QR codes: be careful of links in disguise

QR codes have become an increasingly common sight since the beginning of the pandemic—they are a useful ‘no physical contact’ method of doing almost anything:

  • Buying groceries
  • Checking in at locations
  • Ordering food at a restaurant
  • Making payments and using discount vouchers
  • Downloading apps
  • Providing additional information about an item or a location, potentially in a variety of languages too
  • Replacing hotel in-room magazines
  • Verification of documents such as tickets
  • Tracking products and packages
  • And so on.

There are increasingly creative ways of using QR codes, and most provide a useful and efficient way of helping us complete our intended tasks.

However, they can also be misused.

In the same way that criminals use disguised links in emails to lead people to malicious sites, to steal their personal information or to cause them to download malware, QR codes can be used to steal your data, redirect your payments, or install malware on your devices.

Most QR codes are completely legitimate, and very useful. However, we should be careful about which QR codes we scan and what we do if we do scan one. It’s probably not a good idea to scan a random QR code on a sticker on your local postbox, or to automatically click through to the destination URL—you might not like where you end up.

Tips on protecting yourself from malicious QR codes

Earlier this year, the FBI issued an alert through its Internet Crime Complaint Center (IC3), “Cybercriminals Tampering with QR Codes to Steal Victim Funds”, with advice on how to protect yourself from malicious QR codes.

  1. Don’t scan random QR codes from unknown sources.
  2. Check the URL displayed before clicking on it. Most phones now have a built-in scanner in their camera app.
  3. Be extra careful about entering any personal or financial information, or any passwords, into a website reached via a QR code.
  4. If the QR code is physical, make sure it’s not been tampered with (for instance, with a sticker placed over the top of the original one).
  5. Use your phone’s app store to locate an app, rather than go via a QR code.
  6. Avoid making payments through a site reached via a QR code – instead, type in a known and trusted URL.
  7. If you get an email stating that a payment failed and that you must complete the payment through a QR code, be suspicious. Contact the company direct, using information on their website rather than any information in the email.
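
Tips 2 and 6 can also be applied in software, for instance by a scanner app or kiosk that decodes QR codes on a user's behalf. The following is an added example, not taken from the FBI alert or the original article: it compares the link decoded from a QR code with the domain you expected to reach. The function name, warning labels and sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def check_qr_url(payload, trusted_domain):
    """Return a list of warnings for a URL decoded from a QR code.

    An empty list means the link uses HTTPS and its host is trusted_domain
    or a subdomain of it. The warning labels are invented for this example.
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable"]

    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    # Text before "@" is login information, not the destination: the real
    # host is whatever follows it, however trustworthy the first part looks.
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    if not host:
        return warnings + ["no-host"]
    # Internationalised names can imitate familiar ones; flag them for review.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        warnings.append("idn-label")
    # Match on the END of the host name: "trusted.example.other.example"
    # belongs to other.example, not to trusted.example.
    trusted = trusted_domain.lower().rstrip(".")
    if host != trusted and not host.endswith("." + trusted):
        warnings.append("host-mismatch")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads; parking.example.com stands in for the
    # site you expected the QR code to lead to.
    samples = [
        "https://parking.example.com/pay?bay=12",
        "https://parking.example.com@203.0.113.9/pay",
        "https://parking.example.com.pay-now.example.net/",
        "http://parking.example.com/pay",
    ]
    for url in samples:
        print(url, "->", check_qr_url(url, "parking.example.com") or "ok")
```

Any warning means the link should not be opened automatically; typing the known address by hand, as tip 6 advises, avoids the problem altogether.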
