The Rise and Risk of QR Codes
A Background on QR Codes
Around 2012, the concept of QR codes came about. The ability to create a simple image and paste it onto a piece of marketing, packaging, etc. excited marketers. However, the codes were truly only exciting to marketers; not many people were interested in downloading an app to scan a code on their food product just to be brought to a landing page about that product.
Then came 2022: the age of no contact has brought about a huge rise in the use of QR codes. Whether it is for viewing a menu at your favorite restaurant, contactless payments, or touch-less shopping, chances are you’ve seen a QR code in the last month, if not the last week.
QR Code Publicity
There’s been a surge of viral QR code publicity stunts lately. Famously, Coinbase, a cryptocurrency trading company, sponsored a 30-second ad during the Super Bowl which simply contained a floating QR code and no other context. The result? Coinbase’s promo page received nearly 20 million visits from viewers who had no idea what website they were visiting. Similarly, drones have been used to form LED-lit QR codes in the sky for everything from advertising new TV shows to April Fools’ jokes.
While these examples demonstrate massive viral events, you may have noticed QR codes creeping into your daily life via more innocuous means. How many restaurants lately have ditched physical menus for a QR code (often just taped to a table) linking to a digital copy? How many consumer products include a QR code on the outside of the packaging?
With the rise in popularity of commercial QR codes have come criminals, who have increasingly begun exploiting them. The original code can be modified, re-printed, and pasted in place, where an unsuspecting victim snaps it thinking they’re opening the menu at their favorite restaurant. Instead, all sorts of nefarious things can take place before the victim is finally redirected to the original code’s actual destination.
One snap, and you might be giving a criminal full access to your information, credentials, and even bank accounts.
In time, exploitation of these codes will become a larger and larger issue, and companies will be forced to design more security guarantees around them.
Navigating QR Codes Safely
For now, the FBI advises the following tips when scanning QR codes:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
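The first tip (check that the URL is the intended site and not a near-miss spelling) can also be applied automatically wherever scanned links are handled, such as a kiosk app or a mail filter. The sketch below is an added example, not part of the original article or the FBI guidance; the host names and the `check_qr_url` helper are hypothetical, and the allowlist is constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts a hypothetical venue really publishes in its codes.
EXPECTED_HOSTS = {"bistro.example", "pay.bistro.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot hosts one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload: str, expected=EXPECTED_HOSTS) -> str:
    """Classify a decoded QR payload as 'ok', 'lookalike' or 'unexpected'."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "unexpected"      # malformed URL
    if parts.scheme != "https" or not host:
        return "unexpected"      # not an HTTPS link at all
    if parts.username is not None:
        return "unexpected"      # "trusted-name@other-host" userinfo in the link
    if host in expected:
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"       # punycode label: may render as a homoglyph
    for good in expected:
        # Typo or misplaced letter, or the trusted name used as a subdomain prefix
        if edit_distance(host, good) <= 2 or host.startswith(good + "."):
            return "lookalike"
    return "unexpected"

if __name__ == "__main__":
    for url in ("https://bistro.example/menu", "https://bistr0.example/menu"):
        print(url, "->", check_qr_url(url))
```

Anything other than `ok` should be shown to the user with the full host name rather than opened directly.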
The only way to truly secure against QR code abuse is to just not use them, if possible.
Many companies use these codes as a convenient link to something readily and publicly accessible on their websites. A quick Google search of the company’s name will typically yield a website with the menu or product manual, without the fear that you’re scanning a tampered code.