PETALING JAYA: The next time you scan a quick response (QR) code when paying for food or other items, beware that it could have been pasted over the original by a scammer.

An e-security report by CyberSecurity Malaysia, the national cyber security specialist agency under the Communications and Digital Ministry, said last year that 648 malicious codes were reported in the country between January and November 2021.

“This was an increase of 9.3% from 593 cases reported in 2020,” said its spokesman.

Internet security company Kaspersky Southeast Asia general manager Yeo Siang Tiong said overall from June to August this year, his company detected 8,878 phishing emails containing fake QR codes.

“Such activities peaked in June with 5,063 emails. Some cyber criminals send emails allegedly from delivery companies and ask victims to pay Customs duties by scanning a QR code, purportedly to allow delivery of the items.

“Many of them were scam messages in the likeness of emails sent from genuine delivery companies. However, the QR code redirected victims to a fake bank card data entry page.”

He said aside from the financial losses suffered by the victims, cyber criminals also focus on identity theft as well as spread malware to the devices of the victims and their contacts.

He said this could lead to valuable information, such as bank and credit card details, being stolen and misused.

“Cyber criminals bait unsuspecting people to scan QR codes by making them believe they have received an email from the authorities about payments, summonses or compounds.”

Yeo said small businesses are more vulnerable to phishing and fake QR code scams due to their lack of financial resources and manpower to prevent cyber threats.

“Generally, consumers are the target of QR code scams, but employees can also be tricked so that cyber criminals can break into the network of an enterprise.”

To ensure the QR codes presented are not malicious, Yeo and his experts at Kaspersky suggest people install a QR scanner code app that will display the destination of the code.

The company also advised the public not to scan QR codes from obviously suspicious sources, be wary of shortened links of websites and conduct quick physical checks to ensure the original QR code has not been pasted over.

However, Yeo said advancements such as embedding a unique watermark into the QR code have been made to thwart cyber criminals.

“The government is also actively addressing fake QR codes and other scam-related incidents through the National Scam Response Centre (NSRC), a fact-checking website called and Semak Mule under the police Commercial Crime Investigation Department.”

Yeo said as more businesses are focusing on digital payments, public awareness and education about cyber threats and the risks associated with them are crucial to prevent the proliferation of such scams.

A waiter at a cafe here, who asked to be known only as Jacob, said his employer often came across fake QR codes being pasted over the cafe’s original ones.

“We put QR codes on the tables for customers to scan and place orders. Lately, we have been getting complaints that our QR codes are taking customers to websites that are not even closely related to our webpage.

“When we checked the QR codes on our tables, we noticed that fake ones were pasted over our originals.”

Jacob said the issue has been cropping up at the cafe almost every week since July when it implemented the QR code for placing orders.

“It does not help that we don’t know who is placing these fake QR codes at our cafe since it could be our customers doing so during peak hours when we are busy.

“We filed a complaint through the NSRC and it said it will look into the matter. However, as of now, there has not been any feedback, so it is up to us to be very careful.”