Super Bowl commercials, packed with celebrities and special effects, can be as much of an attraction as the game itself. This year, one ad stood out: For 60 seconds, a solitary QR code bounced across the screen to electronic music, changing colors as it hit the frame, like an old screensaver. Curious viewers across the country pulled out their phones to scan the code. Only in the last seconds did a logo finally flash on screen.
It worked—maybe too well. Within seconds, the mysterious segment sent over 20 million visits to Coinbase, a cryptocurrency exchange, causing its site to crash. Some accused Coinbase of normalizing scammer behavior by luring people to visit a URL. The incident proves, if anything, how easily millions of people can be persuaded to scan a QR code they know nothing about.
QR codes point you to websites and apps, but because our eyes can’t read them, they’ve also become a way to disguise malicious links. As they become more widely used—for everything from tracking packages to viewing menus to paying for something—it’s more essential than ever for internet users to understand when they may or may not be safe.
What is a QR code?
QR (quick response) codes are two-dimensional barcodes that smartphones and other camera-equipped devices can read. A code is a square grid of small black-and-white cells (modules), with three larger position markers in the corners that tell the scanner where the code starts and how it is oriented. Instead of typing a long string of characters to reach a specific web page, you point your camera at the square and voilà, you're taken to a destination on the web.
Scanning a QR code can:
- Open a website
- Download an app
- Join your device to a Wi-Fi network
- Approve a login (for example, scanning a code shown on a website to sign in with an app on your phone)
- Create a contact
- Send an email or text message
- Dial a phone number
- Direct a payment
Unlike conventional one-dimensional barcodes, which encode a small amount of data along a single axis, QR codes encode data in both directions, horizontally and vertically, so they hold far more: a URL, a phone number, a Wi-Fi password, or up to 4,296 alphanumeric characters (2,953 bytes of arbitrary data) in the largest version, all in a compact, machine-readable format. Each code also carries error-correction data, which is why a scanner can still read one that is scuffed, partly obscured, or printed with a logo over its center.
QR codes’ rise to popularity
The first QR code system was developed in Japan in 1994 by Denso Wave, a Toyota subsidiary, which needed a better way to track vehicles and parts on the production line and so designed a barcode that could encode both Japanese (kanji and kana) and alphanumeric characters. Denso Wave holds patents on the technology but has never exercised them, which left it free for anyone to use. Mobile phones with QR readers were sold in Japan as early as 2002, but scanning only became mainstream in 2017, when iOS 11 gave the iPhone's built-in Camera app the ability to recognize QR codes without a separate app.
Then came the pandemic. As businesses took extra steps for safety and sanitation, touchless tech suddenly became indispensable. It’s now common to see restaurant tables equipped with QR codes you scan to open an online menu, or even pay for your meal. Half of all restaurants in the US have added QR-code menus since the start of the pandemic, and more than half of adults say they want to see more tech in their transactions. Even classically brick-and-mortar businesses, like furniture retailers, shoe stores, and pharmacies, are using QR codes in ads, on packaging, and for transactions.
But ubiquity doesn't equal security. If QR codes have helped people avoid the coronavirus, they have also opened a new avenue for online threats, from scammers to malware. Because QR codes send you to more websites, more often, as you go about your day, businesses get more opportunities to track and analyze your spending patterns, and attackers get more chances to compromise your accounts or your device.
QR code security risks
QR codes are not inherently dangerous. Most of those you come across are nothing more than web links to consumer websites and should be treated with the same level of caution as all the other links you encounter online. The difference is we can’t read QR codes with our own eyes, which allows them to mask malicious links.
Collecting personal information and data for tracking purposes
The website or app a QR code opens, and whoever operates it, can:
- Track your online activity using cookies. Cookies are small pieces of data a website stores on your device; third-party cookies in particular let advertisers and data brokers follow you from site to site, and that data can be collected and resold without your consent.
- Log your scan metadata. The printed code itself records nothing; it is the server behind the link that sees each visit. From the HTTP request alone, the code's owner learns when and how often the code was scanned, your IP address (and the rough location it implies), and your device's user-agent string, which reveals the operating system and browser. If the code points at a redirect service (a so-called dynamic QR code), that service logs the scan before forwarding you to the real destination.
- Ask for your personal information directly. A QR code can open an app or a site that requires you to enter personal details, or one that asks for financial data such as a credit card number.
As third-party tracking has grown more rampant, internet users have become more privacy conscious, prompting changes in the way cookies can be used. Firefox and Safari have phased out third-party cookies, and Google, a notorious tracker, has pledged to do the same. To make up for it, many companies have turned to first-party data—the data they collect from you themselves.
QR codes, which bring digital interactions into otherwise offline spaces, have become an effective way to collect that first-party data. The operator can record when, where, and how often a code is scanned, even if all you do is read the page it opens, and the page itself may ask you to enter personal details or to log in. That has let some businesses, restaurants among them, build detailed customer databases with contact information and even order histories. Thanks to the QR code you use to open the menu and order at your favorite sushi spot, it might already know you're into spicy tuna, and it is free to share or sell that information with others.
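As an added example (not code from the article or from Neeva) of how that first-party collection works, the following Python redirect service shows what a so-called dynamic QR code actually encodes and what the operator learns from each scan. The code printed on the table contains only a short link such as https://qr.example/r/menu42; the service looks up the real destination, logs the request, and forwards the visitor. The domain qr.example, the REDIRECTS table, and the sample scans are all constructed for illustration.

```python
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hypothetical table for a "dynamic" QR service: the code printed on the table
# or poster contains only a short link such as https://qr.example/r/menu42,
# and this table maps that short ID to the real destination.
REDIRECTS = {
    "menu42": "https://sushispot.example/menu",
    "promo7": "https://shoes.example/spring-sale",
}

SCAN_LOG = []  # a real service writes to a database; a list is enough here


def resolve(code_id):
    """Return the real destination for a short code, or None if unknown."""
    return REDIRECTS.get(code_id)


def record_scan(code_id, remote_addr, user_agent, when=None):
    """Build and store the record kept for one scan.

    Every field comes from the HTTP request itself: no cookie, no consent
    banner and no login is needed to collect it.
    """
    when = when or datetime.now(timezone.utc)
    record = {
        "code": code_id,
        "time": when.isoformat(),
        "ip": remote_addr,          # geolocating the IP gives an approximate location
        "user_agent": user_agent,   # reveals OS, browser and often the device model
        # running counts of how often this code, and this IP, have been seen
        "scans_of_this_code": 1 + sum(1 for r in SCAN_LOG if r["code"] == code_id),
        "scans_from_this_ip": 1 + sum(1 for r in SCAN_LOG if r["ip"] == remote_addr),
    }
    SCAN_LOG.append(record)
    return record


class RedirectHandler(BaseHTTPRequestHandler):
    """GET /r/<code> logs the scan, then 302-redirects to the real page."""

    def do_GET(self):
        code_id = urlsplit(self.path).path.rsplit("/", 1)[-1]
        target = resolve(code_id)
        if target is None:
            self.send_error(404)
            return
        record_scan(code_id, self.client_address[0], self.headers.get("User-Agent", ""))
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()


if __name__ == "__main__":
    # Two constructed scans of the same code from the same phone, then one of
    # another code: the service already knows it is the same visitor.
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4 like Mac OS X)"
    for code in ("menu42", "menu42", "promo7"):
        print(json.dumps(record_scan(code, "203.0.113.5", ua), indent=2))
    # To run it as an actual redirect service instead:
    # HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Notice that the visitor never sees qr.example in the address bar for more than an instant; the only evidence of the intermediary is the short link shown in the camera preview before you tap it, which is one more reason to read that preview.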
You can’t tell where the QR code will take you by looking at it. It’ll take you wherever its author designed it to take you, regardless of who that author is. As such, QR codes can be the first step in malware attacks or phishing scams.
In January 2022, the FBI warned users to watch out for malicious QR codes that direct scans to websites designed to steal data. For instance, an attacker replaces or covers a legitimate digital or physical QR code with a look-alike code of their own. Scan it and you're taken to a site that imitates the one you expected; the login and payment details you enter there go straight to the attacker. This is a form of phishing: a social engineering attack that uses a fraudulent message, here a QR code, that appears to come from a trusted source in order to steal private data.
The FBI also warns that malicious QR codes can lead to malware, an exploit, or other unwanted content. Scanning one could, for example, start a malicious software download (a drive-by download), lead you to malware posing as a legitimate app, and ultimately give an attacker access to your device. Remember, a QR code can do more than open a link: it can add a contact, compose an email or text, join a Wi-Fi network, launch a payment app, or follow a social media account, and each of those is an action your phone takes on your behalf.
How can you tell if a QR code is safe?
Short answer: you can't, at least not by looking at the code itself. QR codes rely on a degree of blind trust, and only recently have modest protections been built into common devices. Android, for example, now makes it harder for a link to silently install an app. And on both Android and iOS, the camera app shows a preview of the destination (at least the domain) that you must tap before the site opens, which gives you a chance to back out if the address looks wrong.
“Regardless, you should always practice caution,” says Sridhar Ramaswamy, co-founder of Neeva, “because there’s just no way to tell what it is.” Your level of trust should depend both on the significance of the information you're getting or giving and on the context in which you found the code. The ones on restaurant tables, for instance, are generally fairly safe. But if you're being asked for credit card information, double-check that you're on the right site.
Tips for using QR codes safely
Just because you can’t guarantee a QR code is safe doesn’t mean there’s nothing you can do to protect yourself. Whether you’re scanning one to get service, or tempted by a good deal, here are a few tips to keep in mind for safety:
- Only scan when you really need to. Quell the desire to find out where every QR code leads—because the more you scan, the more chance you’ll have of stumbling on a dangerous code. Be selective. Ask yourself if there’s another way to access the same information. For example, you can almost always get to a restaurant’s menu page through its website.
- Consider the context. Ask yourself whether a QR code belongs where you found it. Imagine you're at your bank's ATM and notice a QR code stuck next to it. You scan it and land on a site that looks like your bank's. When you try to log in, your password manager offers nothing (it autofills only on the exact domain a credential was saved for, so a manager that goes quiet on a familiar-looking login page is itself a warning), and you're then taken to a screen asking for your debit card number to "verify your account." That series of red flags points to a social engineering attack, and the question that stops it is: would my bank put a QR code next to one of its ATMs? Probably not.
- Check the destination URL. Scammers can paste their own QR code over a legitimate one, and the two look almost identical; the same goes for email, where a phishing message can carry a malicious code in place of a link. When your camera app shows the destination URL, read it character by character. Malicious domains often mimic the intended one with a typo or a swapped letter pair ('rn' where there should be an 'm', 'vv' for 'w'), or bury the real brand name inside a longer domain they control. If the domain looks wrong or anything seems off, don't open the site. Be wary of shortened links (bit.ly and the like), which hide the real destination until you've already followed them.
- Be careful with personal information. Scammers and attackers are typically after money or valuable data. “You need to be very sure about where you’re entering sensitive information,” says Ramaswamy, especially when entering login, personal, or financial information. If you can, avoid making payments through a QR code link. Enter the trusted URL manually to complete your payment instead.
- Never install an app from a QR code. Malicious apps are one of the main ways mobile devices pick up malware, and a scanned link can point at a look-alike app or, on Android, at an installer file outside the store altogether. Search for the app in your phone's official app store instead.
- Use a browser with anti-tracking features. Neeva’s extension can help you block trackers on Chrome, Firefox or Edge.
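To make two of the points above concrete, the list of actions a scan can trigger (given near the top of the page and repeated in the FBI warning) and the advice to read the destination URL character by character, here is an added example, not code from the original article or from Neeva, of a small Python checker that takes a decoded QR payload, says what the phone would do with it, and lists reasons to distrust a link. The allow-list TRUSTED_DOMAINS, the shortener list, and all sample payloads are hypothetical; the lookalike test folds only a handful of common character confusions, and the registrable-domain logic ignores multi-part suffixes like co.uk, so treat it as an illustration of the checks rather than a finished product.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: the domains this user actually does business with.
TRUSTED_DOMAINS = {"mybank.example", "sushispot.example"}
# Partial list of link shorteners (a real tool would keep a fuller one).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Character sequences that look alike in many fonts, folded to one canonical form.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]
# Payload prefix -> what a scanner app does with it (longer prefixes first).
ACTION_PREFIXES = [
    ("wifi:", "join_wifi"), ("begin:vcard", "add_contact"), ("mecard:", "add_contact"),
    ("matmsg:", "send_email"), ("mailto:", "send_email"), ("smsto:", "send_sms"),
    ("sms:", "send_sms"), ("tel:", "dial_phone"), ("bitcoin:", "payment"),
    ("https://", "open_url"), ("http://", "open_url"),
]


def classify(payload):
    """Map a decoded QR payload to the action the phone would take."""
    low = payload.strip().lower()
    for prefix, action in ACTION_PREFIXES:
        if low.startswith(prefix):
            return action
    if re.match(r"^[a-z][a-z0-9+.-]*://", low):
        return "open_app"  # custom scheme, handed to whichever app registered it
    return "plain_text"


def registrable(host):
    # Last two labels (simplification: ignores multi-part suffixes like co.uk).
    return ".".join(host.split(".")[-2:])


def fold_homoglyphs(text):
    for seq, repl in HOMOGLYPHS:
        text = text.replace(seq, repl)
    return text


def url_findings(url):
    """Return (host, reasons to distrust this URL); an empty list means nothing found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme == "http":
        findings.append("plain http, not https")
    if parts.username or parts.password:
        findings.append("credentials embedded before the host")
    if host in SHORTENERS:
        findings.append("link shortener hides the final destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, check for lookalike non-Latin characters")
    base = registrable(host)
    if base in TRUSTED_DOMAINS:
        return host, findings
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(base) == fold_homoglyphs(trusted):
            findings.append(f"domain '{base}' is a lookalike of trusted '{trusted}'")
        elif trusted in host:  # e.g. mybank.example.verify-login.net
            findings.append(f"trusted name '{trusted}' embedded in other domain '{base}'")
    return host, findings


def assess(payload):
    """Classify a payload and rate it ok / caution / block, with reasons."""
    action = classify(payload)
    host, findings = "", []
    if action == "open_url":
        host, findings = url_findings(payload)
    elif action != "plain_text":
        findings.append(f"code performs '{action}', not just opening a web page")
    if any(w in f for f in findings for w in ("lookalike", "embedded", "credentials")):
        verdict = "block"
    else:
        verdict = "caution" if findings else "ok"
    return {"action": action, "host": host, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed payloads, as a scanner app would hand them over after decoding.
    for payload in ["https://menu.sushispot.example/table/12", "http://rnybank.example/login",
                    "https://mybank.example.verify-login.net/atm", "https://bit.ly/3abcXYZ",
                    "WIFI:T:WPA;S:CafeGuest;P:secret123;;", "Table 12"]:
        result = assess(payload)
        print(f"{result['verdict']:8} {result['action']:12} {payload}")
        for finding in result["findings"]:
            print("         -", finding)
```

Run as written, the homoglyph domain and the one that merely embeds the bank's name both come back as block, the shortener and the Wi-Fi payload get caution, and the restaurant menu passes. The same logic belongs in any scanner between decoding the string and letting the phone act on it, which is exactly the step the built-in preview asks you to perform by eye.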
What about QR scanner apps?
Some antivirus vendors offer QR-code scanner apps that promise to check a link's safety before you open it. Such an app may be useful if you trust the vendor, but it isn't necessary, and the FBI's advice is not to download a scanner app at all: the app itself is one more download that can carry malware, and the built-in camera app on most phones already reads QR codes. Stick with your phone camera's built-in scanner.
Ready for a private search experience that was built for people, not data mining or advertising? Try Neeva, the world’s first private, ad-free search engine. We are committed to showing you the best results for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.