Skip to content

7 Things You Must Know Before Scanning a QR Code

Cybercriminals can exploit the quirky-looking labels that have multiplied during the pandemic

A qr code

Carlina Teteris/Getty Images

En español | They resemble selfies taken by space aliens, but these black-and-white squares have a name: quick response codes, or QR codes. And they're seemingly everywhere these days.

QR codes have grown increasingly common during the pandemic, cybersecurity professionals say, as coronavirus fears have triggered a demand for touchless transactions. You can show a QR code on your smartphone screen to board an airplane or enter a sporting event, or use your phone's camera to scan a code to learn when the next bus is due or to peruse a restaurant menu.

AARP Membership - $12 for your first year when you sign up for Automatic Renewal

Join today and get instant access to discounts, programs, services, and the information you need to benefit every area of your life. 


The codes also appear in direct-mail ads and at retail outlets. Stroll a pharmacy's aisles and you'll see QR codes on packaging for a range of consumer products, from baby food to over-the-counter pain relievers. Scan the code to visit a company's website, get more information about a product, or perhaps even score a coupon or discount.

Danger can lurk behind QR codes

While many of the machine-readable optical labels are trustworthy, some can be downright dangerous. And if you fall victim to a crook lurking behind a fraudulent QR code, you may, in fact, need that extra-strength pain relief.

Here are seven things to keep in mind before scanning a QR code:

1. Fraudsters have used QR codes for years. The codes came on the scene 27 years ago when Japanese automakers used them to track parts and inventory. “Whenever a new technology or a new offering comes out, cybercriminals look for ways to manipulate it,” says Angel Grant, vice president of security for Seattle-based F5 and a certified information-systems security professional. “So we've seen criminals targeting QR codes pretty much from when they were originally put out.”

2. When eyeballing a QR code, remember those lessons from Cybersecurity 101. Just as you should never click on suspicious hyperlinks or download fishy attachments — especially anything sent by strangers — you should avoid suspicious QR codes, which can take you to weird websites or sites that are created to look safe but are nothing but trouble.

"Because QR codes are being used in a lot of new and different ways, they are a natural target for cybercriminals."

Angel Grant, vice president of security, F5

At worst, a crook can download malware or direct you to a fraudulent website to try to steal your money, grab your personal and financial data or log-in credentials, and wreak havoc. Your online financial accounts, peer-to-peer payment apps, contacts, social media accounts and photos are among the things that could be compromised.

3. Criminals have been known to distribute fliers with malicious QR codes or to attach stickers with fraudulent codes over existing, legitimate ones in public places such as bus stops. Consider the criminal who slapped fake parking tickets on windshields and offered the supposed scofflaws the option of paying their fines by scanning QR codes, says Tracy C. Kitten, director of fraud & security for Javelin Strategy & Research. “And when you scan it, malware [malicious software] gets installed on your device to access your personal info and a whole host of other info,” Kitten says.

"QR code abuse closely aligns with phishing attacks...which within the last two to three years have gotten more sophisticated."

Tracy C. Kitten, director, fraud & security, Javelin Strategy & Research

4. Do not trust a QR code that was supposedly emailed by a friend (whose account may have been hacked) or that appeared in a text, online post or mail piece. Instead, use a browser and visit a website using a domain name you know is legit.

5. Avoid using a QR code to pay a bill. There are many other payment methods that are less susceptible to fraud.

6. QR codes may seem harmless, not least because the naked eye can't detect what the codes are programmed to do. So trust your gut, Kitten advises. “If the code is stuck to the side of a napkin dispenser and looks suspect, don't use it. Ask for a menu."

7. Consider adding protection that checks for malicious or inappropriate content, advises Grant, who says many firms, including Sophos Mobile Security and Kaspersky, offer mobile products.

QR codes can come in handy

The bottom line: QR codes can be created quickly and easily, but like other tech tools highjacked by fraudsters, they also serve a legitimate purpose in commerce and everyday life.

A couple of her friends, Grant says, use QR code generators to share their Wi-Fi passwords with guests, “because when their kids’ friends come over, they're always like, ‘Hey, what's your Wi-Fi?'

"So now when their kids’ friends come over, they go over to the refrigerator [where the QR code is placed] and now they're on the house Wi-Fi without having to bother the parents all the time."

Katherine Skiba covers scams and fraud for AARP. Previously she was a reporter with the Chicago TribuneU.S. News & World Report, and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map, or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.

Join the Discussion

0 %{widget}% | Add Yours

You must be logged in to leave a comment.