
QR codes are a useful bridge between the real and digital world. When you scan a QR code in real life, you can visit handy websites and perform digital actions in just a few seconds. People today scan QR codes to access digital menus at restaurants or even to pay their downtown parking meter. QR codes are used to link to games, mobile apps, and payment platforms. But can hackers get through a QR code?

Unfortunately, the answer is yes. Hackers have recently caught up with the QR code craze and have begun placing infected and decoy QR codes in order to infect phones and hack private users directly through their personal devices. Every QR code you scan could be infected.

How do QR codes work, and how can we protect ourselves and others from hacked QR codes? That’s exactly what we’re diving into today.

How QR Codes Work

QR codes are like a barcode, but able to hold complex data in two directions instead of one. QR codes store data including links and software commands in a scatterplot of square dots. The dots are read by your phone camera from top to bottom and right to left. When the QR code is scanned, your phone takes the action indicated by the code.

A safe phone will ask you if you want to follow the link, but some respond immediately to the code embedded in the QR pattern. The good news is that, in most cases, you will be asked to slide-approve a QR scan – so you have a final chance to decide if a code is safe after you scan it.

What QR Codes Can Do: Why Hacked Codes are Dangerous

The real problem with QR code hackers is how versatile and useful a QR code can be. A legitimate or hacked QR code can do more than open a web link. These code squares have the potential to achieve a wide variety of both useful and dangerous actions on your phone.

  • Follow website links
  • Direct-download apps from your app store
  • Call phone numbers
  • Add contacts to your phone
  • Convey up to 4K words
  • Authenticate an online account
  • Verify login details
  • Access a wifi network
  • Send and receive payments
  • Compose emails

Some of those functions are extremely risky when scanning codes from unknown or malicious sources. From direct download to joining a wifi network, there are many routes to infect your phone or hack your device directly.

How Hackers are Corrupting QR Codes

  • QR Code Stickers used to replace legitimate codes
  • False QR code advertisements with infected links

QR codes are found “in the wild” all over our society. Restaurants use them for menus and coupons. You can find QR code links to bus routes in the bus station. Your parking meter might have a QR code for payment, and so too might your farmer’s market vendor. QR codes are often used in advertisements on flyers and newspaper ads.

There was a time when it was safe to curiously scan a QR code stuck to a telephone pole on your morning walk – but no longer.

QR Sticker Hacking & Flyer Spam

Hackers have realized that the freedom of QR codes is a loophole in personal device security. What is the primary source of infected QR codes? Stickers. Hackers translate their infected links and device commands into square-print QR codes. They then print them onto sticker sheets. With a close-cut white background, hackers replace legitimate QR codes with a quick sticker over the original. When you scan for your menu or parking meter, you get an infected link instead.

The smart ones can mask the link to look legitimate so you don’t even realize your phone has been infected.

Hackers also post false advertisement flyers for local businesses, garage sales, and retail discounts to get people to scan. It might even look legitimate before you swipe, bearing the same domain or URL details as printed on the flyer.

How to Stay Safe from Malicious QR Codes

So, how can you stay safe from malicious QR codes while still enjoying the convenience that QR codes can provide? The key is to stay alert and watch for signs that a QR code is not legitimate or has been tampered with.

1.) Look Carefully: Never Scan a Sticker

Before you scan a menu or parking meter, look carefully at the code. Check for a faint outline surrounding the dotted square. If it looks like the QR code has been pasted on as a sticker, do not scan. Never scan a QR code that looks like it could be a sticker added after the original document or sign was printed.

You can also compare your code with others nearby. Check all the menus at the table or take a look at other nearby parking meters. If the size or design of one or some QR codes is different from most, they may have been tampered with.

2.) Examine the Link Before You Swipe

On most phones, you will get the chance to approve QR action before it is completed. Look carefully at the approval page. Does the domain name of the link match what you expected to see? Does it match the official website domain of the business? Is the action being requested what you expected to find? You can even stop a service person in the store or restaurant to confirm that the link looks correct if you are concerned.

If the action is not what you expected – like requesting email access instead of following a link – cancel the code and do not approve-swipe.
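The checks from this step, applied to the text a scanner decodes from a QR code, as an added example that is not part of the original article. The payload prefixes are common scanner conventions, and the sample payloads and the `example.com` and `qr-menu.test` domains are constructed for illustration.

```python
from urllib.parse import urlsplit

# Prefixes that scanner apps commonly map to actions (conventions, not from the article).
ACTION_PREFIXES = {
    "wifi:": "join-wifi", "tel:": "call", "mailto:": "compose-email",
    "smsto:": "send-sms", "sms:": "send-sms", "mecard:": "add-contact",
    "begin:vcard": "add-contact", "otpauth:": "authenticate-account",
}

def classify(payload):
    """Return the action a decoded QR payload asks the phone to perform."""
    text = payload.strip().lower()
    for prefix, action in ACTION_PREFIXES.items():
        if text.startswith(prefix):
            return action
    if text.startswith(("http://", "https://")):
        return "open-link"
    return "plain-text"

def review(payload, expected_action, expected_domain=None):
    """List reasons to cancel instead of approving; an empty list means none found."""
    reasons = []
    action = classify(payload)
    if action != expected_action:
        reasons.append(f"action is {action}, expected {expected_action}")
    if action == "open-link":
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            reasons.append("link is not https")
        if url.username is not None:
            # In https://shown-name@real-host/ only the part after '@' is visited.
            reasons.append("text before '@' is not the real host")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode host may imitate another domain")
        if expected_domain and host != expected_domain \
                and not host.endswith("." + expected_domain):
            reasons.append(f"host {host} is not under {expected_domain}")
    return reasons

if __name__ == "__main__":
    # Constructed payloads, written as a scanner would decode them.
    for sample in ["https://menu.example.com/table/12",
                   "https://menu.example.com@qr-menu.test/login",
                   "WIFI:T:WPA;S:Guest;P:constructed;;"]:
        print(classify(sample), review(sample, "open-link", "example.com"))
```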

3.) Don’t Scan Random QR Flyers and Stickers

Once, it was cool to scan every QR code you passed on the street. Today, that is riskier. Hackers can easily print a few business or yard sale flyers on friendly pastel paper with an infected QR code attached. They can absolutely print a few “bumper” type stickers to slap on cross-walk poles with a slogan and an infected QR code.

Be cautious about what you scan. It should be safe to scan a flyer handed to you by venue staff, but not a flyer posted to a telephone pole.

4.) Let a Venue Know if Their QR Codes Have Been Compromised

If you have reason to believe that a business’ QR codes have been compromised, let them know! You can protect yourself and hundreds – maybe thousands – of others from infection with a simple act of communication. Send an email or walk up and tell them that their signs, menus, or flyers have been compromised by a hacker with false QR codes.

The business will be grateful and you will get a legit code to scan the next time you visit.

5.) Clean Your Phone if You Suspect Infection

Finally, be sure to have your phone cleaned of malware and infections if you suspect you have scanned a questionable QR code. Not all QR code landing pages are professional and sometimes errors happen. But it’s always better to take extra safety steps than to be key-logged the next time you access your bank account. QR codes are convenient, but today, QR code safety is a new type of personal cybersecurity that we all share.
