Beware of QR-Code Scams

By Chapin Mower on March 31, 2022

Of all the Super Bowl commercials that aired this past February, there was one that captured my attention from the start. If you recall, the only way to know which company was behind the commercial involved pulling out a phone and using the phone’s camera to scan the QR-code that was bouncing around the screen for 30 seconds. QR-codes are, in essence, a direct link to a website or an application for your phone. And until I read this article from the Wall Street Journal last week, I never hesitated to scan any and all QR-codes, mostly out of pure curiosity. But now? Let’s just say I prefer using traditional menus to pulling out my phone to scan a code.

By now, most of you are probably aware of the term “Phishing.” For those who don’t know, phishing is a type of social engineering attack that is used by hackers to steal user data, including login credentials and credit card numbers. Historically, the most common form of phishing has been via email. A hacker will send you an email posing as someone else (maybe a friend, family member or a business inquiry) with the goal of tricking you into clicking the link provided in the email. Now, QR-codes can be, and are being, used as a tool by hackers to trick people into scanning their code and visiting a malicious link.

“When they’re malicious, QR-code scams are essentially a new form of phishing attack, where scammers direct victims to a bogus website, and proceed to ask for personal information.  Most smart phones ‘just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is,’ says Justin Fier, director of cybersecurity and analytics at cybersecurity firm Darktrace.”[1]

For example, back in December, hackers placed QR-code stickers on parking meters in major Texas cities, directing drivers to a fraudulent website where they supposedly could pay for parking. As a result, many people were tricked into entering their credit-card information and unknowingly became victims of fraudulent charges and stolen information. In addition to stealing credit card information, hackers may also install malware to gain access to victims’ devices in perpetuity.

Now, the good news is that these kinds of attacks are more advanced, harder to pull off, and create a lot more work for hackers than your standard email/text phishing attack. And there are ways to protect yourself from a QR-code scam. For starters, when in doubt, go old school. Meaning, enter the website address manually if/when a QR-code seems fishy or untrustworthy. Legitimate QR-codes are not stickers that someone just added onto something (like a parking meter). If you happen to scan a QR-code, check the domain that pops up on most smartphones before proceeding. In the example of the parking meter in Texas, the domain should have been a municipal website, and anything other than that should have raised a red flag.
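The domain check described above, written out as an added example that is not part of the original post: it parses the link a QR-code decodes to and accepts it only when the host is the expected domain or a subdomain of it, which also shows two ways a link can display a trusted name without belonging to it. The domain names are constructed placeholders, not the sites from the Texas incident.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the domain the payment page should be on.
EXPECTED_DOMAINS = {"parking.city.example"}


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a link decoded from a QR-code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host in URL"
    # Anything before '@' is login info, not the site being visited.
    if parts.username is not None:
        return False, "name before '@' is not the site; real host is " + host
    for domain in expected:
        # Match the whole name or a '.'-separated subdomain, so that
        # 'evilparking.city.example' does not pass as 'parking.city.example'.
        if host == domain or host.endswith("." + domain):
            return True, "host matches " + domain
    return False, "unexpected host: " + host


# Constructed sample links, as a scanner might decode them from a sticker.
SAMPLES = [
    "https://parking.city.example/pay?zone=12",          # expected site
    "https://parking.city.example.pay-now.example/",     # trusted name used as a prefix
    "https://parking.city.example@pay-now.example/pay",  # trusted name before '@'
    "http://parking.city.example/pay",                   # right name, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_qr_url(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

The domain that matters is the end of the host name, read right to left up to the first slash, not whichever familiar name appears first in the link.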

Lastly, if you do fall for a phishing or QR-code trap, do not panic or beat yourself up. First, take a deep breath. Use this as a good opportunity to update your password, notify your bank and our team, and monitor your credit card charges. Remember, we’re only one phone call or one email away from assuring you that the assets you trust us with are safe. That’s HMA!


[1] https://www.wsj.com/articles/beware-of-qr-code-scams-11647625020


Hummer Mower Associates is a group comprised of investment professionals registered with Hightower Advisors, LLC, an SEC registered investment adviser. Some investment professionals may also be registered with Hightower Securities, LLC (member FINRA and SIPC). Advisory services are offered through Hightower Advisors, LLC. Securities are offered through Hightower Securities, LLC.

This is not an offer to buy or sell securities, nor should anything contained herein be construed as a recommendation or advice of any kind. Consult with an appropriately credentialed professional before making any financial, investment, tax or legal decision. No investment process is free of risk, and there is no guarantee that any investment process or investment opportunities will be profitable or suitable for all investors. Past performance is neither indicative nor a guarantee of future results. You cannot invest directly in an index.

These materials were created for informational purposes only; the opinions and positions stated are those of the author(s) and are not necessarily the official opinion or position of Hightower Advisors, LLC or its affiliates (“Hightower”). Any examples used are for illustrative purposes only and based on generic assumptions. All data or other information referenced is from sources believed to be reliable but not independently verified. Information provided is as of the date referenced and is subject to change without notice. Hightower assumes no liability for any action made or taken in reliance on or relating in any way to this information. Hightower makes no representations or warranties, express or implied, as to the accuracy or completeness of the information, for statements or errors or omissions, or results obtained from the use of this information. References to any person, organization, or the inclusion of external hyperlinks does not constitute endorsement (or guarantee of accuracy or safety) by Hightower of any such person, organization or linked website or the information, products or services contained therein.
