Stay Safe with QR Codes
QR codes have taken barcode scanning to the next level by concentrating more information in a compact physical space and providing people with an easy way to access information using their cell phones. The current spike in QR code popularity has been accompanied by new scams and hacks designed to exploit their weaknesses. Are QR codes safe in the current climate? Let’s take a look at what QR codes are, some potential dangers, and the steps you can take to protect yourself.
What is a QR code?
A quick response (QR) code is a square grid of tiny black and white geometric shapes that encode digital information. These 2-dimensional patterns were developed to hold more data and scan more quickly than the familiar zebra stripe bar codes that preceded them. QR codes date back to the 1990s when a Japanese company first used them to label and scan automotive components at high speeds.
Over the years, QR codes grew in popularity as they expanded into retail, packaging, marketing, and advertising. QR codes went mainstream during the pandemic when they were often used to deliver touchless menus to restaurant customers through their cell phone cameras.
How do QR codes work?
QR codes use an algorithm to convert information into the familiar grid of black and white squares. Larger squares at three corners of the grid known as finder patterns help a scanner orient the code correctly. There are several different sizes of QR codes in use, the largest of which can encode up to 4,296 alphanumeric characters.
What happens when you scan a QR code?
A QR code can be scanned using a traditional laser scanner, and most smartphones can interpret QR codes through their built-in camera app. The latter method takes you directly to a website URL, PDF file, image, or video.
Are QR codes safe to use?
The technology behind the codes themselves is safe. When used responsibly, they won’t take over your camera app or steal your private data. However, the outsized public trust in QR codes is being exploited by hackers and scammers who use QR codes to commit cybercrimes.
Can QR codes be dangerous?
QR codes can be dangerous when they are used by cybercriminals who prey on our trust in them for malicious purposes. During the 2022 Super Bowl, Coinbase, a cryptocurrency exchange, aired a TV ad featuring a QR code bouncing across the screen while asking viewers to scan the code and download the app. When over 20 million viewers did so, the Coinbase website crashed, and security experts began to question the wisdom of blindly scanning any QR codes that appeared.
7 potential dangers of scanning QR codes
Scanning QR codes brings digital and physical worlds together in many useful ways, but are QR codes secure? This unique interface presents opportunities for exploitation and fraud that include:
- Social engineering and phishing: The social engineering tactic known as phishing typically uses emails appearing to be from reputable sources to trick recipients into providing personal information or clicking on malicious links. A similar tactic called QRishing uses enticing offers to trick customers into scanning a QR code posted in a public place. A website linked to the QR code continues the ruse by asking the visitor for personal or financial information.
  Phishing and QRishing tactics are used in tandem when a phishing email includes a malicious QR code image. Unlike malicious hyperlinks, these images are less likely to be detected by email security software or firewalls.
- Malicious links: The impressive appearance of a QR code might make it look hack-proof, but cybercriminals can create their own QR codes using readily available tools. One common scam involves creating a sticker with a malicious QR code to cover a legitimate code posted in a public setting. Whenever someone scans this seemingly harmless code, they are directed to an unsafe website created by the hacker.
- Malware: Scanning a malicious QR code can also take you directly to a file infected with malicious software (malware). This type of attack is especially dangerous since the initial scan alone can infect your device. While some malware is intended to annoy or inconvenience us, malicious strains like spyware and ransomware can be used to steal personal information or hold a device and its contents hostage until a payment is completed.
- Bugs: Not every QR code security risk is related to social engineering or malicious links. Like any software-based tool, QR codes are subject to bugs and vulnerabilities that can be exploited. This led the creator of QR codes, Masahiro Hara, to acknowledge the system was in need of a security update in 2019 after the protocols he first established for inventory control became more widely used for touchless financial transactions.
- Clickjacking: The tactic known as clickjacking uses website elements that are disguised or overlaid onto other elements to trick online patrons into sharing credentials, purchasing products, or downloading malware. Clickjacking scams work well with QR codes as an entry point since the website visitor usually doesn’t suspect that the website or vendor might be unreliable.
- Financial theft: QR codes can support financial transactions, including fund transfers, debit card payments, and digital wallet transactions, and this has become a focus area for QR code safety. An unsafe or malicious QR code can manipulate financial transactions to have money sent to the wrong account or overcharge for services rendered.
- Location compromise: QR codes in restaurants or TV ads are usually not recording or revealing your GPS location, but there are some circumstances where your location can be compromised. For example, some QR codes request access to your GPS position to provide you with directions, and malicious codes created by scammers might mislead you into sharing your location. This information can be used to invade your privacy by monitoring your position and activities without your knowledge or consent.
QR code scanning best practices for your safety
To prevent scams and security issues, it’s important to understand what QR codes are and how they work. When you take the time to verify the validity of each interaction, you build more confidence in your QR scanning experience.
- Verify that the URL matches the vendor: Each time you point your phone app at a QR code, the URL of the linked website appears on the screen before the connection is completed. To be extra safe, take note of the domain name on the screen and compare it to the vendor’s name. If you notice any discrepancies like changes in spelling, additional characters, or missing characters, it could be a link to a spoofed website that you need to avoid.
- Make sure the URL is secure (HTTPS): Hypertext transfer protocol secure (HTTPS) at the beginning of a website address means an SSL certificate is in place to protect data exchanges through encryption. Although the HTTPS designation doesn’t rule out the presence of scams or malicious hyperlinks on a website, it can be an effective way to weed out unsecured or suspicious sites.
- Don’t use third-party apps to scan: Third-party apps for QR code scanning offer additional features and customization options, but they can also introduce security risks. Low-quality apps might include software bugs, harbor malware and adware, or request unnecessary permissions. Almost all smartphones now include QR code scanning with their built-in camera, so there is no longer a reason to use third-party apps.
- Check the QR code features: If the printed QR code image lacks a clear border, is blurry or pixelated, or appears to be larger or smaller than usual, proceed with caution to maintain your QR code safety. Many vendors include their logo and company colors in and around the code design, so keep an eye out for any artistic touches that don’t look quite right.
- Install antivirus software: Many malicious QR codes are intended to spread malware, so you need to make sure your protection is up to date. The best antivirus and anti-malware software packages are continually updated to detect and address the latest threats. Some will even block your device from downloading malware.
- Keep device security patches updated: When apps, software, and operating systems are periodically updated, security patches are included to address vulnerabilities and protect you from external threats. You should always keep your device OS and apps up to date to ensure any security issues and vulnerabilities associated with QR code scanning have been fixed.
- Don’t scan unfamiliar or suspicious QR codes: The high-tech appearance of QR codes should never be a reason for blind trust. To avoid security and privacy issues, the best policy is to avoid any QR codes that are unfamiliar or appear suspicious. Trust your instincts and err on the side of caution to avoid potential dangers.
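The first two checks in the list above (the domain matches the vendor, and the link uses HTTPS) can be automated once a scanner has decoded the QR payload. The following Python is an added example, not Dashlane's code; the function names, warning labels, and sample domains (reserved `.test` and `.example` names) are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def edit_distance(a, b):
    """Levenshtein distance: changed, added, or missing characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(payload, expected_domain):
    """Return warnings for a URL decoded from a QR code.

    expected_domain is the vendor's real domain, assumed to be known
    in advance (for example from a receipt or the vendor's own app).
    """
    warnings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if parts.username or parts.password:
        # "https://vendor@other-host/" connects to other-host, not vendor
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    if host == expected or host.endswith("." + expected):
        return warnings  # exact domain or a genuine subdomain of it
    warnings.append("domain-mismatch")
    # Compare the same number of trailing labels as the vendor domain has
    n = expected.count(".") + 1
    tail = ".".join(host.split(".")[-n:])
    if 0 < edit_distance(tail, expected) <= 2:
        warnings.append("lookalike-domain")
    if expected in host:
        # vendor domain used as a prefix of somebody else's domain
        warnings.append("vendor-name-embedded")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes
    for url in ("https://menu.example-cafe.test/table/12",
                "https://examp1e-cafe.test/menu",
                "http://example-cafe.test/menu"):
        print(url, check_qr_url(url, "example-cafe.test"))
```

An empty list means only that the link points at the expected domain over HTTPS; as the article notes, HTTPS alone does not rule out a scam.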
Why are QR code security best practices important?
QR codes will be with us for a long time. That means the scams and hacks we have witnessed so far are likely to continue and expand. Following basic QR code security best practices will give you:
- Protection from security threats: Most external security threats, including phishing, data intercepts (man-in-the-middle attacks), malware, and spoofing are carried out to steal information or hijack computer systems for financial gain. A scammer might use their QR code scheme to steal credentials and other personal information that can be resold on the dark web.
- Protection from identity theft: Personal information stolen through a QR code scam might also be used to commit identity theft. The wide variety of identity-related crimes includes opening financial accounts in someone else’s name, receiving medical treatment or medication under false pretenses, and impersonating another to avoid criminal prosecution or fines.
- Protecting device integrity: Device integrity refers to the function and maintenance of devices like cell phones, as well as keeping unauthorized modifications and apps off them. A secure device is protected by authentication features and privacy settings to protect personal data even when the device is lost or stolen.
How Dashlane supports safe QR code scanning
As we adopt convenient high-tech tools and practices like QR code scanning, digital wallets, and facial recognition for passwordless login, security and privacy should never be taken for granted. For example, our customizable Autofill will never automatically log in to an unverified link or URL. Along with advanced algorithms and encryption to automatically generate and store passwords safely, Dashlane provides tools and features, including 2-factor authentication (2FA), Dark Web Monitoring, and a virtual private network (VPN) to build more safety and security into every digital transaction.
With the recent increase in threats such as phishing and ransomware, many businesses have ramped up their cybersecurity efforts, but security and privacy concerns don’t end at 5 PM. Find out how Dashlane safeguards your security and privacy when you're off the clock.