QR Codes and Your Security – Are They Safe?

If you've been out to a restaurant recently, then you’ve most likely scanned a QR code to view a digital menu instead of being handed a physical menu. You probably didn’t give a second thought to what actually happens when you scan a QR code. A key point to remember is that, with the increased usage of QR codes, they do have the potential to become a digital security risk.

What is a QR Code?

The term stands for Quick Response code, a machine-readable code consisting of an array of black and white dots in a square-shaped grid that prompts a specific action once scanned by a camera. These days, the majority of QR codes are scanned with a smartphone camera, and most smartphone manufacturers are adding a QR code scanning feature to their native camera apps. QR codes are versatile and can store many different types of data. The information stored in a QR code is usually a URL, but lots of things can be stored in a QR code, from contact and calendar data to email addresses, phone numbers, plain text and geolocation.

QR Code Security

A recent study found 71% of respondents cannot distinguish between a legitimate and malicious QR code, 51% of respondents have privacy, security, financial or other concerns about using QR codes, but still use them anyway, and lastly, 34% have no concerns about using QR codes.

Cybercriminals are capitalizing on security gaps by targeting mobile devices with sophisticated attacks. Mobile devices are particularly attractive targets because it is easy to embed a malicious URL that contains custom malware into a QR code, which could then access data on a mobile device when scanned.

QR codes are growing in popularity and convenience, especially as more restaurants and retailers embrace them as a contactless alternative. Here are some risks associated with QR codes, as well as some ways to use them safely.

QR Code Security Risks

  1. Malicious codes – You scan what looks like a safe QR code, and it leads you to an infected website which could trigger a malicious download. Depending on your operating system and the QR code reader app itself, you may not have an opportunity to inspect the proposed action, and you may click without realizing the potential vulnerability or considering the risks.

  2. Phishing – A hacker can use a QR code to lead you to a phishing site to steal your credentials or to gain access to private information on your phone. Phishing websites can be very hard to detect. They can use a Uniform Resource Locator (URL) that looks similar to that of a trusted website, or can simply change the domain extension from .com to something different like .net.

  3. Fake QR Code – Cybercriminals can place a fake QR code over a legitimate one. Do not scan a QR code that has been printed on a label and applied on top of another QR code. Before scanning, check with the business to verify that the labeled QR code is legitimate. They may have simply updated their original code but you want to be sure before scanning.

How to Safely Use QR Codes

  1. If someone you know sends you a QR code, confirm with them before scanning it. Whether you receive a text message from a friend or a message on social media from a coworker, call that person directly before you scan the QR code to make sure they haven’t been hacked. If the source of the QR code seems unknown or unfamiliar, don’t scan it.

  2. If, after scanning a QR code, a password or login information is requested, be very suspicious. Do not provide passwords or login information. This can be a phishing attempt to trick you into divulging personal information.

  3. Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned link before you open it. They can identify phishing scams, forced app downloads and other dangerous links.
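The kind of pre-open check such a scanner can run, shown as an added example that is not part of the original article: it classifies the decoded payload into the data types listed earlier, then flags the look-alike and changed-extension domains described under Phishing. The TRUSTED list, the sample domains, the 0.8 similarity threshold and all function names are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

TRUSTED = {"examplebank.com"}  # assumption: sites the user expects (constructed)

PREFIXES = (("http://", "url"), ("https://", "url"), ("mailto:", "email"),
            ("tel:", "phone"), ("geo:", "geolocation"),
            ("begin:vcard", "contact"), ("begin:vevent", "calendar"),
            ("begin:vcalendar", "calendar"))

def payload_kind(text):
    """Classify a decoded QR payload by its prefix, before acting on it."""
    low = text.strip().lower()
    for prefix, kind in PREFIXES:
        if low.startswith(prefix):
            return kind
    return "text"

def site(host):
    # Simplification: keep the last two labels. A production check would
    # use the Public Suffix List to find the registrable domain.
    return ".".join(host.split(".")[-2:])

def url_warnings(url, trusted=TRUSTED):
    """Return reasons to distrust a scanned link; an empty list means none."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    dom = site(host)
    if dom in trusted:
        return []
    warnings = ["domain not on trusted list"]
    name = dom.split(".")[0]
    for good in sorted(trusted):
        good_name = good.split(".")[0]
        if name == good_name:
            warnings.append(f"same name as {good}, different extension")
        elif SequenceMatcher(None, name, good_name).ratio() >= 0.8:
            warnings.append(f"looks similar to {good}")
    return warnings

def review_scan(text):
    """Return (kind, warnings) so the user can inspect the proposed action."""
    kind = payload_kind(text)
    return kind, (url_warnings(text) if kind == "url" else [])

if __name__ == "__main__":
    for sample in ("https://www.examplebank.com/menu",    # constructed samples
                   "https://examplebank.net/login",
                   "https://examp1ebank.com/login",
                   "geo:32.7,-117.1"):
        print(sample, "->", review_scan(sample))
```
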

The use of QR codes has resurged, and so has the number of hackers taking advantage of it. QR code exploitation can lead to credential theft, device compromise and data theft. Many of us are curious individuals and may be tempted to scan a QR code just to see what it is, without realizing the potential risks associated with doing so. That is the reason phishing attacks are among the more significant risks with QR codes, so it’s important to be vigilant in making sure the codes are legitimate. Online scammers are finding new ways to get your personal information. Protect yourself and avoid being scammed by following these QR code tips.

If you see something that doesn’t seem right, trust your instincts. Keep your eyes open to scam techniques and share these tips with others. Help yourself, your loved ones and your community by reporting fraud to the Federal Trade Commission (FTC) at reportfraud.ftc.gov. For more details on scams and to stay updated with current information, visit sdccu.com/scams.

Visit our Financial Knowledge Blog to learn more tips on setting up a solid future or join us for Financial Wellness Wednesdays.