QR code security risks: innocent scan or malicious scam?

QR code

QR codes can be easily abused by scammers so how do we use them safely?

QR codes are becoming more and more popular due to their multi-purpose functionality and their ability to read information at rapid speeds. However, cyber criminals have found a way of exploiting QR codes to carry out highly dangerous phishing attacks. 

Let’s explore how QR codes work, the security concerns around them and how to mitigate against the potential risks. 

What are QR codes? 

Quick Response (QR) codes are two dimensional barcodes that provide instant access to online information when scanned. While they may seem like a relatively new technology, QR codes were actually created in 1994 in Japan by Chief Engineer Masahiro Hara of manufacturing company Denso Wave.  

The QR Code System became an instant hit in China in the late twentieth century. However, it’s only within the last year, triggered by the COVID outbreak, that their popularity has exploded in the Western World. In a global effort to stop the spread of the virus, QR codes have been deemed the “most effective system for COVID-19 tracing.”

However, the uses  of this technology extend far beyond tracking social movements. They can be used to pay for goods and services, rent city bikes, direct consumers to a company’s Facebook page, apply to a job advert…the possibilities are endless. 

How do QR codes work? 

QR codes function in much the same way as traditional barcodes by displaying specific information when they are scanned. However, QR codes are most commonly used to direct smartphone and tablet users to a particular URL. 

Visually, the codes are made up of black and white squares designed to encode different characters of text. Their ability to read code in both the transverse and longitudinal directions allows them to encode over one hundred times more data than regular barcodes. The larger the image size, the more characters the code contains. The three larger corner squares help align the code, allowing it to be easily scanned from any orientation. 

What are their advantages? 

The main advantage of QR codes is their ability to read information at incredibly high speeds. For example, imagine walking by a billboard and seeing an eye-catching advert. Instead of wasting time typing the website URL into your smartphone, a quick scan of the QR code loads the desired web page instantly. 

Or, imagine you are at an industry trade show and want to sign up to a company’s newsletter. By scanning the stall’s QR code you are brought straight to the landing page.

An advantage for business owners is that QR codes are easy and free to create with step by step tutorials available on YouTube. Once created online, they can be printed off and placed on everything from restaurant tables and shop windows to business cards and flyers. 

Are there security risks? 

Just like with any technology, QR codes come with potential security risks. By default, they are not automatically encrypted. This allows cyber criminals to easily tamper with them by placing stickers on top of the original. When the sticker is scanned, the user is unknowingly redirected to a malicious phishing site designed to steal their credentials. 

The added danger is that there is no easy way of predetermining where a code leads to/what URL it will open. As a result, the user has to blindly trust that the code leads to a safe domain. With no humanly readable elements, it is extremely difficult to differentiate a legitimate code from a fake. 

Fake QR code


How can you protect yourself against fake QR Codes? 

Be vigilant by inspecting the destination URL. Exercise the same caution you would upon receiving a suspicious looking email or SMS. If in doubt, search the subject line through your browser instead. Trust your instinct – if the landing site looks suspicious, do not enter your personal details or credit card information. 

Fully protected with Corrata 

We decided to show just how easy it is to fall for fake QR codes. In the video below, the user is unknowingly brought to a phishing site which looks extremely convincing. However, upon closer inspection, the URL is different to the official eBay website. 

When Corrata is switched on, the user is now unable to reach the phishing site and is informed that a security threat has been detected. Corrata sends the URL anonymously to our threat engine for examination which tells the phone whether to allow or block, and does this all in milliseconds.

Related Resources

Related Resources

Read the latest news on enterprise mobile security direct from the specialists.

Read the latest news on enterprise mobile security direct from the specialists.