Don't Scan This! How a Simple QR Code Could Hand Hackers Your Bank Details in Seconds

Millions of mobile phone users unknowingly expose their bank details to cybercriminals every time they scan a QR code, as what began as pandemic-era convenience has evolved into sophisticated financial fraud targeting unsuspecting consumers worldwide.

QR codes now dominate life—from contactless pub menus and train station parking payments to museum exhibitions and retail transactions. Yet this digital revolution conceals a sinister reality: criminals are weaponising these seemingly innocent black-and-white squares to harvest sensitive financial data on an unprecedented scale.

The transformation has been startling. What started as a touchless solution during COVID-19 lockdowns has become the gateway for a new breed of cybercrime. Fraudsters create malicious QR codes that mimic legitimate ones, tricking users into disclosing their banking credentials, personal information, and payment details.

Unmasking QR Code Scams: Protect Your Bank Details

However, as these codes grew prevalent in more critical aspects of daily life, such as boarding passes and parking payments, criminals began to exploit their widespread use. 'As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use,' said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.

'Because they are everywhere — from gas pumps and yard signs to television commercials — they're simultaneously useful and dangerous,' Brewer added. According to Brewer, attackers use these symbols to lure people into visiting dangerous websites or unknowingly sharing personal information, a deception now referred to as 'quishing.'

Rising Threats and Deceptive Tactics

The rising number of QR code frauds prompted a warning from the Federal Trade Commission (FTC) earlier this year.

They cautioned about unexpected packages containing QR codes, which, if scanned, could direct you to a phishing website that steals your personal information, such as credit card numbers, usernames, and passwords. It could also download malware onto your phone and give hackers access to your device.'

This summer, alerts about QR code scams have spread across the US, with both the New York Department of Transportation and Hawaii Electric cautioning their customers to avoid these fraudulent schemes.

Cybercriminals are drawn to this scam due to its relative simplicity: they attach a fraudulent QR code sticker to a parking meter or a utility bill payment notice, then depend on the user's urgency to complete the deception.

'The crooks are relying on you being in a hurry and you needing to do something,' explained Gaurav Sharma, a professor in the electrical and computer engineering department at the University of Rochester.

Rising Threat as Traditional Phishing Declines

Sharma anticipates a rise in QR code scams as the use of QR codes expands. Another factor contributing to their increased popularity among scammers is the implementation of more safeguards to curb traditional email phishing attempts.

A recent study by cybersecurity platform KeepNet Labs revealed that 26 per cent of all malicious links are now distributed via QR codes. Cybersecurity firm NordVPN notes that an alarming 73 per cent of Americans scan QR codes without verifying them, and over 26 million have already been directed to malicious websites.

Future-Proofing QR Codes

'The cat and mouse game of security will continue, and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,' Sharma said.

Sharma is currently developing a 'smart' QR code, known as an SDMQR (Self-Authenticating Dual-Modulated QR), which features integrated security to prevent scams. However, he first requires approval from Google and Microsoft, as they develop the camera technology and manage the underlying infrastructure.

He noted that companies embedding their logos into QR codes isn't a solution, as it can create a false sense of security, and criminals can easily replicate the logos.

Public Apprehension

Some Americans are hesitant about the growing dependence on QR codes. 'I'm in my 60s and don't like using QR codes," said Denise Joyal of Cedar Rapids, Iowa.

'I worry about security issues. I dislike it when one is forced to use a QR code to participate in a promotion with no alternative way to connect. I don't use them for entertainment-type information.'

Institutions are also striving to strengthen their QR codes against unauthorised access. Natalie Piggush, a spokeswoman for the Children's Museum of Indianapolis, which attracts over a million visitors annually, mentioned that their IT department began upgrading their QR codes a couple of years ago to guard against what has become an increasingly significant threat.

Museum Fortifies Defences

'At the museum, we use stylised QR codes with our logo and colours as opposed to the standard monochrome codes. We also detail what users can expect to see when scanning one of our QR codes, and we regularly inspect our existing QR codes for tampering or for out-of-place codes,' Piggush said.

Museums are typically less vulnerable than places like train stations or car parks because scammers aim to collect money from people who are expecting to make a payment. A museum visitor is less likely to anticipate paying, although Sharma noted that even in such environments, fake QR codes can be deployed to install malicious software on a phone.

QR code scams pose an increasing threat to users of both Apple and Android devices. However, iPhone owners might be slightly more susceptible, mainly due to their higher inherent trust in their devices.

A study by Malwarebytes revealed that 70% of iPhone users have utilised QR codes for purchases, compared to 63% of Android users. This often leads iPhone users to take fewer precautions, such as using antivirus tools, as they assume their devices inherently protect them.

Stealthy and Potent Threat

Experts caution that QR codes are easily manipulated to conceal malicious links, frequently by replacing genuine codes on posters or documents.

State-sponsored groups have even employed these scams to compromise military messaging applications and disseminate remote access trojans (RATs). As QR codes seamlessly integrate into daily life, they present a distinct, yet highly effective, low-effort danger – one that cybercriminals are keen to exploit.