Fake Google Pay QR codes designed to transfer money from victims to scammers are increasingly being used in fraud schemes. Scammers often trick victims into scanning these codes under the pretense that they will receive money, not realizing that the action actually initiates a withdrawal from their account.
In the crypto space, scammers also use this codes to redirect users to malicious websites that harvest personal wallet information or trick users into granting permissions to harmful smart contracts.
How the QR Code Scam Works
This scam exploits simple human errors and a lack of understanding of how QR-code payments function.
The “Receiving Payment” Trick
Scammers frequently claim that a QR code must be scanned to receive money, such as payment for an item sold online.
In reality, scanning the QR code generates an outgoing payment request. Once the victim approves the request and enters a PIN, money or cryptocurrency is transferred from the victim’s wallet to the scammer’s. Legitimate payments never require scanning a QR code to receive funds.
Fake Login Pages
In some cases, the QR code redirects users to a fraudulent website designed to imitate a legitimate crypto exchange or wallet service. Victims are then tricked into entering sensitive information such as passwords, private keys, or recovery phrases. Scammers use this information to gain access to and drain the victim’s real account.
Hidden Token Permissions
More advanced scams use QR codes to trigger requests for token approvals or unlimited spending permissions. By approving these prompts, users unknowingly grant scammers ongoing control over their tokens, allowing transfers without further consent.
Malicious Software Installation
Although less common, some QR codes can initiate the installation of malware on a device. This malware may collect sensitive data stored on the phone, further exposing victims to financial loss and privacy breaches.
Ways to Protect Yourself from the QR Code Scam
Don’t Scan QR Codes to Receive Funds: Remember the golden rule—QR codes are used to initiate actions or send funds, not to receive money.
Check the Source: Be cautious of QR codes sent via unknown emails, text messages, or social media platforms, even if they appear to come from a friend or a well-known organization.
Verify the URL:
If a link appears after scanning a QR code, carefully inspect the URL for spelling errors or inconsistencies. Legitimate websites use secure connections that begin with “https://”.
Stick to Official Platforms: Access your bank or crypto accounts only through their official apps or by manually typing the website address into your browser, rather than using QR-code links.
Question Unrealistic Promises: Offers that promise guaranteed profits or free money in exchange for scanning a code are major red flags.
Enable Two-Factor Authentication: Turn on 2FA for all accounts to add an extra layer of protection, even if your login details are compromised.
Act Quickly if You’re Targeted: If you believe you’ve been scammed, immediately contact your bank, payment app, or crypto exchange and report the incident to the appropriate authorities.
