Skip to main content

Hackers Use QR Codes to Steal Your Money

The use of QR codes rose during the pandemic and hackers took advantage of the opportunity to steal financial data.
  • Author:
  • Publish date:

QR codes with their square barcode regained their popularity when the pandemic began because consumers found them easy to use and businesses did not have to worry about contamination from contact.

Many companies, especially restaurants started using QR or Quick Response codes and swapped them out for menus since customers could scan them from their smartphones within a few seconds. Other industries adopted QR codes for coupons, bills or to learn more information about a topic or person. Coinbase ( (COIN) ), the cryptocurrency exchange platform, even shelled out nearly $14 million for a 30-second Super Bowl commercial in January that only featured a QR code.

As demand for QR codes rose, cybersecurity criminals also noticed the opportunity to steal personal or financial data from a consumer and earn a quick payday.

“Anything consumers will use and trust will eventually be used by hackers,” John Bambenek, principal threat hunter at Netenrich, a San Jose, California-based digital IT and security operations company, told TheStreet. “Criminals will use anything they can to steal a buck.”

Hackers are tampering with QR codes because their use has become widespread and tampering with them is simple, Hank Schless, senior manager, security solutions at Lookout, a San Francisco.-based security service edge provider, told TheStreet. Some contain malicious links embedded with malware so cybercriminals can easily obtain your data such as credit card information or social security number.

QR codes have made a resurgence since the pandemic, including event registration. They are just “another tactic hackers are using to get past traditional security services much like smishing where fraudulent text messages are sent from what appears to be a real company or phishing in Microsoft Teams, and Zoom,” Patrick Harr, CEO of SlashNext, a Pleasanton, Calif.-based anti phishing company, told TheStreet.

How To Scan QR Codes Safely

Consumers believe scanning QR codes are harmless, but they are actually “inherently untrustworthy,” Casey Ellis, CTO at Bugcrowd, a San Francisco-based crowdsourced cybersecurity company, told TheStreet.

“COVID has brought them into use cases where they are highly trusted,” he said. “Once you've gotten used to scanning a QR without thinking about it from a security standpoint, it becomes a pretty attractive payload delivery vehicle for attackers.”

Fraudsters are often one step ahead and devious in their strategies to lure unsuspecting people into scanning or clicking on a link. QR codes are used to sign into accounts, exchange contact information and make money transfers or provide contactless pay options.

QR phishing attacks are on the rise because they require so little effort to be successful. For one, the codes are physical displays, meaning a harmless one can easily be covered with a nefarious one that brings users to a malicious website. This makes it easy for cybercriminals to “display” the legitimate site that steals login credentials or installs malware.

Phishing is a common type of threat where hackers pretend to send emails from legitimate companies and ask for personal data.

“Threat actors have found that QR codes are one of the most effective ways to deliver malicious links so you need to understand that while QR codes make contactless interactions seamless, they also make it easy for attackers to send you malicious links,” Schless said. “Once a credential is stolen, it makes it easy for attackers to steal personal and corporate data alike.”

Scroll to Continue

TheStreet Recommends

Cramer Deciphers QR Codes

Always check the URL on the notification before clicking to be redirected, he recommends.

“If the URL does not look like a trusted source or differs from the known company’s URL, exit out of the notification,” Schless said. “I strongly recommend that you think about QR codes the same way you think about other phishing tactics like email scamming and social engineering.”

Attackers and pranksters have printed counterfeit QR code stickers and put them on top of existing QR codes, Ellis said.

“Having a quick look to see if the QR code looks out of place, seems to be a sticker when it shouldn't be, might help folks avoid risks,” he said.

Avoid These Tasks From a QR Code

QR codes are often used to present information and help consumers avoid typing in long strings of data such as account numbers legitimately. People should “exercise additional caution when being asked for sensitive information like credit card details, passwords and personal identifiable information,” Ellis said.

The FBI warned consumers in January that criminals were using QR codes to steal data, embed malware to gain access to the victim's device and redirect payment for cybercriminal use. Recovering money after it has been transferred can not be guaranteed, the FBI said.

“A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the FBI said. “Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

Consumers should avoid downloading an app from a QR code and instead use the app store for a safer download, the FBI said. Another scam involves receiving an email stating a payment failed from a company where a recent purchase was made. If the company states “you can only complete the payment through a QR code, call the company to verify,” the FBI said.

Sun Hung Kai Properties subsidiary Sanfield Construction monitors the quality of concrete used in the developer's projects using QR codes. Photo: Handout

Avoid downloading QR readers from a QR code because it is often a trick used by scammers “just like getting people to download fake antivirus on their laptops where the download app is actually malware,” Brian Contos, chief security officer of Phosphorus Cybersecurity, a Nashville.-based IoT security company, told TheStreet.

“It's a good practice not to download anything from a QR code scan,” he said. “Be skeptical and don't share sensitive information unless you are sure it's legitimate. A sticker or flier on a light pole should be sounding an alarm in your head. If someone is requesting a payment, on a parking ticket for example, you can trust that there are going to be multiple methods for someone to pay.”

One method that is gaining popularity is using QR codes for parking meters. The bar codes direct users to a website where they can enter their payment information or download an application to pay, Alex Hamerstone, director of advisory solutions at TrustedSec, a Strongsville, Ohio-based ethical hacking and cyber incident response company, told TheStreet.

“A scammer can create a QR code that directs to their scam website that looks authentic, print stickers with that QR code and place the stickers over the legitimate QR code to send users to their scam site and collect their bank and credit card information or other personal data.”