Warnings issued in France over rise in QR code scams: How to protect yourself

Fake links and payment traps are increasingly used to steal data as QR codes become more widespread

These codes can be hijacked by scammers to direct victims to fake sites

Fresh warnings have been issued in France about increasingly sophisticated QR code scams that direct victims to fake websites, trick them into handing over personal data, or prompt malware downloads.

QR codes are now commonplace in daily life, being used on menus, adverts, electric car charging ports, and even on genuine letters from companies and service providers. 

Despite their convenience for accessing information, QR codes can be easily hijacked by fraudsters because of their format, and they remain relatively new compared with traditional text and email phishing scams.

As the codes can be scanned directly by smartphone cameras to lead to a website, they can bypass security measures such as anti-virus software. Warnings were given over the codes in 2024.

Hackers are using the codes to target businesses as well as individuals.

What are QR codes and how do scammers use them?

A QR code is a scannable link that directs a user to a website or online page. It is a black and white square with several smaller squares inside, giving a unique pattern. 

Once the code is scanned by a smartphone camera, it directs users to a website, and replaces the need to manually enter the website URL. 

This makes it easier to turn people towards a certain page or piece of information, and in genuine cases can make life easier for both user and code creator.

First introduced in the 1990s, QR codes surged in popularity during the Covid-19 pandemic as institutions sought touch-free solutions, replacing physical menus, enabling contactless payments, and providing quick access to essential information.

Because they are so commonplace, and a ‘fake’ version cannot immediately be distinguished from a real one, scammers quickly started to use them. 

Fraudsters may place a fake QR code over a legitimate one, redirecting users to a convincing but fraudulent version of the original site. This tactic has been seen at electric car charging points, where scanning the code to pay can instead hand over payment - and full card details - to criminals. 

Similar versions of the scam see fake QR codes asking people to pay for (non-existent) speeding fines, linking to a genuine-looking but ultimately fake version of the ANTAI website where these fines can usually be paid. 

In such cases, scammers send an authentic-looking message to an address – sometimes this itself is obtained through another scam – claiming there is a problem and directing the recipient via a QR code to a payment site. 

It is not only ANTAI that is targeted: fraudsters also mimic banks and other major organisations, both official and private, using letters and fake QR codes to appear legitimate.

Elsewhere, QR codes used to provide general information – such as building rules, transport details or menus – can be hijacked by placing a new code over the original, redirecting users to a website that attempts to install malware or other harmful software on their device.

How to protect yourself? 

The most effective time to protect yourself is not while scanning a QR code, but before or after. Before scanning, check that the code is genuine. Avoid scanning QR codes from unknown sources, and if one appears in a letter, compare it with similar official documents to confirm it is authentic.

As QR codes direct users to a website, it is up to you to check that the site is legitimate. Look for anomalies on the page – such as spelling errors – and check whether the official branding and images you would expect are present. 

Most importantly, check the website URL. While scammers can create highly convincing copies of websites, they cannot use the genuine address and will have to alter it in some way.

For example, most French government websites end in ‘.gouv.fr’ and will not contain spelling errors elsewhere in the address. If in doubt, open a new browser tab, find the organisation’s official website, and check that its URL matches the one reached via the QR code. This approach is also useful for banks and companies that scammers commonly imitate.

These additional checks are especially important if a QR code links to a payment method, as scanning it could result in bank details being handed to scammers.

If in doubt, contact the organisation directly to confirm the information – for example by calling an official telephone number found through a separate online search, not one provided via the QR code. 

Be wary of any pressure to hand over details, as scare and time-pressure tactics are often used, and if the code leads to a service where you have an account, use two-factor authentication to ensure you are logging in securely.
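The URL check described above can be automated, for example in a QR scanner app or a company mail filter. The sketch below is an added example, not code from any organisation named in this article; it assumes `antai.gouv.fr` is the official address being checked, and the sample links are constructed for illustration using reserved example domains.

```python
from urllib.parse import urlsplit


def check_qr_url(scanned_url, official_host):
    """Return reasons to distrust a URL decoded from a QR code ([] if none)."""
    try:
        parts = urlsplit(scanned_url.strip())
    except ValueError:
        return ["URL cannot be parsed"]
    # Compare only the real host, never the whole string: the official name
    # can appear in the path, before an '@', or as a prefix of another domain.
    host = (parts.hostname or "").lower().rstrip(".")
    official = official_host.lower().rstrip(".")
    problems = []
    if parts.scheme != "https":
        problems.append("not an https link")
    if parts.username is not None or parts.password is not None:
        problems.append("text before '@' is not the site address")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("address contains non-ASCII lookalike characters")
    # Exact match, or a subdomain separated by a dot ("fakeantai.gouv.fr" fails).
    if host != official and not host.endswith("." + official):
        problems.append(f"host is {host!r}, expected {official!r}")
    return problems


OFFICIAL_HOST = "antai.gouv.fr"  # assumption: the address the user expects

# Constructed sample links, as a scanner might decode them from a QR code.
SAMPLES = [
    "https://www.antai.gouv.fr/paiement",
    "https://antai.gouv.fr.example.net/paiement",
    "https://antai.gouv.fr@pay.example.net/",
    "https://fakeantai.gouv.fr/",
    "https://antaï.gouv.fr/",
    "http://antai.gouv.fr/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, OFFICIAL_HOST) or "matches")
```
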
