The Cybersecurity Council of the UAE has issued a warning regarding a rise in a type of scam in which fraudsters and cybercriminals exploit QR codes (Quick Response Codes) in public places to steal personal and financial information. These codes are being used to direct unsuspecting users to suspicious websites, often under the guise of legitimate services.

The Council urged the public to be cautious of QR code stickers found in public areas and advised users not to scan them without first verifying their authenticity. Warning signs may include multiple layers of stickers in the same location or being redirected to a suspicious website that requests personal data or contains spelling errors.

The Council noted that cybercriminals are placing fake QR code stickers on signposts or informational boards in public spaces, intending to lure victims and steal their personal and banking information by redirecting them to malicious sites capable of compromising their devices and accounts.

QR codes in public spaces are commonly used for marketing and digital service access, enhancing user experience and enabling instant interaction. However, this convenience comes with significant cybersecurity risks for inattentive users, as these codes may redirect them to phishing websites designed for identity theft or malware distribution.

Dr Mohamed Al Kuwaiti, Head of the UAE Cybersecurity Council, emphasised that scammers may use QR codes to install ‘redirect links’ that lead users to fraudulent websites designed to steal information or execute online scams. He pointed out that while technological advancement brings numerous benefits, it also introduces several risks.

Dr Al Kuwaiti explained that scammers exploit public QR codes by replacing original codes with counterfeit ones. When scanned, these codes may lead to websites that request sensitive financial and personal data or download malicious software, including ransomware or password-stealing tools. In many cases, users are redirected to fake websites that mimic banks or official institutions to harvest banking details.

How to detect QR Code fraud

When it comes to identifying fake QR codes, Dr. Al Kuwaiti advised to:

• Ensure the code is placed in a trusted location.
• Always verify the link before opening it, particularly if it does not begin with “https.”
• Use reputable link-checking apps.
• Enable protective features on your phone.
• Avoid scanning codes from unknown sources.

In the event of falling victim to such a scam, he recommended the following actions:

• Immediately contact your bank to freeze any registered cards.
• Scan your device using reliable antivirus software.
• Change all passwords.
• Report the incident to relevant authorities.

Dr Al Kuwaiti also stressed the importance of public awareness as a key factor in minimising harm and ensuring safe use of QR code technology.

He explained that the Council is working to secure the UAE’s cyberspace and create a safe digital environment. This is being done in collaboration with key partners to protect national cybersecurity, government entities, digital assets, and critical infrastructure. The Council also ensures a secure digital ecosystem for citizens, residents, companies, and institutions by developing and updating necessary legislation and proactively monitoring emerging cyber threats.

Enhancing protection methods

To combat evolving cyber threats, the Council is cooperating with all digital service providers to:

• Secure QR code usage.
• Enforce strict security standards.
• Conduct awareness campaigns that educate the public on cyber threats and safe practices.

Furthermore, the Council continuously monitors cyber activity and proactively responds to threats in collaboration with various partners. Ongoing initiatives include strengthening digital infrastructure, training cybersecurity professionals, and encouraging international cooperation to share intelligence on cross-border threats, thereby fostering a safer and more trustworthy digital environment.

Public Transport Scenario: A commuter waiting at a bus station sees a QR code labelled “Scan to check the route.” Assuming it relates to the bus schedule, they scan it only to be redirected to a suspicious site requesting personal and bank account details under the pretense of logging in. Realising the potential scam, the user exits the site immediately. Notably, Dubai’s Roads and Transport Authority has repeatedly warned residents about this type of QR Code scams.

Public Park Scenario: While visiting a public park with family, a person notices QR code stickers and assumes they offer park-related information. Upon scanning, they are redirected to a fake website asking for a photo of their bank card in exchange for purchasing certain items, along with other personal data.