They seem to be everywhere lately. Small scannable boxes, called Quick Response (QR) codes, are popping up on signs, restaurant menus, print ads, flyers, product packaging and lots of other marketing pieces you see on a daily basis.
A QR code is a type of barcode that you scan with your phone’s camera or a downloadable QR code reader app. Once scanned, your phone opens whatever the code encodes: a webpage containing that menu, a link to a website, or even a video with more information about the product in question. QR codes originated in factories in the 1990s and made a comeback during the pandemic, as people became more conscious of hand hygiene and touchless technology gained ground.
There is nothing inherently risky about scanning a QR code when you can verify that it comes from a legitimate and safe source. However, making that determination can be tricky. Like any other link you click on, a QR code can be the first step in a malware or phishing attack. Scammers can embed a malicious URL into a QR code that, when scanned, delivers malware capable of extracting data from the mobile device. It is also possible to embed a URL that directs to a phishing site, where unsuspecting users could disclose personal or financial information.
Because humans cannot read a QR code the way we can read a web link, it is easy for attackers to alter a code to point to a different site without being detected. While many people know that QR codes can open a URL, fewer are aware of the other actions a QR code can initiate on a device. This element of surprise makes QR code security threats especially problematic.
A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page, leading to device compromise or a spoofed login page to steal user credentials.
Tips for using QR codes safely:
- Stick to QR codes from trusted sources, like your favorite restaurant or your bank. If you see a lone QR code sticker at a bus stop or in a bathroom stall, or one in an unsolicited email, do not scan it.
- Even when scanning QR codes from trusted sources, do a quick check for signs of tampering: does it look like someone has stuck something over it? Does it look like a legitimate, original advertisement?
- Beware of “quishing.” In this type of attack, a hacker places a QR code inside an email designed to trick its recipients into opening a malicious link or attachment. Be just as cautious scanning a QR code as you would be with clicking an unknown web link.
- Be careful about downloading a QR reader app; some have been known to spread malware. Your phone’s built-in camera works just fine. You may need to turn on the QR reader option in your camera settings for it to work automatically. Your phone’s camera will also display the full website address it is linking you to before it takes you to the site.
- Verify that the company and the URL match: the address your camera shows before opening should belong to the organization you expect.
- When in doubt, don’t scan the code. There should always be another way to get the information you need.
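As an added example (not from the original article), here is a small Python check that applies the last two tips to a payload decoded from a QR code: it reports what kind of action the code would trigger (URL, Wi-Fi join, phone call, SMS, email) and, for URLs, whether the parsed hostname actually belongs to the organization you expect. The sample payloads and the examplebank.test domain are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample payloads, as a phone camera or scanner app would decode
# them from a QR image (the image decoding step itself is not shown here).
SAMPLE_PAYLOADS = [
    "https://www.examplebank.test/login",
    "https://www.examplebank.test.evil-domain.test/login",
    "https://examplebank.test@evil-domain.test/login",
    "http://examplebank.test/menu",
    "WIFI:T:WPA;S:FreeCafe;P:secret;;",
    "tel:+15555550100",
    "mailto:help@examplebank.test",
]

# Non-URL payload prefixes that a scanner app may act on directly.
ACTION_PREFIXES = (("wifi:", "wifi-join"), ("tel:", "phone-call"), ("sms:", "sms"),
                   ("smsto:", "sms"), ("mailto:", "email"), ("geo:", "location"))

def classify_payload(payload: str) -> str:
    """Return the kind of action a scanner would take for this payload."""
    lower = payload.strip().lower()
    if lower.startswith(("http://", "https://")):
        return "url"
    for prefix, kind in ACTION_PREFIXES:
        if lower.startswith(prefix):
            return kind
    return "text"

def host_matches(url: str, expected_domain: str) -> bool:
    """True only if the parsed hostname is expected_domain or a subdomain of it,
    so 'user@evil' tricks and 'expected.test.evil.test' hostnames do not pass."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)

def assess(payload: str, expected_domain: str) -> dict:
    """Summarize what the payload would do and whether it is safe to follow."""
    kind = classify_payload(payload)
    result = {"kind": kind, "https": False, "domain_ok": False, "safe": False}
    if kind == "url":
        url = payload.strip()
        result["https"] = url.lower().startswith("https://")
        result["domain_ok"] = host_matches(url, expected_domain)
        result["safe"] = result["https"] and result["domain_ok"]
    # Anything else (joining Wi-Fi, dialing, texting) stays flagged for review.
    return result

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(p, "->", assess(p, "examplebank.test"))
```

Only a plain HTTPS link whose real hostname is the expected domain (or one of its subdomains) is reported as safe; everything else is left for the person to look at before acting.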