
QR Codes: How Safe are They?

By Matt Lang

Quick Response Codes (QR codes) are increasingly popular, especially since most people no longer need a third-party app to scan them. During the Super Bowl last year, cryptocurrency company Coinbase spent millions of dollars on an ad that simply featured a QR code displayed on the screen. That ad became one of the most talked-about ads from last year’s event. With QR codes popping up more often in more places, it’s worth taking a closer look at the security issues behind these popular codes.

First, we must understand how QR codes work. The simplicity of using these codes drives their popularity. You open up your phone camera, hover over the code, and then watch as an embedded message appears. Most QR codes contain links, but they can contain up to 4,000 characters of any text, including other forms of contact information like phone numbers. In many cases, the user doesn’t know what a QR code will reveal until they hover over it, which makes it an enticing medium for potential cybercriminals.

Below, you will find examples of ways cybercriminals can take advantage of QR codes to trick unsuspecting victims.

  • Placing malicious QR codes on top of pay-to-ride scooters from companies such as Lime and Uber.
  • Taking advantage of expiring domain name registrations. This happened to Heinz during a promotional campaign when a QR code printed on a bottle of ketchup directed unsuspecting victims to a pornographic website instead of the Heinz site as originally intended.
  • Hacking of toll booth QR codes that trick drivers into visiting malicious websites built by criminals to steal payment information.
  • Phishing emails containing QR codes that ask recipients to follow the code to a malicious website.

While we continue to become more resilient to the tactics used to lure us into handing over valuable information, cybercriminals remain keenly aware of new opportunities to set traps that could potentially fool even the most suspicious digital citizen. So, how do you know if a QR code link is suspicious before it’s too late and you have already clicked it? Here are a few tips:

  • Take a close look at any QR code and its surrounding area to see if anything seems suspicious.
  • Preview and examine the URL by hovering over the QR code before following any links.
  • Sometimes bills will have a QR code as an option for paying. Thoroughly check any payment process that asks you to click on a QR code to pay. Find alternative ways to verify authenticity before transferring any money.
  • Beware of flyers that contain QR codes in public places.
  • Exercise extreme caution with any QR codes you find on social media.
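
For staff who review reported QR codes (for example, one taken from a suspicious email or a bill), the "preview and examine the URL" tip can be applied to the decoded text before anyone opens it. The Python below is an added example, not part of the original post; the function name `triage_qr_payload`, the flag names, the choice of checks and the sample payloads are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def triage_qr_payload(text, expected_domains=()):
    """Classify decoded QR text and list reasons to distrust a link before opening it."""
    try:
        parts = urlsplit(text.strip())
    except ValueError:  # raised for a malformed bracketed host
        return {"kind": "text", "host": None, "flags": ["unparseable-url"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can carry any text: phone numbers, email addresses, plain notes.
        kind = {"tel": "phone", "sms": "phone", "mailto": "email"}.get(scheme, "text")
        return {"kind": kind, "host": None, "flags": []}
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if scheme == "http":
        flags.append("no-tls")  # payment or login pages should use HTTPS
    if parts.username or parts.password:
        flags.append("userinfo-in-url")  # text before '@' can mimic a trusted name
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # internationalised name, may be a lookalike
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")  # raw IP address instead of a domain name
    except ValueError:
        pass
    # Compare against the domains the sender is known to use (supplied by the reviewer).
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        flags.append("unexpected-domain")
    return {"kind": "link", "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample payloads using reserved example domains and addresses.
    samples = [
        "https://pay.example.com/bill/1234",
        "http://203.0.113.7/pay",
        "https://pay.example.com@203.0.113.7/invoice",
        "https://example.com.login.test/pay",
        "tel:+12025550100",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s, expected_domains=["example.com"]))
```

An empty flag list only means none of these checks fired; a link on a lapsed and re-registered domain, as in the Heinz case above, would still pass them.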

QR codes offer an easy and fast way to access additional information and resources. However, it is best to exercise the same caution with these codes as you would with any unsolicited or suspicious link. Please be just as skeptical of QR codes as you would a link in an email. Always find an alternative method of verifying authenticity when any sensitive data or payment is requested. Thank you for all that you do to help us keep our institution secure.
