QR Code Security Alert: One Scan Can Add Hackers to the Menu

QR codes have been around since the mid-1990s, but their use has risen steadily since 2020. The ability to view everything from restaurant menus to Google reviews to conference agendas with one click has proven too convenient to ignore. However, QR codes have always been a lure method for cybercriminals, and their increased application in a variety of settings has garnered even more attention from hackers. As a result, QR code safety needs to be part of every small and midsized business’s (SMB’s) overall cyber security protection protocols.

Q: What are the primary security vulnerabilities associated with QR codes?

A: QR codes can disguise malicious content since users can’t visually inspect the link embedded in them. That allows attackers to embed malicious URLs that lead to phishing websites, trigger automatic downloads of malware or initiate unintended actions like sending texts or making payments. Social engineering tactics, such as placing fake QR code stickers over legitimate ones in public places, can further increase the risk.

Are QR Codes Safe?

QR codes do not contain security flaws. Technically, a QR code can’t be hacked. However, the final online destinations are contained within the codes. Like any other links, they can direct you to websites containing various types of malware, making you more vulnerable to a cyberattack. It doesn’t matter if the code is on a menu, a manual, an email or a text. You cannot tell that a QR code is part of a hacking scheme just by looking at it. All the trouble happens after you’ve scanned the code and connected to its link. Once connected to the hacker’s website, it might automatically download code for malicious programs onto a user’s device. In some cases, the destination site might prompt you to log in, share personal information, user names, passwords or financial data. As always, the best practice for all unknown URLs is to “think before you click.”

Q: What best practices should users follow before scanning a QR code?

A: Before scanning any QR code, you should inspect the source and context. Only scan codes from trusted sources and be wary of QR codes in unusual or suspicious locations (e.g., pasted over signs, in unsolicited messages or on public posters). Avoid scanning codes that prompt for sensitive information, unless you're sure of the site's authenticity.

How Concerned Should You Be About QR Code Privacy?

Once users have unknowingly scanned a fake QR code, they’re likely to face a malware attack. If the fraudulent QR code hack is successful, cybercriminals can have their way with your devices. They can:

• Add Questionable Contacts to Your Contact List – Many users have hundreds, if not thousands, of contacts in their contact lists. Finding a nefarious one that has been added without permission is a daunting, if not impossible, task
• Send Fake Text Messages – If you hear from friends or associates claiming they’ve gotten strange texts or emails from someone claiming to be you, your QR code privacy may have been violated
• Hack Cell Phone Billing – If your wireless bill is suddenly higher than usual, a QR code you scanned might be charging your account for erroneous, high-cost cell phone calls to anywhere in the world
• Transfer Unauthorized Payments – One of the worst-case results of any cyberattack is stolen money. If you scan a QR code that connects you to a scam website or network, any requests for personal or financial data can have devastating consequences. Many small and midsized businesses lose hundreds of thousands of dollars as a result of severe attacks

How Do You Ensure QR Code Security?

There are several cyber security steps you can take to help protect against a QR scam:

• Never Trust Emails from Unknown Senders – This policy applies to all online activities on any device. If you think the source might be fraudulent, do some research, such as checking the domain name (web address in the browser window) associated with the sender’s address, before opening it
• On Printed Materials, Beware of QR Stickers – If you are viewing menus, manuals or any printed matter, check to make sure a hacker hasn’t glued a scam QR sticker over the legitimate one
• Do Not Scan QR Codes Embedded in Emails – QR codes embedded in emails are the same as links. Opening QR codes with your QR scanner requires the same amount of caution you would apply to any link embedded in an email. Again, “think before you click”
• Install a Scam Blocker or Filter – Nothing is perfect, but good security software (not the free stuff that comes with your computer) could help screen out many known attacks
• Install a QR Scanner That Displays the URL Before Connecting to the Link – Seeing the URL displayed before you are taken to its destination could save you from being hacked, and it only takes 10 seconds

The time to ask “are QR codes safe?” is before you have a problem. Malware protection is not a simple matter. As your use of online technology encompasses more areas of your personal and business life, cybercriminals continue to find new ways of attacking your private data. Unfortunately, most small to midsized businesses have neither the time nor the budget for a full-time IT department. That’s why it’s essential to employ IT experts to assess your cyber vulnerability and help you design the best layers of protection for your hard-earned data.

Q: Are there any tools or technologies that help detect malicious QR codes?

A: Yes, several mobile security apps and QR scanning tools now include features to detect suspicious or unsafe links. These tools often preview the URL and compare it against databases of known phishing sites or malware hosts. Businesses can also use dynamic QR codes, which allow them to monitor, manage and change the linked content if needed, adding an extra layer of control and security.

How Do You Keep Hackers from Violating Your QR Code Security?

Are QR codes safe? For the most part, yes, but not always. IT security firms specialize in preventing cyber threats and have a wide array of solutions that can help maintain QR code privacy while protecting against cybercrimes. These companies work with small and midsized businesses to establish cyber security best practices that help ensure your confidential data is secure and all your devices have the specific protections they require, especially those used for remote-access work.

Reach out to us if you are in the greater New York City area or contact a local IT professional who can help you with security software upgrades, network monitoring and security awareness training to help your company maintain QR code and business data security.