When you travel, scanning a QR code has become a routine gesture… one that delights cybercriminals. According to a recent report from the antivirus company McAfee, 62% of travelers take risks by scanning QR codes in train stations, airports, hotels, or restaurants. But the danger does not come from the code itself. Explanations.
For Nacho González, a QR code expert, tourists are particularly vulnerable. “They scan codes they do not know, in places they are discovering, often in a hurry and with an unstable Internet connection”, he told Travel Leisure on Wednesday, July 1. He adds that “the danger begins when the page asks for permissions, personal data, a payment, a connection or the installation of an application”.
Fake QR codes affixed to real ones
The most common fraud is known as “quishing”, or QR code phishing. The principle is simple. Scammers place a fake QR code over a genuine one, for example on a parking meter, a bike rental stand, a restaurant table or the counter of a hotel. That code redirects travelers to a counterfeit site to harvest their credentials, their banking details, or to install malware on their smartphone. And the trap closes around them.
“The situation becomes risky when three conditions come together: the code is displayed in a public place without surveillance, it has been sent to you by SMS, email, or a flyer without your having requested it, and/or it urges you to make a payment or verification in a hurry”, adds Harry Maugans, cybersecurity expert and CEO of Privacy Bee.
Techniques to avoid falling for it
Experts recommend taking a few seconds before scanning a code. It is advised to check that it is not a sticker placed over an original surface, with possible raised edges, to inspect the print quality and layout, and to seek confirmation from staff if in doubt. It is also best to use directly the camera on your phone to display the site address before opening it.
“Read the web address and verify the absence of spelling mistakes, shortened links masking the final URL, or sites using the HTTP protocol instead of HTTPS, and make sure the full URL matches the real name of the company”, suggests Nacho González. A menu, a hotel registration page or a payment service will never ask for your password or your full card number.
If a traveler suspects they have been trapped, the recommended course of action is to immediately stop browsing, disconnect from public Wi‑Fi, and avoid downloading anything. Experts then advise promptly changing passwords for sensitive accounts, informing their bank if a payment was made, and monitoring transactions for several days.
