Fake QR Codes Can Expose Your Phone to Hackers. Here's How to Protect It

NBC Universal, Inc.

QR codes are popping up everywhere – from product packaging and restaurants’ menus to gas stations.

QR stands for "quick response." Scanning the code with your phone's camera will typically open the phone's browser and send you to a website, or even download an instant app for tasks like renting an electric scooter or paying for parking.

But as QR codes become more popular, cyber-security experts have a warning.

“It’s just another way for a hacker to get to your device,” said Alex Mosher with phone security firm MobileIron.

MobileIron recently polled 2,100 phone users in the United States and United Kingdom. It found 40% had scanned a QR code in the past week and 53% would like to see more QR codes. But 71% admitted they couldn't spot a malicious QR code.

“You don’t always know when you’re scanning a QR code if it’s taking you to a site that you can know and trust," Mosher said. "A QR code that’s legitimate, and one that’s not, tend to look exactly the same.”

Mark Kraynak, a former tech executive, says he fell victim. He used a small business' QR code as part of a contact-free equipment rental process.

“It asked for a credit card, and I thought maybe that was part of the payment, but it wasn’t," Kraynak said.

Instead, a $40 charge from somewhere in Eastern Europe appeared. Fortunately, his credit card company caught the con and reversed the bogus charge.

“I was like, ‘I can’t believe I did that,'" Kraynak told NBC Bay Area. "I register for alerts on all my accounts. I tell everyone around me to do the same.”

How is this happening? Mosher says typically, thieves are creating fraudulent QR codes that they just print and paste over a "real" one and wait for you to scan. The malicious codes can take your credit card information, or even open your phone to hackers. So you need to check for tampering before you scan.

“It is somewhat challenging to be able to identify that," Mosher said. "You’re sort of just relying on your own luck to be assured that you’re scanning the right code.”

To protect your phone from potentially harmful, malicious QR codes, experts tell us you should avoid blindly scanning QR codes and always consider the source. If you can, inspect the code itself to see if anyone has tampered with it.

Mosher also recommends adding security software to your phone. It's not a license to scan random codes, but it might help block attacks.

Finally, do what Kraynak did, set up alerts with your bank and credit cards. It's another line of defense that can help protect you from a variety of scams and identity theft.

Contact Us