The Risks of Scanning QR Codes
Today’s fast-paced digital lifestyle has made the use of QR codes commonplace. From restaurant ordering and event tickets to contactless payments, the little square codes can provide a practical way to quickly access information. Although convenient, they also present significant cyber risks that everyone should be aware of.
What is a QR code?
Quick Response (QR) codes are two-dimensional barcodes that can be scanned using a smartphone or other device’s camera. QR codes can store a range of data, including webpage addresses and contact information. When scanned, the QR code directs the user to that information almost instantaneously.
The rising popularity of QR codes
The use of QR codes surged during the COVID-19 pandemic, as businesses sought contactless ways to interact with their customers. Since then, their use in everyday scenarios has become routine for most – but has also caught the attention of cybercriminals. As with any technology, the trust people have in QR code usage can be exploited for malicious purposes.
What are the cyber risks?
There are a number of ways that QR codes can be leveraged to manipulate a trusting user.
- Fake QR codes: Cybercriminals will create their own QR codes and place them over legitimate ones to redirect traffic. For example, a fake QR code could be placed over a restaurant’s menu QR code or an advertising poster, which will redirect the user to something harmful instead of the intended target.
- Phishing attacks: As QR codes are used to direct users to information, they can also be used to redirect users to malicious websites designed to steal personal information. Often mimicking legitimate websites, they might prompt users to enter sensitive data such as usernames, passwords, personally identifiable information or financial credentials.
- Distribution of malware: Scanning a QR code can also initiate the download of malware onto your device. This can result in various harmful actions, such as tracking your activities, stealing data, or even taking control of your device.
- Location tracking: Some QR codes can contain URLs that track your location when scanned. This is particularly concerning if your location data is being harvested without your consent and used for harmful purposes.
- Financial fraud: Payment QR codes can be tampered with to redirect payments to an illegitimate account. Unsuspecting users may think they are paying their intended vendor, but their money is being siphoned off by cybercriminals.
Protecting yourself from QR code scams
While QR code scams can be sophisticated in nature, the steps to protect yourself are simple:
- Validate the source. If you can’t be sure of the source, don’t trust the QR code. In particular, be cautious of codes found in public places or received from unknown contacts. If in doubt, manually navigate via the trusted public website, or contact the business/vendor.
- Check for fake QR codes. If the QR code you’re looking to scan is in a public place, check that the original QR code hasn’t been tampered with, and that another one hasn’t been stuck on top.
- Consider using a QR scanner with security features. There are some dedicated QR scanner apps available that have inbuilt security features that detect malicious links or warn you about potential threats, such as the Trend Micro QR Scanner.
- Actively check the URL. After scanning a QR code to load a webpage, carefully review the URL preview before going to it. Look for any irregularities or suspicious domains that don’t match your expected or trusted source.
- Always keep your device secure. Ensure your device’s operating system and apps are up to date and have the latest security patches applied. Use antivirus software and a VPN when browsing to increase your protection.
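The "Actively check the URL" step above, written out as an added example (not part of the original article): a Python function that takes the text decoded from a QR code and lists the irregularities worth noticing before opening it. The function name, the expected-domain set and the sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def review_qr_url(payload: str, expected_domains: set) -> list:
    """Return warnings for the text decoded from a QR code (empty list = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["link is malformed"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("connection is not encrypted (http)")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the site; the real host comes after it")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return warnings + ["link has no host name"]
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a name")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible lookalike characters)")
    # Match on a dot boundary so 'trusted.test.other.example' does not pass as 'trusted.test'.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append(f"host '{host}' is not an expected domain")
    return warnings

if __name__ == "__main__":
    expected = {"example-restaurant.test"}  # constructed: the venue's known site
    samples = [  # constructed QR payloads
        "https://menu.example-restaurant.test/table/4",
        "http://203.0.113.7/menu",
        "https://example-restaurant.test@login.example/",
        "https://example-restaurant.test.orders.example/pay",
    ]
    for s in samples:
        print(s, "->", review_qr_url(s, expected) or "nothing flagged")
```

An empty result only means none of these checks fired; it does not confirm the destination is trustworthy.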
QR codes are a powerful tool for quickly accessing information, but their accessibility can be a double-edged sword. By staying informed and taking precautions, you can enjoy the convenience of QR codes while minimising your exposure to potential threats.
MyEmpire Group helps educate teams and businesses about cyber risks. To learn more about security awareness training as part of your cybersecurity strategy, reach out to our team of specialists.