As if finding parking in NYC isn’t infuriating enough, imagine getting scammed on top of it.

Unfortunately, that’s the case for many drivers who have fallen victim to QR code scams, also known as “quishing” (QR + phishing). Pay stations often have QR codes leading to legitimate payment apps, but scammers have been replacing these codes with counterfeit ones of their own, leading unsuspecting victims to malicious sites seeking their personal information.
Example of counterfeit QR code on NYC payment station (Image courtesy of Reddit)
And it’s not just parking meters. Fake QR codes are increasingly popping up in various locations, designed to trick you into providing your financial info or to give scammers access to your device.
What makes QR scams so sinister is that they can be harder to recognize than other phishing attempts since the code itself masks the URL you’re being directed to. Plus, QR codes are used in legitimate businesses all the time, so most people scan these codes without a second thought.
Where you might see fake QR codes
The most common places where you may encounter counterfeit QR codes include:
- Public payment machines (e.g., parking lots, Citi Bike, etc.)
- Restaurants
- Unsolicited package deliveries
- Public flyers and posters
- Phishing emails and text messages
- Social media
- Cryptocurrency-related messages (e.g., Coinbase)
How to avoid QR code scams
QR code scams can be tricky to spot, but there are still red flags you can watch out for:
- Always preview the URL before clicking: Many devices will display a preview of where a code wants to redirect you. Look for suspicious web addresses, typos, or URLs that do not start with https://.
- Check the quality of printed QR codes: Confirm whether a QR code is part of the original signage. Counterfeit QR codes may be affixed as a sticker and may look poorly printed, misaligned, or otherwise tampered with.
- Don’t give in to pressure: Think twice before you scan a code that comes with a message asking you to act urgently (e.g., “Pay now!”).
- Does it make sense? If a QR code seems out of place in the environment you’re in, don’t scan it!
- Go to the source: Check with a staff member or with an advertised website/app directly if you’re ever wary about scanning a QR code.
- Don’t use third-party scanning apps: Use your smartphone’s camera in lieu of downloading a QR code-reading app, which may not be secure.
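The URL-preview checks from the list above, written out as an added Python example (not part of the original article) for anyone who wants to screen decoded QR text automatically. The trusted host `pay.parking.example` is a constructed placeholder for the address printed on the operator's official signage, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder: the host the operator officially advertises.
TRUSTED_HOSTS = {"pay.parking.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def qr_url_red_flags(decoded: str, trusted=TRUSTED_HOSTS) -> list[str]:
    """Return the red flags found in the text decoded from a QR code."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if parts.username is not None:
        flags.append("userinfo-in-url")   # real host is whatever follows the "@"
    if is_ip_literal(host):
        flags.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")     # may render as look-alike letters
    # HTTPS alone proves nothing about who runs the site, so the host
    # is always compared against the operator's published address.
    if host not in trusted:
        near = any(0 < edit_distance(host, t) <= 2 for t in trusted)
        flags.append("lookalike-host" if near else "unlisted-host")
    return flags
```

An empty result means none of these red flags fired, not that the destination is safe; the other checks in the list still apply.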
Did you provide your info to a suspicious QR code?
Stay calm and act quickly to protect your personal data:
- Lock down your accounts: Lock your cards, contact your financial institutions, and change your passwords. Also, consider freezing your credit.
- Disconnect from Wi-Fi: Turn off Wi-Fi and select Airplane Mode to prevent any malware from transmitting your information.
- Look for malware: Use reputable software to scan your device for any malware.
- Tell the affected business: If you run into a QR code scam, make sure you tell the business, which can take steps to prevent the scam from affecting others.
October is National Cybersecurity Awareness Month, an annual collaborative effort between government and industry to ensure we have the resources you need to maintain your security online. Throughout October, we’ll be sending you tips on protecting your information and avoiding malicious attempts to extract your personal data. Visit its.weill.cornell.edu/cybersecurity for more info.
