GRAND RAPIDS, Michigan — QR code scams surge as holiday shopping season approaches QR codes have become ubiquitous in restaurants, stores and marketing campaigns, but a troubling trend is emerging: most Americans aren't verifying these codes before scanning them, making them prime targets for scammers.
According to the Federal Trade Commission, 73% of Americans scan QR codes without checking the source first. As QR codes have become one of the biggest marketing tools this year, they've also evolved into one of the most popular methods for scamming consumers.
"Most people aren't able to detect when a QR code has been tampered with. But it's a really simple form of an attack, whereas it will take you to a website, a malicious website that you're not actually trying to access," said Mark Dargin, a security strategist with Guidepoint Security.
Dargin warns that the holiday season presents particular risks, as attackers know shoppers are in a hurry and more likely to let their guard down.
Warning signs of fraudulent QR codes
Security experts recommend watching for several red flags before scanning any QR code:
Physical tampering: Avoid scanning codes that appear to have been altered. Scammers sometimes place QR codes on top of legitimate ones, and these may not match the surrounding color scheme or appear to be taped on.
URL preview irregularities: Most smartphones display a link preview before directing users to a website. Check for misspellings or suspicious web addresses before proceeding.
Unsolicited codes: Never scan QR codes received through unexpected emails, text messages or packages.
For maximum safety, consider typing URLs manually into your browser instead of scanning public QR codes.
Steps to take if you've been compromised
If you suspect you've scanned a malicious QR code, Dargin recommends immediate action:
"First thing is change your passwords. That is very, very essential to actually change passwords to banking applications, other critical applications, including social media," Dargin said.
He also suggests taking your device to your local phone provider for analysis. In severe cases, they may need to perform a remote wipe of your device if they determine that a security breach has occurred.
The stakes are particularly high, given the amount of personal information smartphones contain. Additionally, 70% of employers now require employees to use their personal devices for work, meaning both personal and corporate information could be at risk in a single breach.
This story was reported on-air by a journalist and has been converted to this platform with the assistance of AI. Our editorial team verifies all reporting on all platforms for fairness and accuracy.
