Is that QR code actually a scam? Here’s what to know about ’quishing’ before you scan

If it seems like QR codes are everywhere these days, that’s because, well, they are.

Thanks to a surge in popularity during the COVID-19 pandemic, these scannable codes are being used by businesses and brands for everything from payments and registrations to advertising and information.

You’ll see them in restaurants in place of paper menus, on product packaging, on signposts, on parking meters — and even on trees.

But with success comes cybercrime — or in this case, QR code “quishing” (think phishing … with a q).

Just this week, the agency in charge of Montreal’s parking meters warned of potentially fraudulent QR codes posted on its signs that might direct people to malicious websites. Last year, a similar warning was issued in Ottawa, and officials warned people who may have scanned them to check their credit card information.

As cases of QR code fraud are starting to pop up, and with some officials warning consumers to take pause, you may be wondering if it’s ever safe to scan those familiar little black and white squares and follow the link.

With that in mind, here’s what you need to know about QR code scams and how to avoid them.

What are QR codes?

QR codes, or quick response codes, are a type of bar code that’s scannable by digital devices like smartphones through their camera lens. They typically contain information, such as a link to a website.

One of the most popular uses is for payment, where the market is expected to reach $35.07 billion US globally by 2030, with a 16.1 per cent compound annual growth rate, according to a 2024 report by Allied Market Research.

But just as the report predicted massive adoption of QR codes for payment, it noted that rising data breaches and security issues limit the growth.

How do the scams work?

It’s called quishing, and experts have warned it can be highly effective when the codes are posted in credible places.

QR code usage is so commonplace, and many users just scan them and hardly pay attention to where they’re going, said Tom Arnold, a cybersecurity expert who lectures on digital forensics and incident response at San Jose State University and the University of Nevada, Las Vegas.

QR codes can be stuck on public signs, defaced websites, phishing emails, text messages and even placed into photo images, Arnold, who is also a digital forensics investigator, told CBC News.

They’re a great way for attackers to hide the URL or location they’re sending people to, Arnold said.

Fraudsters claiming to be a service provider, government agency or financial institution use QR codes in various scams to steal personal information, money or both, the Canadian Anti-Fraud Centre (CAFC) explained in an email.

Similar to fraudulent links or URLs, QR codes can be inserted into emails and texts to direct potential victims to fraudulent or malicious websites, a CAFC spokesperson said.

WATCH | Fake QR codes are popping up on Montreal parking meters:

Have there been many cases?

In 2023, the U.S. Federal Trade Commission warned consumers that scammers are hiding harmful links in QR codes to steal personal information, using everything from parking meters to text messages.

Last year, the Canadian Centre for Cyber Security, part of Communications Security Establishment Canada, issued a similar warning in a publication on security considerations for QR codes, saying there’s a potential for threat actors to leverage QR codes to infect devices with malware, steal personal information, or conduct phishing scams.

The Canadian Banking Association also warns about potential QR code scams.

That said, there haven’t been a lot of cases in Canada, although experts say that could change. The CAFC said it’s had just 10 reports related to QR code phishing since 2024.

CBC News has previously reported on two recent incidents: the parking meters with fraudulent QR codes in Montreal and Ottawa.

And last August, the RCMP in Red Deer, Alta., warned residents of QR code scams, saying in a news release it discovered some recent cases of QR codes that, when scanned, bring the user to a website that contains malware. This malware can obtain your banking information and other sensitive information.

In one case, someone had received a package of luxury goods that they had not ordered, the RCMP said, and when they opened the package, there was an attached note directing them to scan the QR code.

Could it get worse?

Kwasi Boakye-Boateng, deputy director of research and training with the Cyber Attribution Data Centre, located at the University of New Brunswick’s Canadian Institute for Cybersecurity, said he thinks QR code scams are poised to become a major problem.

I wouldn’t be surprised if it’s something that’s catching on now. It’s because no one is paying attention to it. And usually attackers would always find the easiest means to acquire any information that would give them a financial advantage, Boakye-Boateng said in an interview.

It’s also become easy for people to design apps, tools and websites that look legitimate, especially using artificial intelligence, he said.

And if the scammer is well resourced, it may not even be possible to trace it back to them, Boakye-Boateng said. They can cover their tracks.

LISTEN | Could that QR code menu be a scam? (new window)

What are the warning signs?

Experts say you should carefully check the URL of where the QR code is directing you, since that can indicate whether it’s a potential scam. Hovering over the code with your camera without actually clicking will usually show you the link, the CAFC said.

For instance, Arnold said, the URL for a fraudulent QR code that looks like it’s sending you to TD Bank might look like this: tdbank.com/?login%20%20%20%20%20%20%20%20%20mybadsite.com/TDlogin.

Adding a bunch of %20s allows the attacker to hide the fact they’re actually sending you to mybadsite.com, he explained.

Any enticement that uses a sense of urgency is an immediate red flag, Arnold said, such as a QR code to buy last-minute tickets for a concert. In general, any unsolicited message of any type that prompts a user to scan a code should be considered a risk, he said, and lone QR codes that are just stuck on a wall or light post should never be scanned.

Some scammers will place stickers over legitimate QR codes in public spaces, like on parking meters and posters. As a safe practice, try scratching the code or scraping your fingernail over it to see if it might have been pasted on, Boakye-Boateng said.

If you think you’ve fallen victim to a scam, call the police, he said. You have to be very diligent now.

The City of Ottawa issued this image comparing an untampered parking machine label, left, and one with a fraudulent sticker, right. CBC News has blurred the image so the QR code cannot be scanned. Photo: City of Ottawa