QR Codes — Friend or Foe? Just How Bad Are They?

Are QR codes really as radioactive as some people say? What do cybersecurity pros think about them?

Happy Tuesday!

QR codes are an everyday, everywhere aspect of modern life. You’ll find them at restaurants, on flyers, posters, product packaging, mobile tickets, conference badges, emails, billboards, and more.

They’ve been around for years, but QR codes became much more popular during the COVID-19 pandemic, when virus transmission from surfaces was a major unanswered question and concern.

Like you, I’ve heard many breathless warnings about how dangerous Quick Response (QR) codes have become, how Digital Kleptos™ have altered codes to steal online accounts.

A QR code is nothing more than a compact way of encoding text, usually a web address, so the code itself is neither secure nor dangerous. What matters is where it sends you, and hackers have used the technology as a ploy to install malware, gain unauthorized access to personal and financial data, and steal funds from unsuspecting users.

So are QR codes safe? Can they be dangerous?

Is this a hypothetical risk, or does this actually happen to real people in the real world?

Against this backdrop of warnings and questions about QR codes, I began attending local cybersecurity events. Imagine my surprise finding out that cybersecurity pros use QR codes with gusto!

— Anthony Collette
Founder, Loistava Information Security

QR Codes Are Everywhere

QR codes are everywhere. You can find them at restaurants, on flyers, posters, product packaging, mobile tickets, emails, billboards, and more. They’re really convenient because they act as a gateway, seamlessly transporting users from a physical touchpoint to a digital destination. No manual effort is required on the user’s part. All you have to do is point your phone’s camera at the QR code, read the destination your phone displays, decide if it’s legit, then click OK.

Where could it take you? The destination the QR code points to could be a website, a PDF file, a landing page, questionnaire, survey, video or audio — the possibilities are almost endless. A QR code doesn’t even have to hold a link: it can carry Wi-Fi network credentials, a phone number to dial, a text message to send, or a contact card, and your phone will offer to act on those directly.

But wouldn't that be just like manually typing a website address into a browser or clicking a link that leads to a landing page, questionnaire, or video?

Exactly.

But in this case, scanning the QR code does the job of manually typing or clicking on the link.
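The moment that matters is the preview your phone shows between scanning and tapping OK. The following is an added example, not code from the original article, showing what a careful reader of that preview is actually checking: it takes the decoded text of a QR code (the same string the phone displays) and flags the tricks scammers rely on, such as a shortener hiding the destination, a fake “username@” prefix that makes the wrong site look like the real one, a bare IP address, look-alike international letters, and a familiar “.com” buried in the middle of a longer host name. The shortener list, the sample payloads and the example domains are constructed for illustration and are assumptions, not data from the article.

```python
"""Triage of decoded QR payloads: the text a phone shows before you tap OK.

Added example; not from the original article. The shortener list and the
sample payloads are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of link shorteners that hide the real destination (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "qrco.de"}

# Payload prefixes that make a phone act (join Wi-Fi, dial, text) rather than browse.
ACTION_PREFIXES = ("WIFI:", "TEL:", "SMS:", "SMSTO:", "MAILTO:", "MATMSG:", "BEGIN:VCARD")

# Labels that look like a familiar ending; mid-host they mean the real domain is further right.
COMMON_TLD_LABELS = {"com", "net", "org", "gov", "edu"}


def triage_payload(payload: str) -> dict:
    """Classify one decoded QR payload.

    Returns {"kind": "action" | "url" | "other", "host": str | None,
             "warnings": [(code, explanation), ...]}.  An empty warnings
    list means nothing suspicious was found, not that the link is safe.
    """
    text = payload.strip()
    warnings = []

    # Non-URL payloads: the phone will offer to join a network, dial, or send a message.
    upper = text.upper()
    for prefix in ACTION_PREFIXES:
        if upper.startswith(prefix):
            warnings.append(("action", f"{prefix.rstrip(':')} payload: the phone will act on it, not show a web page"))
            return {"kind": "action", "host": None, "warnings": warnings}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        warnings.append(("scheme", f"scheme {scheme or '(none)'!r}: not a plain web link; may open another app"))
        return {"kind": "other", "host": None, "warnings": warnings}

    host = parts.hostname or ""  # urlsplit lowercases the host and strips any port
    if scheme == "http":
        warnings.append(("http", "no TLS: anything typed on the page can be read in transit"))

    # https://bank.example@evil.example -> username "bank.example", host "evil.example"
    if parts.username is not None:
        warnings.append(("userinfo", f"text before '@' is a username, not the site; the real host is {host!r}"))

    if host in SHORTENERS:
        warnings.append(("shortener", "shortened link: the destination is hidden until it redirects"))

    try:
        ipaddress.ip_address(host)
        warnings.append(("ip-host", "bare IP address instead of a domain name"))
    except ValueError:
        pass

    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        warnings.append(("idn", "internationalised host: letters may be look-alikes of ASCII ones"))

    if any(label in COMMON_TLD_LABELS for label in labels[:-1]):
        warnings.append(("tld-in-middle", f"'.{labels[-1]}' is the real ending; '{host}' only imitates a familiar domain"))

    return {"kind": "url", "host": host or None, "warnings": warnings}


if __name__ == "__main__":
    # Constructed payloads modelled on the scams in the article (not real URLs).
    samples = [
        "https://www.cityparking.example/pay?meter=4821",
        "https://bit.ly/3xyzPay",
        "https://cityparking.example@pay-meter.example/login",
        "http://192.0.2.10/citation",
        "https://www.paypal.com.secure-pay.example/",
        "https://xn--pypal-4ve.example/",
        "WIFI:T:WPA;S:FreeCoffee;P:letmein;;",
    ]
    for sample in samples:
        result = triage_payload(sample)
        codes = ",".join(code for code, _ in result["warnings"]) or "no findings"
        print(f"{result['kind']:6} {sample:55} -> {codes}")
```

The useful lesson is in the “userinfo” case: everything before an “@” in a web address is a login name the browser simply discards, so a scammer can put a city’s real domain there while the phone actually opens the host after the “@”. Reading the host from the right-hand end, as the code does, is the habit that defeats that trick and the “.com in the middle” one.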

What Do Cyber Pros Think Of Them?

I’ve attended well over 20 cybersecurity events in the past 3 years: local monthly cyber meetups, community cyber conferences, even invite-only cyber conferences on the main campus of Microsoft.

QR codes were everywhere there, too. How did the cyber pros in attendance react?

Without exception, the audience whipped out their phones with real enthusiasm, and scanned those QR codes displayed on screens at the front of the classroom or the entire conference center. We’re talking about snapping QR codes with enthusiasm, with gusto, with abandon! Those audiences of cyber pros scanned QR codes like there’s no tomorrow.

The first time I saw this happen at a cybersecurity event, it was a bit jarring considering all the warnings I’d read and heard about QR codes from cybersecurity authors.

Why the disconnect between advice to the public and behavior at events?

Turns out that scanning QR Codes is how the audience at these cyber events gets directions to the after-meeting hangout, or how they download the slides from the in-person presentation, or find a trusted reference for some aspect of the meeting’s topic.

Do cyber pros use QR codes anywhere else?

A highly respected cybersecurity pro, Ross Haleliuk, very successfully self-published his own book, Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup. Ross included QR codes for each chapter to allow for easy access to the online version and bonus material.

Cybersecurity pros LOVE QR codes!

But hold on, let’s consider rephrasing that statement a bit.

In trusted environments, cybersecurity pros LOVE QR Codes.

At a cybersecurity event, if an attendee tried hacking the audience, there’d be enormous blowback and reputational damage. Everyone in attendance is on alert, and that creates an environment with far more oversight than other public spaces.

A professionally printed book with tight production control could potentially be trusted. Ross Haleliuk had complete control over the design and printing of his book, so he knew the QR codes in the book were legit.

A restaurant, for example, could potentially be a trusted environment because there’s extensive daily oversight. If a hacker pastes a nasty QR code over the restaurant-supplied QR code, it’s likely to be noticed.

What might not be a “trusted environment”?

A public parking lot, for instance, which has unlimited 24/7 access to the public and little on-premise oversight. Los Angeles and Denver have seen criminals putting stickers with malicious QR codes on city parking meters. Scan one, and you'll be taken to a fake payment page that steals your personal and financial info.

A city in England removed a total of 27 fraudulent QR codes from parking meters. Those British Digital Kleptos™ on the other side of the pond have been busy! They placed fraudulent stickers on parking meters, offering what seemed like a quick and easy way to pay. But once scanned, the fake QR Codes directed people to websites that enabled the hackers to steal funds and gather banking details.

A parking ticket placed on your car. Now this is clever (in a weird, troubling way). A fake parking ticket physically placed on your car? Most Digital Kleptos™ hack from a distance. But in this scenario, a real, live human being actually walked up to multiple cars, stuck these fake tickets on windshields, and risked getting caught. Multiple cities in Texas have seen an uptick in QR code hacking — an increasingly sophisticated parking ticket scam that uses QR codes to direct victims to fraudulent payment websites, with cities reporting incidents of fake citations being placed on vehicles.

A random flyer found on campus. Digital Kleptos™ are even using our love of coffee against us. Is nothing sacred? Frank, a busy college student, was walking through campus when he saw a flyer advertising Free Coffee for Students! Just Scan & Show This QR Code. Craving a caffeine fix, he scanned the code, which took him to a website that looked like a coffee shop loyalty program. It asked him to download a small browser plugin to claim the offer. Without realizing it, the website installed malware on his laptop. Over the next few days, the malware captured his online banking login credentials, and unauthorized withdrawals started showing up in his checking account. What seemed like a harmless perk ended up compromising his sensitive financial information and led to a stressful, time-consuming recovery process.

Before you scan a QR code, ask yourself — What can go wrong?

As these examples show, the problems with QR Codes are not only hypothetical — they actually happen in the real world and are reported to police and other law enforcement agencies.

Scanning a compromised QR Code can:

👉 Take you to a fake payment page, where you could be scammed for a parking fee or a parking ticket.

👉 Collect personal information like your username and password, or credit card details, which the hacker could later use to take over your account or charge your card.

👉 Result in malware getting downloaded and installed on your phone. The result could be spyware that snoops on your browsing and passwords, ransomware that locks up your device until you pay for its release (with no guarantees), or viruses that can delete or damage the things you’ve stored on your device.

What Can You Do To Protect Yourself From Malicious QR Codes?

No crystal ball here, so we can’t predict how likely you are to encounter one of these QR Code scams out in the wild. But we can be certain that you’re less likely to fall victim to one if you’re aware and take some simple steps to protect yourself.

Consider the source: When you’re out in public, only scan QR codes from trusted and reputable sources. Be especially cautious of codes found in public spaces, unsolicited messages, or unfamiliar websites, as these are common places for tampering. And read the address your phone previews before you tap: the real site is the part of the address at the right-hand end of the host name, and a shortened link (bit.ly and the like) tells you nothing about where you’ll really end up.

Inspect for tampering: Check for signs of physical tampering, such as a QR code pasted over another code, or a code that appears altered. Avoid scanning any code that looks suspicious or out of place.

QR Codes for payment: Don’t download payment apps or make payments directly from QR codes. It’s better to navigate to the website address manually and make your payment more confidently on a trusted, known website.

Use your phone’s built-in QR code reader: Your phone’s camera app already reads QR codes and shows you the destination before opening it. A separate QR code app is one more thing that could be malicious, ask for permissions it doesn’t need, or open links automatically without letting you look at them first.

“No!” is a complete sentence: If you receive a QR code via email or text message pretending to be from a delivery company, and you’re sure it’s not legit, feel free to delete and ignore. Just say “No.” That delete key on your phone is a modern, digital superpower!

Let’s Bring It All Home

The problems with QR codes are real, not just hypothetical. Real people fall victim to QR code scams with increasing frequency. It’s up to us to become aware of how the world is changing, and what we can do about it.

Knowledge is power.

We’ve got this!

Join us

Weekly resources to help keep you safer online — protecting you from hackers, online scammers, and other Digital Kleptomaniacs™.

No spam. No selling your email. Just factual, actionable information once a week, from people who truly care about online security.  You can unsubscribe any time — but we hope you’ll want to stay with us on this journey.

Cybersecurity is a modern form of wealth, and you deserve to keep what you've earned.

Looking forward to connecting again next week.

— Anthony Collette
