Fake QR Codes Account for Over 20% of All Online Scams
As digital scams continue to evolve, QR codes have emerged as a gateway for cybercrime, sometimes leading unsuspecting victims into dangerous traps. Known as “quishing,” these scams involve fraudsters tricking individuals into scanning fake QR codes, which then redirect them to fraudulent websites or malicious applications designed to steal sensitive information. The prevalence of QR code-related scams has escalated, with QR codes now accounting for over 20% of all online scams. As a field engineer, I see lots of QR codes while helping our clients set up accounts. While I haven't come across a QR code scam personally, it would be easy to fall victim. The increase emphasizes the need for heightened vigilance. Malicious QR codes pose significant risks to personal and organizational security.
26% of Phishing Campaigns Utilize QR Codes
Data reveals that 26% of phishing campaigns utilize QR codes to embed malicious links. While cybersecurity analyses indicate only 2% of all scanned QR codes are malicious, the true number could be much higher. Only 36% of QR code phishing incidents are accurately identified and reported by recipients, underscoring a significant gap in awareness and detection. Moreover, QR codes appear to be growing in popularity — a reflection of rising consumer demand for convenience in omnichannel shopping experiences. More than 80% of retailers believe offering QR code scanning for product-level information is key to driving customer loyalty. A recent report on the digital shift of retail found that 25% of merchants in the United States plan to offer QR payments in the next three years. Given these statistics, it's crucial for individuals and organizations to exercise caution when interacting with QR codes, ensuring they originate from trusted sources and verifying the URLs they lead to before opening the site.
Ways to Verify a QR Code’s URL Before Scanning
1. Use a QR code scanner app with URL preview.
Many security-conscious apps, such as Kaspersky QR Scanner and Norton Snap, will:
- Show you the full URL before opening it.
- Warn you if it’s a known malicious or suspicious site.
2. Use your phone’s built-in QR preview (when available).
Some smartphones, especially iPhones and newer Androids:
- Display the destination URL above or below the code before taking any action.
- Let you decide whether to open it or not.
3. Scan with a browser extension (on desktop).
If you have the QR code in digital form:
- Use a browser extension, or a website such as qr-code-scanner.com or ZXing Decoder Online, to extract and preview the URL safely.
4. Consider the source of the QR code.
Ask yourself:
- Was it printed by a reputable company?
- Does it look tampered with (e.g., a sticker over another QR code)?
- Is it from an unexpected or suspicious place (e.g., a parking meter, flyer, or public restroom)?
5. Look out for URL shorteners and suspicious domains.
Be wary of links that:
- Use URL shorteners such as bit.ly or tinyurl, as they hide the true destination.
