victim has downloaded the content, the attackers steal user information such as passwords, financial data and other personally identifiable information, or PII. The information can then be used to commit identity theft and financial fraud.
The trouble is, with QR codes, you may not be able to tell the difference between a malicious code and a legitimate one until you've scanned it. However, use your intuition. If you're at a gas pump and there is a random QR code beneath a questionable sticker, it's likely not worth scanning.
Always be skeptical of any QR codes you see and consider their source. Be extremely suspicious of QR codes in the following places:
Airports
Restaurants
Bus stops
Flyers such as fake parking tickets
Phony emails and text messages
And remember that it's always possible for someone to place a sticker with a malicious code over a legitimate code on a sign, parking meter or other trusted location.
Take a moment to examine public QR codes for signs of tampering. Watch out for QR codes from unsolicited text messages and emails, and be extra cautious of QR codes that promise free goods or prizes.
To avoid QRishing scams, always use a trusted QR code scanner app that includes security features that can detect malicious links. You could try TrendMicro's QR Code scanner, QR & Barcode Reader by Gamma Play or QR Code Reader by TeaCapps.
As a last resort, be sure to double-check the URLs you are being sent before clicking on them. Particularly for URLs that include common misspellings of popular company names or ones that merely contain the name of a trusted company within an untrusted domain name.
If you're the victim of QRishing scam, it's important to report the crime and protect your information. Any information you've given to the scammers may be compromised, including your name, address, Social Security number and financial accounts.
Contact your bank and inform them that your account has been compromised. You should immediately change your passwords, scan your devices for malware and implement multi-factor authentication if you haven't already. Also check your credit reports for fraudulent activity and consider freezing your credit.
Here are some additional resources for victims of QR code scams:
Federal Trade Commission -- The FTC has an online reporting site so that consumers can report fraud. You can also call the FTC's Consumer Response Center at (877) 382-4357 to file a fraud report by phone.
-- The FTC also offers this site to help consumers report cases of identity theft, get a recovery plan and put it into action. You can also call the FTC Identity Theft Hotline at 1-877-IDTHEFT (1-877-438-4338).
Social Security Administration -- The Social Security Administration offers resources for those who have had their Social Security number stolen. You can also report it to the Social Security Administration at or by calling its Office of Inspector General fraud hotline at 1-800-269-0271.
