6 best practices to mitigate risks of QRC fraud

Quick response codes (QRC) have been around for some time now, but since the pandemic began, QRC use has grown in both good and bad ways. Because of their contactless and mobile-first nature, we see them popping up everywhere—from restaurant menus to packaging labels, boarding passes to parking meters, business cards to discount codes, payments and elsewhere. An efficient tool that helps bridge the gap between digital and physical experiences, QRC payments alone are expected to hit $2.7 trillion globally by 2025.

As with all things digital, QRCs are susceptible to fraud and manipulation, opening a new Pandora’s box for cybercrime. The FBI is now warning of increasing malicious activity surrounding these black-and-white square barcodes.


Scanning a QRC is quick, and the scan itself is never flagged by security software. Most users are not aware that a single scan can trigger unexpected actions: taking the user to a malicious website where they may be prompted to download a file or an app, initiating a phone call, making a payment, collecting personal and device information, revealing the user’s location, connecting to a Wi-Fi network, posting a tweet, or following a social media account. All of these are possibilities when a QRC is scanned.

What’s worse, a majority of users cannot identify a malicious QRC but still consider it a safe mechanism for financial transactions.

QRCs are highly versatile. A number of our customers have identified and reported phishing scams associated with these barcodes. Reports include the use of fraudulent QRCs on pay and park stations; phishing emails containing QRCs offering access to missed voicemails; phishing emails attempting to steal banking credentials; and the hacking of Office 365 accounts. There have even been examples of fraudulent student loan letters directing users to malicious websites and scams involving cryptocurrency ATMs and fake bitcoin QR generators.


As with phishing and social engineering scams, organizations should ensure their users are aware of and alert to potential QRC scams. Organizations can adopt these best practices to minimize the damage:

1. Train users to think before they scan.

It’s crucial that users undergo regular security awareness training and simulation tests to stay updated on the latest phishing scams and techniques. Teach users to be cautious of emails that contain QRCs and to verify their legitimacy. Train users to check the authenticity of URLs (especially shortened ones) before proceeding, to read the phone’s prompt indicating what action a QRC will perform, and to avoid entering credentials after a QRC scan.

2. Update policies and procedures.

Employee anti-phishing policies should provide clear guidelines on how to deal with QRCs and highlight personal responsibility in keeping the organization safe from cyber threats. Users should understand that when malicious QRCs are brought into a corporate environment via mobile devices, they have the ability to compromise the organization’s network and data.

3. Encourage users to use password managers and QRC scanner apps.

When an employee scans a malicious QRC and is directed to a fraudulent website, a password manager will not recognize the fake URL as the legitimate site and so will not auto-fill the password. This serves as an additional layer of security. A good QR scanner app can also display and verify the URL before the user is taken to the site.

4. Use multi-factor authentication.

Applying multi-factor authentication to user accounts can help provide an additional layer of security and protect credentials from being stolen during a QRC scam.

5. Set up alerts with banks and credit cards.

Financial theft is the typical endgame of a QRC scam. Setting up transaction alerts with your bank and credit cards is another layer of defense that organizations can put in place to protect themselves from financial fraud and identity theft.

6. Leverage a zero-trust approach.

Zero-trust technology limits the access employees and devices have to the network, data, and resources. This significantly reduces the attack surface and the potential damage a malicious QRC can inflict.
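Items 1 and 3 above both come down to the same control: show the user what a scanned code will do, and surface the warning signs, before anything is opened. The following is an added example (not code from the original article or from KnowBe4) of that "preview before acting" step, written against the text a scanner app has already decoded from a QR code. The payload strings, the list of shortener hosts and the credential-parameter names are constructed assumptions, not data from the article.

```python
"""Triage a decoded QR-code payload before acting on it.

Added example, not from the original article: given the text a scanner app
decoded from a QR code, classify the device action it would trigger and list
the warning signs a user should see before tapping "open". The sample
payloads, the shortener host list and the credential-parameter names are
constructed assumptions for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed (non-exhaustive) list of well-known link-shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Query-parameter names that suggest a link carries or asks for credentials (assumed).
CREDENTIAL_PARAMS = {"user", "username", "email", "login", "password", "pass", "token", "otp"}

# Non-URL QR payload schemes and the device action each one triggers.
ACTION_SCHEMES = {
    "tel": "initiate a phone call",
    "sms": "send an SMS",
    "smsto": "send an SMS",
    "mailto": "compose an email",
    "wifi": "join a Wi-Fi network",
    "bitcoin": "open a cryptocurrency payment",
    "geo": "open a map location",
}


def triage_qr_payload(payload: str) -> dict:
    """Return {'action': str, 'target': str, 'warnings': [str]} for a decoded payload."""
    text = payload.strip()
    warnings = []
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()

    if sep and scheme in ACTION_SCHEMES:
        # e.g. WIFI:T:WPA;S:ssid;P:secret;; or tel:+1555... are executed by the
        # phone rather than browsed, so the action itself must be confirmed.
        return {
            "action": ACTION_SCHEMES[scheme],
            "target": rest,
            "warnings": ["non-browser action; confirm before allowing it"],
        }

    if scheme not in ("http", "https"):
        return {"action": "unknown payload", "target": text,
                "warnings": ["unrecognised scheme; do not act on it"]}

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("plain HTTP: anything entered can be read in transit")
    if host in SHORTENER_HOSTS:
        warnings.append("shortened URL: final destination is hidden until followed")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: may imitate a familiar domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if parts.username or parts.password:
        warnings.append("credentials embedded in URL")
    if {k.lower() for k in parse_qs(parts.query)} & CREDENTIAL_PARAMS:
        warnings.append("URL carries credential-like parameters")
    return {"action": "open website", "target": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads a scanner might decode.
    for sample in (
        "https://www.example.com/menu",
        "https://bit.ly/3abcdef",
        "http://192.168.1.5/login?user=bob",
        "WIFI:T:WPA;S:guest;P:secret;;",
        "tel:+15550100",
    ):
        result = triage_qr_payload(sample)
        print(f"{sample}\n  action: {result['action']}  target: {result['target']}")
        for w in result["warnings"]:
            print(f"  warning: {w}")
```

The point of the design is that the user sees the decoded action and target as plain text, together with any warnings, before the phone opens a browser, dialer or Wi-Fi prompt; a scanner app that jumps straight to the destination gives the user nothing to check.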

Remember that awareness and education are critical when it comes to QRC security. Teaching users to be mindful and vigilant whenever payments, credentials, or personal details are involved can significantly reduce business risk and greatly bolster the overall security posture of the organization.

Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.
