To scan or not to scan: The shady side of QR codes
As some people find new ways to use QR codes to streamline our daily lives, others find new ways to exploit QR codes for their own nefarious gain. From counterfeit URLs to QRLjacking, explore the shady side of QR codes so you can protect yourself in the future.
Are QR codes safe?
QR code technology itself is safe and secure. However, criminals find ways to exploit how individuals and businesses use QR codes.
When you scan a QR code with your phone, the QR reader within your phone identifies the code and directs you to the website URL, PDF file, video, etc. It's like typing a URL into a browser or clicking on a link, without all the extra steps. The QR code itself doesn’t collect any personal data or live-track you. The basic technology is very secure, but that doesn’t stop hackers from taking advantage of QR codes in phishing schemes and more.
QR codes weren’t originally intended for such widespread use
Engineer Masahiro Hara originally developed QR codes to speed up production in the auto-manufacturing industry. Before QR codes, the industry used UPC bar codes to organize and communicate data about auto parts, but production slowed because they needed up to 10 bar codes on a single auto part to convey enough information. Additionally, UPC codes could only be scanned from one angle—a problem when auto parts differ so drastically in size and shape. Hara designed QR codes as a “quick response” code to relay more information faster.
He envisioned the whole auto industry using this code beyond just his company, but he never imagined so many individuals and small businesses using his invention throughout the world. Years later, Hara expressed a sense of fright and responsibility for the way hackers use his invention to take advantage of others and suggested QR codes need some sort of revamp to be safer in the modern world.
Security risks of QR codes
You can boil QR code security risks down to two basic categories: counterfeit QR codes and QR code hacking.
Counterfeit QR codes
Because QR codes open links right away, hackers find ways to replace good QR codes with counterfeit ones that send people to different websites. This allows hackers to collect personal information. As more people use QR codes to speed up payment, hackers find more ways to send payment to their own accounts.
Hackers can physically replace a QR code in a public space with a different QR code. They can also send out emails with a false message like, “your credit card information is out of date, scan the QR code to renew your autopay.”
QR code hijacking
Hackers take advantage of flaws to send users to the wrong location and collect data. When companies and organizations don’t follow QR code best practices, such as generating a new QR code each time someone logs in, malicious people can exploit this vulnerability to send victims to a phishing site instead.
Criminals seek out sites that require a QR code to log in so they can use a popular technique called QRLjacking. QRLjacking happens when a QR code is used as a one-time password: an attacker clones the QR code and sends the user to a phishing site.
For example, in 2015, Heinz ketchup launched a campaign where users scanned a QR code that sent them to a website allowing them to customize their own ketchup bottles. However, Heinz didn’t renew the domain for that website, and a hacker bought the domain to redirect users to inappropriate websites instead.
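The best practice mentioned above, generating a new QR code each time someone logs in, can be sketched on the server side as follows. This is an added example, not code from the original article; the class name, the 30-second lifetime and the login.example.test URL are assumptions chosen for illustration.

```python
import secrets
import time


class QRLoginTokens:
    """Issues one fresh, single-use, short-lived token per login attempt."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds      # assumed lifetime of a displayed code
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # token -> (browser_session_id, expiry)

    def issue(self, browser_session_id):
        # A new code for a session kills any older code for that session.
        for tok, (sid, _) in list(self._pending.items()):
            if sid == browser_session_id:
                del self._pending[tok]
        token = secrets.token_urlsafe(32)   # unguessable, never reused
        self._pending[token] = (browser_session_id, self.clock() + self.ttl)
        return token

    def qr_payload(self, token):
        # Placeholder URL; this string is what gets encoded into the QR image.
        return f"https://login.example.test/qr?t={token}"

    def redeem(self, token):
        """Return (browser_session_id or None, reason)."""
        entry = self._pending.pop(token, None)   # pop makes it single-use
        if entry is None:
            return None, "unknown_or_already_used"
        sid, expiry = entry
        if self.clock() > expiry:
            return None, "expired"
        return sid, "ok"


def demo():
    """Constructed walk-through with a fake clock; returns the four outcomes."""
    now = [0.0]
    store = QRLoginTokens(ttl_seconds=30, clock=lambda: now[0])
    first = store.issue("browser-A")
    second = store.issue("browser-A")          # page refreshed: first is dead
    results = [store.redeem(first)[1], store.redeem(second)[1]]
    results.append(store.redeem(second)[1])    # same code presented again
    third = store.issue("browser-A")
    now[0] += 31                               # code left on screen too long
    results.append(store.redeem(third)[1])
    return results
```

A code copied from the screen is only useful until it is redeemed once, replaced by a newer code, or 30 seconds old, whichever comes first.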
How to avoid QR code security risks
You can still use QR codes while keeping your private information secure. When creating a QR code, use a trusted QR code generator. Don’t share your personal information on sites opened with QR code shortcuts unless you fully trust the source. Check for suspicious elements on the QR code itself, like misspellings or the wrong logo. Also, don’t download a special QR code scanning app to your phone, because your phone already has that technology. Finally, verify the URL. When you scan a QR code, your phone shows the link to the site you’re about to visit. Before clicking on it, verify it looks legitimate and safe.
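The "verify the URL" step can also be automated, for example in a scanner app or a mail filter that has already decoded the QR code to a link. The following is an added example, not part of the original article; the function name, the specific checks and the example.test domains are assumptions, and the sample links are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def review_qr_url(url, expected_domain):
    """Return the reasons a decoded QR link deserves a second look."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username or parts.password:
        # Text before '@' is not the site; the real host comes after it.
        findings.append("credentials before the host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a name")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (possible look-alike characters)")

    # The expected brand must be the END of the host, not merely appear in it.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host!r} is not {expected!r} or a subdomain")
    return findings


# Constructed sample links, as if decoded from QR codes on a poster or email.
SAMPLES = [
    "https://shop.example.test/menu",
    "http://example.test.pay-update.example/renew",
    "https://example.test@198.51.100.7/pay",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", review_qr_url(link, "example.test") or "no findings")
```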
As always, get trusted antivirus software and family safety apps to detect malware for a frontline defense against phishing schemes and viruses. With a little more information in your back pocket about how QR codes work, you can now enjoy their convenience and reduce potential security risks.