Overview

QR codes can be convenient, but we’ve seen scammers using them to lure victims to sites and apps designed to steal money and personal information. Because of this, we recommend being cautious about sharing any sensitive information on sites or apps accessed through QR codes. Here’s one more tip: before you click the web link that the QR code displays, read the URL to make sure it’s legitimate.

“QR” stands for “quick response,” and QR codes do just that.

Once a smartphone camera reads a QR code, a URL appears. By clicking the URL, the user is transported to a website or app.

Many QR codes provide legitimate links to useful information; you've probably scanned one to get into an event, pay for a purchase, or read a restaurant menu.

But it’s important to know that QR codes can also be used in phishing attacks and other schemes devised to steal money and personal information from unsuspecting people.

In 2022, the Federal Bureau of Investigation (FBI) and Better Business Bureau (BBB) each issued warnings about QR code scams.

As a part of our commitment to keeping you safe from scammers, we’ve got you covered with the latest on this scam type.

How QR code scams work

Although QR codes have been around since the 1990s, their popularity has recently soared. You're likely to see these square barcodes on billboards, product labels, or promotional emails.

Trouble is, anyone can create a QR code for free online — including bad actors. 

Increasingly, scammers are creating QR codes that direct to phishing websites or bogus apps designed to capture money or personal information. Scammers often create malicious websites that only look legitimate on the surface, and QR codes are just one way for them to advertise and lure people to their scam sites.

In addition, these “fake” QR codes may lead you to download malware that gives criminals access to your files and other sensitive information, such as your location, which they can use to steal your identity.

Watch out for these common QR code scams

Scam QR codes can be fabricated both physically and digitally. Here are some ways criminals may circulate them:

  • Phishing emails and texts: You might receive an email or text saying that suspicious activity has been detected on your account and you need to scan a QR code to verify your identity. Or, you might be hit with an imposter scam and get a message from someone claiming to be from a utility company or the IRS, requesting that you scan a QR code to pay off a debt you owe. 

  • Social media ads: These digital ads might feature a special offer or promotion that you “won't want to miss” — and a QR code scan is all it takes to gain access. But really, you're taken to a fraudulent website instead of a legitimate one. 

  • Stickers on parking meters and payment machines: Scammers have been found placing scam QR code stickers on parking meters or payment stations, leading drivers to think they can pay for their spot with a quick scan. In reality, you'll be sending your funds and/or credit card information to crooks. Criminals have also been found placing these “fake” QR code stickers over real ones on restaurant tables and flyers, so be vigilant in these public places as well.

  • Messages designed to steal your crypto: As cryptocurrency becomes more mainstream, scammers are taking advantage. Legitimate cryptocurrency traders often use QR codes to direct people to their digital wallets, and con artists are following suit. Victims often think they're investing in real cryptocurrency, but they're really depositing their money into criminals' wallets.

How to spot a “fake” QR code before you scan 

If you need to scan a QR code, consider these safety tips:

  • Read the link. When you hover your camera over a QR code, a URL will likely appear. Make sure it looks like it’s for the business or organization you expected, and check for typos or misspellings. Be extra wary of shortened URLs, which cybercriminals tend to use.

  • Look for tampering. Before you scan a code posted in a public place, carefully examine it. Could it be a sticker covering a real code or other information? Legitimate businesses often laminate signage that contains QR codes or place them behind glass. 

  • Check the source. If you receive an out-of-the-blue communication from a trusted company encouraging you to follow a QR code to make a payment or enter personal information, reach out to the company directly before taking action (be sure to check the company's official website for the correct contact information). The same goes if you get an unexpected QR code from a friend, as they could have been hacked. 

  • Don't be swayed by panic-inducing messages, especially those that urge you to act immediately. This is a favorite trick of scammers, aimed at convincing victims to comply before they’ve had time to consider the situation or discuss it with others.
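The "read the link" tip above can also be applied automatically to the text a scanner decodes. The following is an added example, not part of the original article: the function names, the shortener list and the `cityparking.example` domain are constructed for illustration, and it assumes you already know which domain the code is supposed to lead to.

```python
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts; not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(decoded, expected_domain):
    """Return warnings for text decoded from a QR code (empty list = as expected)."""
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-link"]
    if host in SHORTENERS:
        return ["shortened-url"]  # the real destination is hidden
    if host == expected or host.endswith("." + expected):
        return []  # the expected domain or one of its subdomains
    # Compare the host's trailing labels with the expected domain to catch typos.
    n = expected.count(".") + 1
    tail = ".".join(host.split(".")[-n:])
    if edit_distance(tail, expected) <= 2:
        return ["lookalike-domain"]
    if expected in host:
        return ["expected-name-inside-other-domain"]
    return ["unexpected-domain"]

if __name__ == "__main__":
    # Constructed sample QR payloads for a hypothetical parking operator.
    for s in ["https://pay.cityparking.example/meter/12",
              "https://cityparkinq.example/pay",
              "https://bit.ly/3abcde",
              "https://cityparking.example.pay-now.test/"]:
        print(s, check_qr_url(s, "cityparking.example"))
```

An empty result only means the host matches the domain you expected; it says nothing about whether that domain itself is trustworthy.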

Always check the legitimacy of a QR code before clicking the link it generates — especially if you’re using it to download an app, make any kind of payment, or share secure information like passwords and usernames.

If you're an Allstate Identity Protection member and would like to add an extra layer of protection, we recommend enabling our device security features, which filter out harmful websites and ensure you never engage with an infected link. To check if these features are included in your plan, visit your account dashboard any time.

With this in mind, you can still enjoy the convenience of QR codes; just maintain a healthy sense of skepticism.