QR Code Security: Risks and How to Stay Safe

As QR codes become more prevalent, so do the security risks associated with them. Understanding these risks helps you use QR codes safely and create them responsibly.

QR Code Phishing (Quishing)

Attackers create QR codes that link to phishing websites designed to steal login credentials or personal information. These malicious QR codes can be placed over legitimate ones in public spaces, printed on fake marketing materials, or sent via email.

How Attacks Work

Unlike URLs that you can inspect before clicking, QR codes hide their destination. You cannot tell where a QR code will take you just by looking at it. This makes QR codes an attractive vector for phishing attacks.

Sticker Attacks

Attackers print QR code stickers and place them over legitimate codes on parking meters, restaurant tables, or public notices. The replacement code redirects to a malicious site that mimics the expected destination.

Protecting Yourself

Use a QR scanner that previews the URL before opening it. Most phone cameras now show the URL before navigating. Check the domain carefully before entering any information. Be suspicious of QR codes in unusual locations or that appear to be stickers placed over other codes.

Creating Safe QR Codes

When creating QR codes for your business, use your own domain rather than URL shorteners when possible. Clearly brand your QR codes so users can verify authenticity. Use HTTPS URLs exclusively. Register similar domain names to prevent impersonation.

Best Practices

Never scan QR codes from unknown sources in emails or messages. Be cautious of QR codes that ask for login credentials or payment information. If a QR code redirects through multiple URLs, treat it as suspicious. Report suspicious QR codes in public spaces to the property owner.