QR codes (quick-response codes) were originally designed to label automobile parts, but today, we can find them in advertisements, restaurants, museums, mobile ticketing, and many other areas. Since both Androids and iPhones can scan QR codes in the camera app, QR codes provide faster access to a website than manually entering a URL. While convenient, the technology lacks security.
Just like how links in an email can be malicious, QR codes can be malicious. QR codes were designed to be scanned, not read, so you will not know its content until you scan it. This makes the technology vulnerable to malicious redirects.
What to watch out for
QR codes phishing
As seen in some scam of the month articles, QR codes can be embedded in an email as part of a larger social engineering attack. Normally, URL scanning tools – like Safe Links – help protect the WashU community from visiting malicious links; however, QR codes are scanned with smartphone camera apps that are not monitored by Safe Links. Phishing attackers take advantage of this fact and use malicious QR codes to get around standard email protections.
QR codes in public places
Criminals can replace legitimate QR codes with their own malicious ones. In 2022, police discovered “a number of stickers with illicit codes appearing on parking meters on parking meters” in several US cities. If you inadvertently enter your credit card into a malicious site, file a police report and contact your credit card company to reverse any payments.
How to protect yourself
Consider not scanning where possible
You should never scan a QR code if you are not sure of the source. If a stranger tells you to scan a QR code – whether in an email, letter, flyer, text, or any message – exercise caution and consider using a different method to reach their information.
Look at its surroundings
Does the context of the QR code appear legitimate? Criminals can exploit our curiosity and place a malicious QR code in busy areas without any information around it. Beware of any QR code in a public place. If it seems out of place, it is likely malicious.
Preview the URL with your smartphone’s default camera app
Whenever you scan a QR code with the camera app on your smartphone, a pop-up will tell you the URL. If the URL looks strange, you might want to stay away. Some bad actors will try to convince victims to use a malicious scanner, so stick with the default camera app.
For more information on phishing attacks, please visit our phishing page.