Is That a Fake QR Code? How to Spot One and Protect Yourself From Identity Theft

Scammers can use fake QR codes to steal your money and identity. But what can you do when you need a menu?

Jason Steele Expert Reviewer and Contributor
As a freelance personal finance writer since 2008, Jason has contributed to over 100 outlets including Forbes, USA Today, Newsweek, Time, U.S. News, Money.com and NerdWallet. As an industry leader, Jason has spoken at dozens of conferences and is the founder and producer of CardCon, an annual conference for credit card media. Jason also consults with individuals and small business owners to create customized plans to help them earn and spend travel rewards. He can be reached via his website, JasonSteele.com, and on LinkedIn.
Expertise Credit cards, award travel and consumer credit

You're trying out a new restaurant and are told to scan a QR code on the table to access the menu. Could you tell if the code is a fake? 

Unlike with text and email scams, it's much harder to see the difference between a legit QR code and one that takes you to a fraudulent site with a malicious download. And the number of QR phishing, sometimes called Quishing or QRishing, attempts soared from 0.8% in 2022 to 12.4% in 2024, according to a recent Phishing Threat Trends Report from Egress.

Although you can try to avoid QR codes altogether, there are many times when we have to rely on them -- like to pull up menus or pay for parking. 

What is QR phishing or QRishing?

QR phishing or QRishing is a cyber attack that uses QR codes linked to sites that trick users into downloading malicious content or providing sensitive information.

After the victim has downloaded the content, the attackers steal user information such as passwords, financial data and other personally identifiable information, or PII. The information can then be used to commit identity theft and financial fraud.

How to spot a QRishing scam in the wild

The trouble is, with QR codes, you may not be able to tell the difference between a malicious code and a legitimate one until you've scanned it. But there are a few ways you can avoid fakes. Lisa Plaggemier, executive director of the National Cybersecurity Alliance, recommends that you only scan QR codes from reputable sources, whether on a physical sign, website or email.   

"To protect yourself from QR phishing, ensure your mobile device's security settings are up to date and use trusted security software," she said.

Always be skeptical of any QR codes you see and consider their source. If the QR code is on a restaurant menu the server gave to you, it's likely legit. If the QR code is on a flyer hanging outside the restaurant, be suspicious.

Also, remember that it's always possible for someone to place a sticker with a malicious code over a legitimate code on a sign, parking meter or other trusted location. So before you scan, take a moment to examine QR codes for signs of tampering. 

Watch out for QR codes from unsolicited text messages and emails, and be extra cautious of QR codes that promise free goods or prizes. 

To avoid QRishing scams, use a trusted QR code scanner app that includes security features that can detect malicious links. I recommend TrendMicro's QR Code scanner, QR & Barcode Reader by Gamma Play or QR Code Reader by TeaCapps.

As a last resort, be sure to double-check the URLs you are being sent before clicking on them. Look particularly for URLs that include common misspellings of popular company names or ones that merely contain the name of a trusted company within an untrusted domain name.
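The two URL warning signs described above can be checked mechanically once a scanner has decoded the QR code to a link. The following is an added example, not part of the original article: the brand names, domains and result labels are constructed, and it assumes the registrable domain is the last two host labels (a production check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allowlist: brand label -> the domain that brand really uses.
TRUSTED = {"examplebank": "examplebank.com", "cityparking": "cityparking.example"}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url):
    """Classify a URL decoded from a QR code against the allowlist."""
    parts = urlsplit(url)
    # hostname drops any "user@" prefix and the port, so it is the real destination.
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # assumption: two-label registrable domain
    if registrable in TRUSTED.values():
        return "trusted"
    name = labels[-2] if len(labels) >= 2 else host
    for brand, real in TRUSTED.items():
        # Trusted name appears somewhere in the authority part, but the
        # destination is a different domain.
        if brand in parts.netloc.lower():
            return f"brand-in-untrusted-domain:{real}"
        # Domain name is within two edits of a trusted brand: likely misspelling.
        if 0 < edit_distance(name, brand) <= 2:
            return f"lookalike:{real}"
    return "unknown"  # not on the allowlist: not verified, not proven malicious

if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://www.examplebank.com/menu",
        "https://examplebank.com.pay-now.example/login",
        "https://examp1ebank.com/",
        "https://cafe-menu.example/today",
    ]
    for s in samples:
        print(s, "->", check_qr_url(s))
```

An "unknown" result only means the domain is not on the allowlist, so the source of the code still has to be judged as described earlier.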

What to do if you've already fallen victim

If you're the victim of a QRishing scam, it's important to report the crime and protect your information. Any information you've given to the scammers may be compromised, including your name, address, Social Security number and financial accounts.

Contact your bank and inform them that your account has been compromised. You should immediately change your passwords, scan your devices for malware and implement multi-factor authentication if you haven't already. Also check your credit reports for fraudulent activity and consider freezing your credit.

Here are some additional resources for victims of QR code scams:

  • Federal Trade Commission -- The FTC has an online reporting site so that consumers can report fraud. You can also call the FTC's Consumer Response Center at (877) 382-4357 to file a fraud report by phone. 
  • IdentityTheft.gov -- The FTC also offers this site to help consumers report cases of identity theft, get a recovery plan and put it into action. You can also call the FTC Identity Theft Hotline at 1-877-IDTHEFT (1-877-438-4338).
  • Social Security Administration -- The Social Security Administration offers resources for those who have had their Social Security number stolen. You can also report it to the Social Security Administration at oig.ssa.gov or by calling its Office of Inspector General fraud hotline at 1-800-269-0271.