Data Threat: Don't Automatically Scan the QR Code

You've just been seated at a restaurant and while you're waiting for your server, you see a little sticker on the tabletop that says, "Scan me for today's lunch specials." It would be great to save a few bucks. So you pull out your phone and point the camera at the code.  What could go wrong?  According to mobile security experts, plenty.

Even if you're not familiar with the term QR code, you've certainly seen lots of them. They're the square graphic that businesses put at the bottom of ads, in-store signs, and (especially after COVID) on restaurant tables. Businesses invite you to scan the code with your phone (camera apps now read them automatically) to access additional information or special offers.

Short for "quick response code," QR codes are a type of two-dimensional barcode. Where a traditional barcode, like you'd see on a grocery item, is limited to 43 characters of information, a QR code can store up to 2,500. For comparison, that's one short sentence versus five pages of text.¹

While QR codes can contain any kind of information — they were developed for inventory tracking — businesses use them to direct your phone's web browser to a URL or to the app store to install an app. Both legitimate uses.

The automatic nature of the QR code means you can't tell ahead of time what kind of site it's sending your phone to. While mobile phones (and especially iPhones) are largely immune from typical computer viruses, they are still subject to danger from other kinds of malicious code. For example, according to online security firm Kaspersky, mobile web browsers have multiple vulnerabilities that can be exploited.²

According to Len Noe of information security firm CyberArk, malware isn't necessarily the greatest risk with using QR codes. It's simply that you don't know where the link is taking you. It might lead to a legitimate looking website that fools you into entering sensitive information.  Think of the QR code as a web link. You probably wouldn't click on a link in an email from an unknown sender. In the same way, you don't know who actually placed that QR code you're seeing out in public.

Noe says that it's quite easy for a "threat actor" to place a sticker with a malicious QR code over the top of a legitimate one. His advice for when you see a QR code: Don't automatically scan it. Look for signs of tampering. And never download apps or make payments from a QR code you see in a public place.  QR codes can be legitimately useful when you're sure of their source, such as on a statement from your utility company. But when you can't be sure of the source, be sure to proceed with caution to help protect yourself from identity and financial fraud.

1. http://go.pardot.com/e/91522/-before-you-scan-that-qr-code-/8q2r1l/1751575253?h=rw-VOhZvasIRxxmdMgFnZOH8kPrhpvuPEKPGvA09Ih8
2. http://go.pardot.com/e/91522/websites-infect-iphones-18573-/8q2r1s/1751575253?h=rw-VOhZvasIRxxmdMgFnZOH8kPrhpvuPEKPGvA09Ih8