Skip to main content
Find a DoctorGet Care Now
Skip to main content
Search icon magnifying glass







QR Codes the Target of Latest Scam

First there was phishing, the practice of sending fraudulent communications that appear to come from a reputable source.

While usually associated with email, phishing can also use text messages (smishing) and QR (quick response) codes (quishing). Quishing has gained popularity as legitimate businesses increasingly use QR codes. April Lewis, security analyst, Office of Information Security, Yale New Haven Health, explained how scammers use QR codes to steal personal information and how to avoid falling into the trap.

With phishing, scammers entice a person to click a legitimate-looking link in an email that is actually malicious. That link sends the victim to a site designed to dupe them into entering some type of personal information.

“Quishing works the same way, with the criminals using a dubious QR code,” Lewis said. “When users scan this code with their mobile devices they’re directed to a site controlled by the criminals. They try to trick people into handing over personal information. The goal is the same as email phishing; the criminals are just using a different method.”

She added that today’s scammers can create websites that look nearly identical to genuine sites from companies such as Google, Amazon and Bank of America. When the victim enters their login credentials into the false site, they’re giving the scammers everything they need to access their accounts on the real site.

Lewis stressed that quishing is particularly dangerous because it’s easy to create a custom QR code using generators that can produce a code in seconds for free. Everything from professional posters for major banks to homemade flyers stapled to utility poles can be subject to the quishing scam, according to Lewis. However, there are ways to protect yourself.

“Think before you take out your phone to scan a code,” she said. “Be cautious of QR codes you find in unexpected places. Verify links and look for misspellings in those links. Don’t scan QR codes you receive through unsolicited emails, texts or junk mail and use multi-factor authentication on all your accounts.

“QR codes are not inherently bad,” she added. “Unfortunately, some people have intercepted their legitimate use in their efforts to scam consumers.”