QR codes are utilized for many different functions, but how safe are they??

There are two types of QR codes:

Basic QR Codes 

First generation of QR Codes are still the most common QR codes in use today and since Covid,  many restaurants utilize QR codes for their menus.

These codes can only be used if they are scanned by a cell phone. This is a very convenient method, however… data transmitted using QR codes is not securely encrypted and can be seen by others.

Custom “Matrix” QR Codes

They work in the same manner as the original QR codes do, but they provide us with a comfort factor by confirming the name of the company we are trying to access.


Informational Flow Map Depicting Internet Traffic  

When we access the Internet from any device (laptop, desktop, cell phone), the transfer of data between our device and the website occurs back and forth across thousands of bridges. 

In the diagram, white lines represent links across cell towers and wi-fi hubs.  Yellow, purple, and green lines represent clustered networks of computers (usually in a neighborhood or a region within a town).  The blue lines represent the high-volume bridges that transfer the internet traffic to microwave repeaters and fiber-optic trunk lines that connect cities

Every connection between lines represents a computer or device (a node) that is collecting and transferring data, so you can see the "highway" has lots of places where people could try to intercept what you are sending.

How Scammers Steal Your Identity using QR Codes

  • Scammers have added hundreds of thousands of nodes (computers or devices) to the internet.
  • The scammers use these nodes to watch for QR-initiated traffic between cell phones and financial institutions and big retailers so they can piggyback to collect your login credentials.  
  • Once the scammers follow you, they call you to confirm recent activity on your account,  but slip-in a made-up fraudulent transaction to make you think someone has stolen your identity. 
  • While talking to you, they secretly request a password reset code from the website which is sent directly to your phone.  While they are still talking to you, they tell you they just sent you a code to confirm that you are the true customer associated with the account.
  • Once you repeat the code to them, they secretly enter it into the website and change your password.  From this moment forward, they can use your available credit luntil it is exhausted. 
  • This particular type of QR Code scam occurs thousands of times per hour and has resulted in over a billion dollars of theft already in 2022. 

IMPORTANT:  To protect yourself, access financial institutions only from your laptop or desktop using a direct URL or link to the website.  These links are encrypted and cannot be seen by the scammers.  NEVER click on a link or QR code inside an email with banking. ALWAYS go directly to the bank's website and log in there and DO NOT automatically save your password.


Other scam methods  with QR Codes 

  • Some financial institutions are sending mails with Personal Secure Codes and a QR code that you can scan with your phone to apply online for a new credit card.  
  • The problem with this kind of direct-mail advertising is that if you don’t shred this letter and you end-up tossing it into your trash, anyone can use this letter to request a credit card in your name.  So be careful.  Shred any document that is addressed to you with a QR Code.

  • Another method used by scammers is slapping stickers with fraudulent QR codes at restaurants, at pay to park kiosks and leaving flyers with QR codes for special discounts

How can you tell if a QR code is real?

  • Check if the QR code comes from a trusted source. Don’t scan it if not sure
  • Don’t scan QR codes on stickers. Are they above another sticker or not part of the original poster or placard?
  • Check the URL code preview shown on your smart phone when you start scanning it. If the URL looks strange don’t continue. 

Follow the recommendations to catch phishing emails

  1. Be suspicious of QR codes received vial email, text or social media posts
  2. Access the menu page via the restaurant’s website instead of using the QR code