How to Avoid Fake QR Code Scams in 2024

Think QR codes are always safe? Think again. With QR codes becoming more popular after COVID-19 for payments and logins, cybercriminals have stepped up their game, perfecting the use of fake QR codes through a tactic called quishing.

Want to know how to prevent quishing? Keep reading to learn more.

Key Takeaways

  • Quishing uses fake QR codes to trick people into visiting dangerous websites designed to steal things like passwords or bank details.
  • Quishing attacks are on the rise, jumping from 0.8% of email phishing attacks in 2021 to 10.8% in Q1 2024.
  • Big names like HSBC, Santander, and the U.S. Federal Trade Commission have recently raised alarms about quishing scams. These scams are tricky because they often slip past regular email security.
  • One example is the Microsoft Sway scam, where fake QR codes led to stolen login details.
  • Safety tips include using QR code scanners that show where the link will take you before opening it and educating yourself and your team.

Understanding Fake QR Code Attacks

Quishing, or QR code phishing, is a growing problem as scammers find new ways to trick people. Fake QR codes are now so common that major banks like HSBC and Santander, along with the U.S. Federal Trade Commission, have raised alarms about quishing scams. These scams often manage to sneak past regular email security, making them especially tricky to detect.

Let’s look at two major examples of QR code scams to understand how sneaky and dangerous these attacks can be — and why it’s so important to stay alert and cautious.

Case 1: Microsoft Sway Quishing Scam (August 2024)

In this quishing campaign, attackers used Microsoft Sway, a popular tool for creating newsletters and presentations, to host fake pages with fake QR codes.

How it worked: 

  • The fake pages looked like they were part of Microsoft, which made it easier for people to trust them.
  • People were asked to scan a fake QR code to log into their accounts.
  • Scanning the code led users to a fake login page that stole their usernames and passwords.

This attack targeted the technology, finance, and manufacturing sectors in particular. By using Microsoft’s trusted platform, attackers tricked people into thinking they were on a secure site.

Case 2: Quishing 2.0 Using SharePoint (September 2024)

In this more advanced quishing attack, cybercriminals used multiple trusted services to hide their scam.

How it worked: 

  • Victims received an email with a fake QR code, supposedly from a trusted business.
  • Scanning the code led to a real QR scanning site, which added to the scam’s credibility.
  • Next, people were redirected to a SharePoint page, where they saw what looked like a safe file.
  • Clicking the file opened a fake Microsoft login page designed to capture usernames and passwords.

These cases show how easily QR code scams can look real, making it crucial to stay cautious with any QR code that arrives unexpectedly.

Quishing Statistics 2024

Quishing has become a major cyber threat in recent years.

According to quishing statistics from the Egress Phishing Threat Trends Report, hackers are using fake QR codes to trick people by taking advantage of how trusted QR codes have become in everyday life.

The data shows a clear rise in fake QR code phishing over just a few years:

  • 2021: Only 0.8% of email phishing attacks used QR codes.
  • 2022: This went up slightly to 1.4%.
  • 2023: A huge jump to 12.4%.
  • Q1 2024: Attacks with fake QR codes totaled 10.8% of all email phishing attacks – which can only mean that the percentage will be much higher by the end of the year.

These quishing statistics highlight how quickly hackers have adopted this tactic to carry out more fake QR code scams.

Egress predicts that quishing will remain a threat until companies strengthen their security to catch fake QR codes and the public is more aware of the risks.

When organizations can better spot these scams, quishing statistics might decrease as hackers move on to new methods.

For now, however, it’s clear that fake QR codes are an easy way for hackers to carry out scams, reminding everyone to stay alert and cautious.

How to Prevent Quishing

Knowing how to prevent quishing can help you stay safe from these tricky scams. Here are some practical steps to avoid falling victim to quishing attacks:

Educate Yourself & Your Team

One of the best ways to protect against quishing scams is by learning the warning signs. For both employees and customers, understanding what quishing attacks look like can make a big difference.

Watch out for unexpected QR codes in emails or texts, especially from unknown senders.

Use QR Code Scanners That Show the Link First

To safely scan QR codes, consider using a QR code app that previews the link before it opens. This way, you can check if the website looks legitimate before visiting it.

This tip is especially useful on mobile devices, where QR codes are often scanned.
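As an added example (not code from Techopedia or from any scanner app), here is a sketch of the checks a link-preview step can run on a decoded QR payload, and of why, as in the SharePoint case above, the verdict should depend on where a sequence of pages ends rather than on its first hop. The trusted host list, the function names, and the sample chain are assumptions made for illustration; the hops are taken as already recorded, for example by a scanner or mail gateway that resolves redirects.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy value for this example: hosts where sign-in is expected.
TRUSTED_HOSTS = {"login.example.com"}

def preview(payload):
    """Summarise a decoded QR payload the way a link-preview scanner should."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:                      # e.g. malformed IPv6 literal
        return {"scheme": "", "host": "", "flags": ["unparseable"]}
    scheme, flags = parts.scheme.lower(), []
    if scheme not in ("http", "https"):
        flags.append("non-web-scheme")      # wifi:, tel:, plain text, ...
    elif scheme == "http":
        flags.append("no-tls")
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")     # text before '@' is not the site
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("idn-host")            # show punycode, not the rendering
    return {"scheme": scheme, "host": host, "flags": flags}

def assess_chain(hops, trusted=TRUSTED_HOSTS):
    """Judge a redirect chain by where it ends, not by its first hop."""
    views = [preview(h) for h in hops]
    reasons = [f"hop{i}:{f}" for i, v in enumerate(views) for f in v["flags"]]
    final_host = views[-1]["host"]
    if final_host not in trusted:           # exact match, never substring
        reasons.append("final-host-not-trusted")
    return {"final_host": final_host,
            "verdict": "hold" if reasons else "open",
            "reasons": reasons}

# Constructed sample chain (reserved example domains, not real campaign data).
SAMPLE_CHAIN = [
    "https://qr-scan.example/r?id=1",
    "https://files.example/shared/doc",
    "https://login.example.com.account-verify.example/signin",
]

if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN))
    print(assess_chain(["https://login.example.com/signin"]))
```

The sample chain is held even though every hop uses HTTPS and the final host contains the trusted name, because the comparison is against the exact host the preview displays.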

Create a QR Code Policy at Work

Companies can make quishing scams less likely by creating policies for safe QR code use.

For example, only allow QR codes from trusted sources and train employees to avoid scanning codes in unverified emails.

This can lower the risk of a quishing attack impacting your business.

By following these steps, you can greatly reduce the risk of falling for a quishing scam and keep your information secure.

The Bottom Line

Quishing is a devious phishing trick, where scammers use fake QR codes to steal your sensitive info.

Quishing attacks are rapidly increasing, with hackers slipping fake QR codes into emails, posters, and even trusted platforms like Microsoft SharePoint.

Staying protected means learning to recognize these scams, using QR code scanners to preview links, and always double-checking unexpected codes.


Maria Webb
Tech Journalist

Maria has more than five years of experience as a technology journalist and a strong interest in AI and machine learning. She excels at data-driven journalism, making complex topics accessible and engaging for her audience. Her work has been featured in Techopedia, Business2Community, and Eurostat, where she provides creative technical writing. She obtained an Honors Bachelor of Arts in English and Master of Science in Strategic Management and Digital Marketing from the University of Malta. Maria's experience includes working in journalism for Newsbook.com.mt, which covers a variety of topics, including local events and international technology trends.