QR codes: what are the security implications?

But as QR codes grow in popularity, so do the security risks. It’s important to understand these risks and what you can do to avoid them, so you’re prepared the next time you encounter one in the wild.

Why QR codes are on the rise

QR codes were first invented in 1994 for tracking automotive parts during manufacturing, and slowly began to spread into parts of everyday life. In China, contactless payments driven by QR codes have been the norm for a long time, with many businesses not even accepting credit cards or cash. However, the QR code initially struggled to gain traction in the Western market.

But when the pandemic hit in 2020, there was a clear benefit to touchless technology. Suddenly it wasn’t just an option, but the preferred choice for consumers. This shift towards a more contactless experience helped accelerate the adoption of QR codes in regions where it had previously been lagging.

QR codes have made everyday life more convenient – from ordering food and drinks at a restaurant, to finding out nutritional information on labels at the grocery store. Heck, they’re even used on the web to set up two-factor authentication (2FA). That’s why, even as pandemic restrictions ease in the West, QR codes have stuck around, and are unlikely to disappear completely.

How criminals use QR codes for scams

The rising popularity of QR codes has made them an increasingly attractive target for criminals. The biggest risk with using these codes is that you can never be sure where they link to until you’ve already scanned it. Scammers are counting on people to blindly use a QR code without thinking of the risks or consequences.

For example, a Coinbase Superbowl ad consisted of just a QR code bouncing around the TV screen with no context or branding. That ad generated enough traffic to crash their website during the one-minute ad spot. This means enough people whipped out their phones and scanned a QR code they knew nothing about to crash Coinbase’s website. Thankfully, Coinbase is a legitimate company, and their QR code linked to their website – but what if it didn’t?

Another way criminals take advantage is by physically sticking a new QR code over the top of an existing one. Paying your bill or parking meter with a QR code sounds convenient, but if it’s in a public space, you should be mindful that a criminal could have tampered with it. A replaced QR code could intercept payments, or even copy your card details so a criminal can use them at a later time. It might even direct you to an entirely new website that automatically downloads malware onto your device.

Most people don’t realize that QR codes can do more than just link to a website. They can:

• Download apps or malware
• Share your physical location
• Trigger a phone call which shares your caller ID information
• Create a preloaded text message, which will share information with an unknown number if you hit send
• Add contacts to your phone made to look like credit card companies, priming you for a social engineering scam

Many of these options have useful applications – but like anything, they can be co-opted by criminals.

How you can protect yourself

Fortunately, there are ways to protect yourself while using QR codes. Below are a few steps you can take to reduce the risk, while still enjoying the conveniences that QR codes offer.

• Only scan QR codes from sources you trust.
• Make sure the website a QR code sends you to is the website you intended to visit before entering any personal information.
• Don’t sacrifice security for convenience. If you’re unsure about the QR code, take the time to search for the right link elsewhere.
• Turn on automatic updates for your phone. Most QR codes are accessed via mobile, so it’s important to keep your phone security up to date.
• If a QR code looks like it’s been tampered with, don’t scan it.
• Use a password manager like 1Password. 1Password only suggests autofilling your login information on the verified website you saved with your item.

QR codes are great for saving time, and are sometimes the best way to share information. But just like the web, you need to use your best judgment to stay safe and protect your personal information. So next time you see a QR code in the wild, make sure you pause and assess potential risks before you scan it.

Stacey Harris

Content Marketing Manager