    November 2, 2023

    QR codes – Good, Bad and ... Evil?

    QR codes are convenient, easy to use, and can store a lot of information in a small space. You can scan them with your phone and access websites, menus, coupons, tickets, and more. But QR codes can also pose security risks for you and your device.

    Of course, QR codes are not inherently bad, but they can be abused by hackers and cybercriminals who want to trick you into visiting malicious websites, downloading malware, or revealing your personal information. Because QR codes are not readable by humans, you cannot tell what they contain or where they will take you before you scan them. This makes them an ideal tool for phishing, spoofing, and other types of attacks.

    Here are some of the common ways that QR codes can be used to harm you and how to protect yourself from them:
    • Malicious URLs: Hackers can create QR codes that contain malicious URLs and redirect you to fake or compromised websites. These websites may look legitimate, but they are designed to steal your login credentials, credit card details, or other sensitive data. They may also infect your device with malware that can spy on your activities, steal your files, or lock your device until you pay a ransom.

    • Code replacement: Hackers can also replace legitimate QR codes with their own by simply pasting their QR codes over the original ones. This way, they can trick you into visiting a site they control. For example, they can replace the QR code on a restaurant menu with one that leads to a phishing website that asks for your personal information or payment details.

    • QR codes for Wi-Fi networks: Using QR codes for Wi-Fi networks is an easy way to share the password for the network. Hackers can create QR codes that pretend to offer free or secure Wi-Fi access. They can display these QR codes in public places where people may need Wi-Fi access, such as airports, hotels, cafes, or libraries. When users scan these QR codes, they may connect to a rogue Wi-Fi network controlled by the hackers. The hackers can then monitor the user’s online activity, intercept their data, or launch man-in-the-middle attacks.

    • Fake QR code surveys: Hackers can also create QR codes that pretend to offer rewards or incentives for completing a survey. They can display these QR codes on websites, emails, or social media and entice users to scan them. However, the QR codes may take the user to a phishing website that asks for their personal information, such as their name, email, phone number, or address. 

     

    To avoid falling victim to these QR code scams, you should follow these tips:

    • Use a trusted QR code scanner app: Not all QR code scanner apps are safe and reliable. Some may contain malware or spyware that can harm your device or data. You should only download QR code scanner apps from official app stores and check their ratings, reviews, and permissions before installing them.

    • Verify the source of the QR code: Before scanning a QR code, you should ensure that it comes from a trusted source and matches the context of what you are doing. For example, if you are scanning a QR code on a poster or flyer, you should check if the poster or flyer is authentic and relevant to the QR code. If you are scanning a QR code on a website or email, you should check if the website or email is legitimate and secure.

    • Preview the URL before opening it: Some QR code scanner apps allow you to preview the URL that the QR code contains before opening it. This can help you avoid visiting malicious websites or downloading malware. You should always look at the URL carefully and see if it matches the expected destination. If the URL looks suspicious or unfamiliar, do not open it.

    • Be wary of shortened URLs: Some QR codes use shortened URLs, which are links that hide the original destination and redirect you to another website. Be careful when scanning QR codes that use them, because you cannot tell which website you will end up visiting.
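
The preview and shortened-URL tips above can be automated on the text a scanner has decoded. The following is an added example, not code from the original article: it inspects the decoded payload without opening it, and the function names, the shortener list and the sample payloads are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Small illustrative list of shortener hosts (an assumption; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def parse_wifi(payload):
    """Parse a 'WIFI:T:<type>;S:<ssid>;P:<password>;;' payload into a dict."""
    fields = {}
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):  # unescaped ';'
        key, sep, value = part.partition(":")
        if sep:
            fields[key] = re.sub(r"\\(.)", r"\1", value)  # undo backslash escapes
    return fields

def review_qr_payload(payload, expected_host=None):
    """Return (kind, warnings) for decoded QR text without opening anything."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        wifi = parse_wifi(payload)
        warnings = [f"joins Wi-Fi network {wifi.get('S', '?')!r}; confirm the name first"]
        if wifi.get("T", "nopass").lower() == "nopass":
            warnings.append("network is open (no encryption)")
        return "wifi", warnings
    try:
        url = urlsplit(payload)
        host = (url.hostname or "").lower()
    except ValueError:
        return "other", ["malformed link; do not open"]
    if url.scheme.lower() not in ("http", "https"):
        return "other", [f"not a web link (scheme {url.scheme!r})"]
    warnings = []
    if url.scheme.lower() != "https":
        warnings.append("link is not HTTPS")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the final destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address instead of a name")
    except ValueError:
        pass
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        warnings.append(f"host {host!r} does not match expected {expected_host!r}")
    return "url", warnings

if __name__ == "__main__":  # constructed sample payloads
    for text in ("https://bit.ly/3xAmPle", "WIFI:T:nopass;S:Free Airport WiFi;;"):
        print(review_qr_payload(text))
```

An empty warning list only means none of these checks fired; it does not show that the destination is safe.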

     

    QR codes are a useful technology that can make your life easier and more convenient. However, they can also be used by hackers and cybercriminals who want to exploit your trust and curiosity. By following these tips, you can reduce the dangers QR codes pose.

     


    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...
