Think before you scan a QR code
With COVID-19 check-ins, we have all become accustomed to the 2D barcodes known as QR codes, but you really should think before you scan one, as it may take your device to a website that is not safe. The Quick Response code is easy to read with the camera on the mobile devices that everyone carries, but there is no way to know what a QR code will do until you activate it.
A QR code can contain a lot of information, and its design means it can be read from any angle, including reversed (such as the back view when it is in a window). That information can be a website address, but it can also be formatted text or even instructions to perform actions – such as adding a contact or even writing an email.
There are two major risks when it comes to QR codes – the first is that a genuine QR code can be covered up with a new code, and the second is that the QR code could lead to a destination or action that the user did not want.
Taking a user to a malicious website, particularly if it has been spoofed to look like an official website, is nothing new – hackers and devious operators have been using URL shorteners and redirects for many years to hide the full website address of the malicious site. Printing a new QR code and sticking it over an existing code from a trusted location is the next step.
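The payload types and the hidden-destination problem described above can be checked before anything is opened. The following is an added example, not part of the original article: it takes the text a QR decoder returns and reports what the device would be asked to do and why the destination deserves a second look. The `triage` function, the shortener list and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short, illustrative list of well-known shortener hosts (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# De-facto payload prefixes that make a scanner offer an action rather than show text.
ACTION_PREFIXES = {
    "mailto:": "compose email", "matmsg:": "compose email",
    "begin:vcard": "add contact", "mecard:": "add contact",
    "tel:": "dial number", "sms:": "compose SMS", "smsto:": "compose SMS",
    "wifi:": "join Wi-Fi network", "geo:": "open map location",
}

def triage(payload):
    """Return (action, warnings) for a decoded QR payload string."""
    text = payload.strip()
    lowered = text.lower()
    for prefix, action in ACTION_PREFIXES.items():
        if lowered.startswith(prefix):
            return action, ["triggers a device action; confirm before accepting"]
    if not lowered.startswith(("http://", "https://")):
        return "show text", []
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "open website: (unparseable)", ["malformed URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    if parts.username is not None:
        warnings.append("text before '@' is not the host; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    return "open website: " + host, warnings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://bit.ly/3abcXYZ",
    "http://checkin.example.org/venue/42",
    "https://health.example.gov@checkin.example.net/form",
    "mailto:someone@example.com?subject=Hello",
    "WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", triage(sample))
```

A clean result here only means none of these checks fired; it says nothing about whether the site behind the address is trustworthy.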
Malicious QR codes can also be placed in locations where curious users will scan them, not knowing that their phone will be taken to a website that they would never normally visit – this is happening particularly with graffiti and flyers for conspiracy groups and political activists.
Scanning QR codes has now become a cultural norm, and many people do it blindly, as they have done with terms and conditions for years, but we all need to be a bit more cautious with our use of QR codes.