ITS advice on QR code scams


The following information has been provided by USC IT Services (ITS) to help you keep USC’s information safe — as well as your own.

Quick Response (QR) codes have become a go-to staple for contactless transactions during the pandemic. Companies use QR codes to point consumers to their apps, track packages, or view menus.

Matrix bar codes and QR codes are easily tampered with and can be used to disguise malicious links or direct victims to malicious sites, where cybercriminals can steal data and money and drop malware.

Here’s what you need to be aware of to ensure you’re not a victim.

How QR code scams work

You receive an email, direct message on social media, text message, flyer, or piece of mail that includes a QR code. You are supposed to scan the code with your phone’s camera to open a link. In some scams, the QR code takes you to a phishing website, where you are prompted to enter your personal information or login credentials, which can be easily stolen. Other times, scammers use QR codes to automatically launch payment apps or direct you to a malicious social media account.

How to avoid QR code scams

  • If someone you know sends you a QR code, confirm it is legitimate before scanning it. Whether you receive a text message from a friend or a message on social media from your workmate, contact that person directly before you scan the QR code to make sure they haven’t been hacked.
  • Don’t open links from strangers. If you receive an unsolicited message from a stranger, don’t scan the QR code, even if they promise you exciting gifts or investment opportunities.
  • Verify the source. If a QR code appears to come from a reputable source, it’s wise to double-check the source. If the correspondence appears to come from a government agency, call the agency or visit its official website to confirm.
  • Be wary of short links. If a URL-shortened link appears when you scan a QR code, understand that you can’t know where the code is directing you. It could be hiding a malicious URL.
  • Double-check the URL. Make sure the URL of the site pulled up with a QR code is legitimate. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Watch out for advertising materials that have been tampered with. Some scammers attempt to mislead consumers by altering legitimate business ads, such as placing stickers over the QR code. Keep an eye out for signs of tampering.
  • Don’t download apps from a QR code. Instead, download apps from the application store, which has more security protections.
  • Do not download a QR code scanner app. QR code scanner apps increase your risk of downloading malware onto your device. Use a built-in scanner through the camera app instead.
  • Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned link before you open it. They can identify phishing scams, forced app downloads, and other dangerous links.
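
The short-link, look-alike URL, and app-launch checks from the list above can be automated on the text decoded from a QR code. The following is an added example, not ITS code; the shortener list, the expected domain example.edu, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a small sample of shortener hosts and a
# constructed placeholder for the domain the reader expects to land on.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
EXPECTED_DOMAINS = {"example.edu"}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive last-two-labels split; a production check would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def triage(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Anything that is not a web link may open an app (for example a payment app).
        return [f"non-web scheme '{scheme}': may launch an app instead of a page"]
    warnings = []
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    if host in SHORTENERS:
        warnings.append("shortened link: destination is hidden")
    if domain not in EXPECTED_DOMAINS:
        # A domain one or two edits away from an expected one suggests a typo-style look-alike.
        near = [d for d in EXPECTED_DOMAINS if edit_distance(domain, d) <= 2]
        if near:
            warnings.append(f"'{domain}' is a near miss of '{near[0]}'")
    return warnings
```

An empty list means none of these three checks fired; it does not mean the destination is safe.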

For more security tips and resources offered by the USC Office of the Chief Information Security Officer, refer to the Trojan Secure website.