Need to know
- QR codes have become a common part of our lives, but scammers are using them to distribute links to dangerous websites
- These URLs are designed to steal people's information by impersonating the websites of government services or major brands
- Watch out for QR codes that come from unexpected sources or request inappropriate information and look for signs that a QR code has been tampered with
How often do you scan a QR code?
These black and white square clusters of pixels became a daily fixture for many Australians during the COVID-19 pandemic and have stuck around since, promising to help us order food and pay for parking, among other tasks.
But could our willingness to whip out our phone and scan any code put in front of us be exposing us to novel attempts to steal our personal information?
With all QR codes looking more or less the same, criminals have been able to abuse our trust in these convenient little squares to covertly distribute malicious links designed to phish for our sensitive details and savings.
On this page:
- What are QR codes?
- How are QR codes being used to scam people?
- Are QR code scams happening in Australia?
- How to avoid QR code scams
What are QR codes?
QR codes are images that provide information when scanned with a camera. This one gives you a link to the CHOICE website.
"A QR code is a clever way of combining a lot of information, a link or a lot of data into a machine-readable format," explains Damien Manuel, adjunct professor of cyber security at Deakin University.
These quick response (QR) codes are a type of barcode, similar to those you find on the bottom of most supermarket products, but can contain more information and are more resilient to wear and tear.
"They can sustain some level of damage," Manuel says. "With a barcode, if you damage it, it's difficult to rescan, whereas you could tear a corner off a QR code and it'll still retain the information."
QR codes have been around for 30 years, but Manuel says the need for contactless registrations and transactions during the pandemic, combined with the spread of camera phones pushed them into our daily lives.
"[COVID] really accelerated them into the mainstream," he explains. "They had always been there, but they became hugely popular and everybody started [scanning them] without any second thoughts."
How are QR codes being used to scam people?
Most QR codes prompt us to open a link to a webpage that pops up on our screen after we scan them with a device's camera function.
Many codes are created by legitimate organisations to connect people with useful services, but experts say our tendency to scan these squares without hesitating is providing an opportunity to scammers.
"It's very easy to just scan a QR code and then click on the link that's generated in that code without really questioning [it]," Manuel says.
Criminals were making their own QR codes and sticking them over legitimate ones on parking meters
CHOICE's UK sister organisation Which? named attempts to phish for sensitive information via QR codes (also known as 'quishing') as one of the top scams to look out for this year. And Australian banks have issued warnings about quishing too.
Which? has reported some Brits have become unknowingly enrolled in expensive subscriptions to obscure apps costing up to $77 per month after scanning QR codes left in public areas.
In some of these cases, victims had scanned the codes because they were trying to pay for parking and believed the stickers had been left for their convenience by a legitimate parking company.
America's Federal Trade Commission last year warned scammers in the US were employing similar tactics to capture sensitive details.
The consumer protection agency said criminals were making their own QR codes and sticking them over legitimate ones on parking meters, or sending them to potential victims via SMS or email.
Scammers overseas have put their QR codes in places where people are expecting to see and use this technology.
Are QR code scams happening in Australia?
QR code scams appear to be less prolific in Australia for now, but criminals are still trying their luck with them in attempts to skim our personal savings and information.
The ACCC tells CHOICE its Scamwatch arm received 28 reports of scams involving QR codes in 2020, with over $100,000 lost.
Last year, there were 56 reports of phishing scams mentioning QR codes, but no financial losses.
However, evidence suggests they're still a force to be reckoned with.
QR code scammers have impersonated trusted institutions such as Medicare. Image: Services Australia
In the last few months, federal government agencies have been warning of scammers weaponising QR codes in attempts to direct recipients to malicious websites via phishing emails.
Services Australia says it's seen scam emails urging myGov users to update their information via a QR code. Scanning the code takes users to a fake myGov site designed to steal personal details.
The agency also shared with CHOICE another 'quishing' attempt which encourages users to scan a code to view their "latest Medicare rebates".
Late last year, the Australian Tax Office reported it had also seen phishing emails containing QR codes leading to malicious sites purporting to come from its officials.
And it's not just government services being impersonated – cyber security firm Mailguard recently drew users' attention to emails containing dodgy QR codes claiming to come from Microsoft.
Because it's hard to tell one from another, [QR codes] provide scammers with an easy way to hide malicious URLs in plain sight
The company says scammers are putting QR codes in these messages in an attempt to get them past email spam filters, which usually check for dangerous URLs.
Damien Manuel says QR codes are also easy to create through myriad online services and, because it's hard to tell one from another, they provide scammers with an easy way to hide malicious URLs in plain sight.
"We're all being trained to look at a link now and go: is there a misspelling that makes it look like it's not legit? But if I send it to you as a QR code, you're probably not likely to spot it," he says.
"[Scanning a code] may show you an abbreviated version of the link [on your device's screen] and you're more likely to, just out of habit, click on it and go straight through."
How to avoid QR code scams
Beware of QR codes in unusual places or from unexpected sources.
"If you're scanning a QR code in a public place, check it hasn't been tampered with," says Manuel.
One obvious example of this would be if a QR code appears to be stuck over the top of an existing sign or code.
"When you are scanning, make sure you stop to think about where [the link] is actually going," he adds, advising to make sure you're on the right webpage before entering any sensitive details.
Scammers often build fake copies of trusted websites to steal your money and information.
If a QR code takes you to a site you've used before, make sure the URL and information on the page is correct. For more, see our seven tips for spotting a scam website.
Neither myGov nor the ATO will ever send an email or text message with a QR code, so treat any communication claiming to be from these organisations containing one as a scam.
The ACCC says to be wary of QR codes from unexpected sources, or codes that lead to pages asking for usernames, passwords, or to access your device's camera or microphone after you scan them.
It also says you shouldn't download any apps onto your device from a QR code, advising to go to an official app store and check reviews left there by other users first.
Have you been affected by a scam or seen one you think people should know about? Email the author.
Stock images: Getty, unless otherwise stated.