How to stay alert to fake QR code scams

Older Australians are being urged to take extra care when using QR codes, as scammers increasingly exploit the everyday technology to steal personal and financial information.

The square black-and-white patterns used for quick access to websites, payments and services have become a routine part of daily life. From parking meters and café menus to public transport updates, many people now scan codes multiple times a week, often while in a hurry.

But that convenience is also what makes them attractive to criminals.

First developed in 1994 by Japanese company Denso Wave for tracking automotive parts, QR codes are now widely used because they are easy to create and can be scanned instantly using a smartphone camera.

However, unlike a web link, a QR code does not show where it will lead until after it has been scanned. Once activated, it can open a website, prompt a payment, check a user into a location, or even connect a device to a wireless network.

According to CQ University Head of Technology, Meena Jha, that’s what makes it so useful, but also potentially risky.

“Malicious QR codes can redirect users to fake websites or prompt them to download harmful content,” Jha said.

She added that scammers are relying on the familiarity of QR codes to catch people off guard.

“QR codes are so familiar and widespread, we tend to trust them without question. That’s exactly what scammers rely on.”

One growing threat is known as “quishing” – short for QR phishing. Traditional phishing scams typically arrive via email or text message and attempt to trick people into clicking malicious links. In quishing scams, those links are replaced with QR codes.

“Scammers now include QR codes in emails or text messages instead of clickable links,” Jha added. “When scanned, the code directs users to fake login pages or payment sites.”

Because the destination is hidden, these messages can appear more legitimate and may even slip past some email security filters.

Another risk involves malicious downloads. Some QR codes trigger the download of an app or file that may contain malware, potentially giving attackers access to a user’s device, personal data or online accounts.

Physical tampering is also a concern. Authorities have reported cases of scammers placing fake QR code stickers over legitimate ones in public places, such as parking meters.

When drivers scan the code, they are taken to a fake payment page and asked to enter their card details. Similar tactics have been used on posters, flyers and signage in busy areas.

Even codes that appear genuine may not be safe. Some redirect users through multiple web pages before landing on a convincing but fraudulent site, making it harder to detect suspicious activity.

Experts say older Australians, who may be less familiar with newer scam techniques, should be particularly cautious, but not alarmed.

“The good news is you don’t need to stop using QR codes,” Jha said. “You just need to use them more carefully.”

Simple precautions can significantly reduce the risk of falling victim. Users are advised to treat QR codes like unknown links and avoid scanning them unless they are confident of the source.

“If you wouldn’t click a random link, don’t scan a random QR code,” Jha said.

Checking for signs of tampering is also important. In public places, people should look closely at QR codes to see if they appear to have been altered or covered by a sticker.

Many smartphones now display a preview of the web address before opening it. Taking a moment to review that link can help identify suspicious or unfamiliar websites.

Consumers are also warned to avoid scanning QR codes sent in unsolicited emails or text messages, particularly if they request login details or payment information. Instead, they should navigate directly to the official website of the organisation involved.

“Don’t rush to enter personal details. If a site asks for sensitive information, pause. Double-check you’re on the correct website,” Jha said.

Keeping devices up to date is another key step, as regular security updates can help protect against malicious software and unsafe websites.

While QR codes themselves are not dangerous, experts emphasise that they remove an important layer of visibility.

“They are useful tools that make everyday tasks easier, but they remove a key safety step: the ability to see where you’re going before you get there,” Jha added.

With scams continuing to evolve, the message is simple: slow down and stay alert.