How to stay safe from the rising QR code scams?

More than 26 million people have been tricked into visiting malicious websites by scanning fake QR codes, which are often posted over real codes in public places like bus stops, gas stations, or on advertising flyers, according to a warning from Panama-based cybersecurity firm NordVPN.

When users accidentally scan, they can have their personal information stolen such as login names, passwords, credit card numbers, and even the device can be installed with spyware, allowing hackers to control it remotely.

The US Federal Trade Commission (FTC) has issued a warning about QR codes printed on packages. A seemingly harmless scan can lead you to a fake website where all your personal data can be stolen with just a few taps.

In the US, the New York Department of Transportation has discovered fraudulent QR codes on parking payment machines, and Hawaii Electric has warned customers about similar tricks to steal electricity bills.

Statistics from cybersecurity platform KeepNet Labs show that currently, up to 26% of malicious links are distributed via QR codes, an alarming number as this form is increasingly popular, surpassing even traditional email phishing campaigns.

The worrying thing is that most users can’t tell the difference between a real and a fake QR code. Fraudsters simply overprint a fake code onto billboards or documents that have the real code, similar to how crooks attach data-stealing devices to ATMs. QR codes were created for convenience, not security, which is why they’re becoming such a powerful tool for hackers.

Experts even consider QR codes to be more dangerous than traditional phishing emails. Because when you scan them, you can't immediately see the web address to check. And this is the reason hacker groups use QR codes to spread malware, attack military systems, or steal device access through remote access malware.

Be especially cautious when scanning QR codes in public. Only use codes from trusted sources, and avoid scanning codes from unknown sources on unfamiliar parcels, billboards, or flyers. What may seem like a convenient action can be an opening for cybercriminals.

How to protect yourself from fraudulent QR codes?

Like many other scams, QR code attacks often take advantage of the victim’s impatience and haste. Therefore, the most important principle to stay safe is to stay calm, alert, and not act hastily.

You wouldn't click on strange links or files in emails, so don't randomly scan QR codes on billboards, electricity poles, flyers, or public places of unknown origin.

In particular, if you see a QR code at the bottom of a poster advertising an event or a brand, search for the event or company name on Google and visit the official page instead of scanning it directly.

When scanning a QR code and being redirected to a website, never enter personal information such as full name, ID number, bank account or password.

Check carefully whether the website address is a familiar domain name such as .com, .vn or not? Or is it a strange extension such as .tv, .top, .xyz, which are often used by scam sites to deceive users?

For Android users, you can install reputable antivirus apps to further protect against malware and fake websites. Additionally, if you are really concerned about the risk of information theft, you can consider using identity protection services. These services can not only help detect and prevent fraud, but also help recover stolen accounts or funds.

As QR codes become more and more popular – from payments to menus to event registration – the risk of being attacked by this type of malware is also increasing. Experts warn that cybercriminals are constantly finding new, more sophisticated ways to exploit QR codes.

So be careful every time you pull out your phone to scan a code. A seemingly harmless scan can have dire consequences, from losing money to exposing personal information to having your device remotely taken over. Caution is key to protecting yourself in the digital age.