Last month, the FBI reiterated the dangers of “juice jacking,” an alleged practice wherein bad actors steal data or install malware on your smartphone through public chargers. The problem is, there have been no documented cases of juice jacking in the wild, which might lead some to consider digital security warnings, say, about QR code scams, as yet another tech moral panic.
However, QR code scams are real, and you should be vigilant. But you shouldn’t freak out about them.
QR code scams in the news
Recently, QR code scams have been making news. As reported by Bleeping Computer, scammers stole $20,000 from a woman in Singapore after she scanned a QR code purporting to be a survey for her local bubble tea shop. The ad promised a free cup of milk tea for completing the survey, so she scanned, and subsequently downloaded an app when prompted in order to take the survey. As you may have guessed, that app had nothing to do with the bubble tea shop. It had everything to do with installing malware on her phone, and it stole $20,000 directly from the victim’s bank account.
Redditor hamsupchoi posted to r/sanfrancisco last week to warn other city residents about a fake parking ticket scam they spotted. Their “parking ticket” looked legit at first glance, but it sported a city seal, something a real parking ticket wouldn’t have, and the QR code to “pay online” actually handed over access to the victims’ bank accounts.
And the Better Business Bureau highlighted a FAFSA scam in which bad actors trick you into thinking they can help you pay down your student loans. A QR code “helpfully” takes you to the official “studentaid.gov” site, but, of course, none of it is real, and all the money you pay to the site goes to the scammers, not toward your loans.
How QR code scams work
For the most part, there’s very little risk in simply scanning a QR code. The danger lies in what you do after scanning the code. Scammers might design their QR code to install a malicious program on your device, with the goal of stealing data or running ads in the background. But they also might build a website that looks like an official site but actually steals information like your login credentials.
Consider one of the examples above: The victim scanned the QR code at the tea shop, which led her to a prompt to download a third-party app to her phone. This is red flag number one: Do not download an app from a QR code unless you are 100% sure the organization behind the code is legit. This is the first entry point for bad actors to get into your phone.
However, the app alone would not have been able to steal the $20,000 from the victim. Once she opened the app, it asked for permission to use her phone’s microphone and camera, as well as Android Accessibility Service. That last permission allows an app to read what is on the screen and act on the user’s behalf for accessibility purposes, but, to bad actors, it’s a way into the victim’s life. From there, they were able to scrape the victim’s login credentials when she used her banking app, allowing them to access her finances without her knowledge. Yikes.
In another scenario, a QR code might lead to a website you believe to be legitimate, where you’d be prompted to enter your username and password—but when you try to log in, nothing happens. That’s because the “site” is actually fake, existing for the sole purpose of learning your login credentials. If a QR code is purporting to take you to a site where you have an existing account, like Amazon or your bank, navigate there yourself instead—or at least confirm that the URL doesn’t look sus.
How to safely scan QR codes
So, are QR codes too dangerous to scan? Not at all. Even as the world goes back to normal post-COVID and you can actually hold a real menu in a restaurant again, QR codes are everywhere, and many of them are legitimate. They have their uses, and there are ways you can be safe when scanning them.
We covered some good tips for staying safe when scanning QR codes in this piece. For example, it’s good practice to distrust any QR code you come across. QR codes are easy to make, so bad actors can place them in spots where they hope people will scan without thinking twice.
Also, if you know where the QR code is trying to take you, like a restaurant menu or a business’s website, try going there yourself without the QR code. In some cases this won’t work, but it’s easy enough to Google the name of a restaurant and find their menu. Just make sure you don’t fall for a fake Google ad disguised as a legitimate link. (Scammers are everywhere, people.)
But with the rise of QR code scams in the news, I think there’s room for another tip to protect yourself when scanning. Do not give permissions for anything after scanning a QR code, and don’t download apps or files when prompted. 99% of the time, whatever is on the other end of that QR code does not need access to your phone’s camera, microphone, location, or, worst of all, accessibility functions. The menu at your favorite restaurant will do just fine without any of that, and bad actors won’t be able to run their scams if you don’t give them the opportunity to do so. Read all pop-ups carefully, and don’t agree to anything you don’t understand or aren’t comfortable with.
With this approach, scanning QR codes instantly becomes so much safer. If you scan something that asks you to grant permission to your accessibility settings or to download a third-party app to continue, back out, go about your day, and take pride in knowing you just ruined some wannabe hacker’s afternoon.
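The two checks the article asks for, "confirm the URL doesn't look sus" and "don't download apps or files when prompted", can be made mechanical. This is an added example, not code from the article: a small Python triage function that takes the text a QR reader decoded and lists the red flags before you tap it. The expected-hosts table and every payload below are constructed for illustration.

```python
"""Triage a decoded QR payload before acting on it (constructed example)."""
from urllib.parse import urlsplit

# Sites the user expects a code to lead to (constructed sample, not a real list).
EXPECTED_HOSTS = {"studentaid.gov", "amazon.com"}

# A link ending like this installs software: the article's red flag number one.
INSTALLER_SUFFIXES = (".apk", ".ipa", ".exe", ".msi", ".dmg")

# Schemes that make the phone dial, text, join Wi-Fi or open a store page.
ACTION_SCHEMES = ("tel:", "sms:", "smsto:", "wifi:", "mailto:", "market:", "intent:")


def _registered_domain(host: str) -> str:
    """Crude last-two-labels domain; enough for the .com/.gov samples here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_qr_payload(payload: str) -> list[str]:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    warnings = []
    payload = payload.strip()
    lowered = payload.lower()
    for scheme in ACTION_SCHEMES:          # not "just a web page"
        if lowered.startswith(scheme):
            return [f"payload triggers a non-web action ({scheme})"]
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https"):
        return [f"unrecognised scheme '{parts.scheme or 'none'}'"]
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        warnings.append("plain http: anyone on the network can alter the page")
    if parts.username or parts.password:
        warnings.append("credentials embedded before '@' can disguise the real host")
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain name")
    if "xn--" in host:
        warnings.append("punycode host: may be a look-alike of a familiar name")
    if parts.path.lower().endswith(INSTALLER_SUFFIXES):
        warnings.append("direct app/installer download (do not install from a QR code)")
    domain = _registered_domain(host)
    for expected in EXPECTED_HOSTS:        # brand name present, domain different
        brand = expected.split(".")[0]
        if brand in host and domain != expected:
            warnings.append(f"'{host}' resembles {expected} but is a different domain")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.studentaid.gov/", "https://studentaid-gov.com/pay",
                   "https://cdn.example/survey.apk", "tel:+15555550100"):
        print(sample, "->", triage_qr_payload(sample) or ["no flags"])
```

An empty result is not a guarantee of safety; it only means the cheap checks passed, and the article's advice to navigate to known sites yourself still applies.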