Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×
Search
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

Beware of Fake QR Code Scams

Scanning is convenient, but it’s also risky. Learn how to protect yourself


spinner image a qr code with a pixelated red skull and crossbones in the middle
Photo Collage: AARP (Source: GettyImages)

QR codes, those black-and-white squares you can scan with your phone, have become ubiquitous. Display a QR — “quick response” — code on your phone, and it can serve as your ticket for an airline flight or sporting event. Scan a code to see a menu or learn when the next bus is due.

QR codes increasingly used in ads make it easy to access a website. They’re on product labels and business cards. Scanning a code might lead you to a page with more information or a coupon. It also could lead you to malware.

Using a QR code could allow a criminal to direct you to a fraudulent domain where they try to steal your money or grab your personal and financial data or login credentials.

How scams work

QR codes have been around since the ’90s. They became more prevalent with the use of smart phones and really took off during the pandemic, when restaurants and other businesses embraced contactless technology, says Jennifer Pitt, senior analyst at Javelin, a research and advisory firm.

QR codes can make reaching a website hassle-free. The problem is the naked eye can’t detect which codes are genuine and which are the work of scammers. QR codes can be created quickly and are cheap to distribute. “It’s ridiculously easy,” Pitt says, and that makes them an effective tool for criminals. 

Common fake QR scams

Tampering with legitimate codes. Criminals may create a QR code and print it on stickers they will plaster anywhere. “They’d put a sticker over a legitimate QR code on the parking meter, and you’ll be sending the money to them,” says Steve Weisman, a law professor at Bentley University in Waltham, Massachusetts, and editor of Scamicide.com.

Printing fake QR codes on flyers. Restaurants often use QR codes instead of menus, and criminals may scatter their own QR codes there, at other businesses or public places, hoping you’ll go to their impostor site.

Including fake QR codes in emails or texts. Criminals include a code for you to click on in the body of a message. This is the most common QR scam, according to Weisman. “We’ve seen it with tech support … they (try to) get personal information or a payment,” he says. Scammers pretend to be a business, such as your bank or Netflix, and tell you there’s a problem with your account and you must act immediately. They give you a QR code purportedly to access the business they’re impersonating. Since QR codes displayed on your phone serve as admission to sporting events and concert venues, criminals may sell you phony sports or concert tickets.

Printing and mailing. Scammers may send you a letter through the Postal Service with a QR code offering loan forgiveness, demanding you pay a bill or offering big discounts.

spinner image cartoon of a woman holding a megaphone

Have you seen this scam?

  • Call the AARP Fraud Watch Network Helpline at 877-908-3360 or report it with the AARP Scam Tracking Map.  
  • Get Watchdog Alerts for tips on avoiding such scams.

How to protect yourself from QR code scams

Consider the source. If you want to scan a QR code in a magazine article from a publisher you’re familiar with or on the website of a company you do business with, “I think they are generally safe,” says Kathy Stokes, director of fraud prevention at the AARP Fraud Watch Network. “Those found in the real world — restaurants, flyers and the like — are easily manipulated to send you to a nefarious website.”

Use a search engine, not a QR code. If a restaurant wants Pitt to use a QR code to read the menu, “I take out my phone, and I go to that restaurant’s website myself,” she says. Stokes agrees: “When in doubt, opt for another means of engaging with the content.”

Check for stickers. Even if the QR code is displayed in a secure environment, such as a business or bank, you need to make sure that no one has tampered with the genuine code by placing a sticker over it, Weisman says.

Verify senders. If you’ve been sent a QR code to use, locate the phone number for the business from a trusted site. “You have to confirm they’re legitimate. People, unfortunately, have to get into that habit,” Weisman says. Even if you think the message came from a friend or family member, call and ask if they sent it and whether they verified that the QR code is safe to scan, Pitt says.

Update your phone’s OS. The Federal Trade Commission (FTC) recommends you keep your phone’s operating system up-to-date and set up strong passwords and multifactor authentication. 

Add protection to your device. Consider antivirus software.

Video: 3 Things to Never Do With a QR Code

Where to report problems

File a complaint online to the FTC, which has information on fake QR codes.

You can also report scams to the FBI’s Internet Crime Complaint Center (IC3).

Call the free AARP Fraud Watch Network Helpline, 877-908-3360, to speak with trained specialists who can provide support and guidance on what to do next and how to avoid scams. The AARP Fraud Watch Network also offers online group support sessions.

Editor’s note: This story has been rewritten with new interviews and advice.

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member?