A QR Code by Any Other Pixel Might Not be as Sweet

Jocasta Norman
Published in SEEK blog
Jan 19, 2022

TL;DR Think before you scan. QR Codes can lead you to malicious content or even download viruses and ransomware onto your device without you knowing right away.

Photo by Mitya Ivanov on Unsplash

Since the beginning of the pandemic, QR Codes have popped up everywhere, and in some instances their use has even been mandated. Like many things that can be helpful, they can also be harmful. It’s important to understand that not all QR Codes are created with your best interest in mind. The good news is that the 7 tips below can help protect you from a QR Code gone rogue.

What is a QR Code?

QR is short for Quick Response. QR Codes were invented in Japan in the mid-90s, well before the ubiquity of smartphones, to help track parts in a vehicle parts manufacturing plant. They can store 300 times more data than a barcode. Typically they are a square-shaped image comprising different arrangements of black and white pixels, although they can be customised with colours and logos too.

Here’s an example of one. Scan it to discover more about Life at SEEK and why it’s won awards for being the Overall Best Place to Work and the Best Place to Work for Technology!

Example of a QR Code

The Increased Use of QR Codes

Over time, especially with the rapid and rampant adoption of smartphones and mobile Internet, QR Codes have been adopted for use in many more ways than their original intent. They have embedded themselves as a useful form of technology for many different things, including directing people to websites, authenticating online accounts, downloading apps, contactless payments, and more.

Roll on the global pandemic in 2020, however, and QR Codes really came to the fore, becoming a key tool used in tracing exposure and helping stop the spread of a virus. Even without concrete numbers and trend lines, it could be safe to assume the familiarity and use of QR Codes has skyrocketed in recent years. In Australia at least, prior to the introduction of check-in apps for contact tracing, it wasn’t all that common to see QR Codes. These days it feels like we’re swimming in a sea of them at the entry to pretty much anywhere and everywhere!

What is the Potential for Harm?

Unfortunately, when emotions are high, trust grows, or new habits set in, cyber criminals tend to come up with a plan to exploit the situation and cash in. The increased adoption of QR Codes, combined with their mandated use in trusted government apps, all amidst the emotional rollercoaster of a pandemic, has sadly led to a perfect opportunity for criminals.

QR Codes, like many things, can be used for good or evil. It’s also important to note that QR Codes can be designed to be dynamic, meaning the data stored in them can be edited later. The code itself simply stores the data as instructed by the person creating it, and this data can be malicious. This means that by scanning the code you could find yourself:

  • inadvertently on a malicious website or viewing inappropriate or unexpected content
  • led to a phishing site that may look legitimate but is attempting to trick you into entering sensitive information, such as login credentials
  • unknowingly downloading an application with malware, such as a virus or ransomware, onto your device.

What Can You Do to Protect Yourself?

So, what can you do to reduce your risk when it comes to QR Codes created with ill intent? The advice for clicking on links or downloading attachments in emails or text messages also applies to QR Codes: exercise caution!

  1. If in doubt, think twice about scanning, and avoid scanning purely for curiosity’s sake. Some criminals rely on this human trait.
  2. If using the smartphone camera, read the notification before confirming the click through. The notification should tell you the URL of the website it’s going to.
  3. If you’re checking in for contact tracing, use the scanner in the app instead of your camera. If it’s not the correct code, it should come up with an error message.
  4. If you notice it looks like a new QR Code sticker has been placed over another QR Code, proceed with caution. It could well be someone trying to trick you.
  5. If the scan takes you to a site to enter sensitive personal information, passwords, or payment details, make sure you verify the link is legitimate before entering anything.
  6. Use an antivirus app, especially on Android devices, to help detect any malware if you notice something was downloaded.
  7. Consider a QR Scanner app with built-in security features instead of the camera alone.
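
Tips 2 and 5 come down to reading the decoded link before acting on it. The sketch below is an added example, not part of the original post or any SEEK tool: it shows the kind of checks a scanner with built-in security features could run on the text a QR Code decodes to. The trusted host list, the sample payloads and the function name are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts this scanner expects a code to open.
TRUSTED_HOSTS = {"example.org"}

def triage_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return warnings for a decoded QR payload (empty list = nothing flagged)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # A QR Code stores arbitrary text, so it may not be a web link at all.
        return [f"not a web link (scheme: {scheme or 'none'})"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return warnings + ["no host in link"]
    if parts.username is not None:
        # In https://brand@other.site/ the browser goes to other.site.
        warnings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible look-alike characters)")
    # Trust exact matches and true subdomains only, never a mere prefix.
    if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        warnings.append(f"host '{host}' is not on the trusted list")
    if parts.path.lower().endswith(".apk"):
        # Heuristic chosen for this example: a direct Android package download.
        warnings.append("link points directly at an Android app package")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR Codes.
    for sample in ("https://checkin.example.org/venue/42",
                   "http://203.0.113.7/checkin",
                   "https://example.org@example.net/login",
                   "https://example.org.example.net/",
                   "WIFI:T:WPA;S:Cafe;P:x;;"):
        print(sample, "->", triage_qr_payload(sample) or "nothing flagged")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.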

Remember
Think before you click, scan, or share anything online. If in doubt, trust your instincts and stop interacting. Cyber security is everyone’s responsibility in the workplace and at home. We all need to exercise caution and due diligence when interacting online.

Further Reading
QR Code Security: What are QR codes and are they safe to use?
QR codes, privacy and security

Jocasta Norman
Security Analyst at SEEK | Forever curious | Always learning | Idea sharer | Knowledge builder | Fuelled by kindness | Driven by community