QR Codes Are Dangerous: Here’s How To Use Them Safely
Scanning and using QR Codes can be quite dangerous — unlike a human-readable link, someone who scans and loads a website via QR code typically does not know what the actual would-be destination is until after that site has already started loading.
Most QR codes are harmless — and quite useful. But criminals also exploit QR codes to get people to visit websites that they would otherwise not visit.
I also know that modern-day phones display the human-readable link represented by a QR code before actually redirecting to the QR code’s encoded link — but, those human-readable links are often formatted with link shorteners, or truncated due to space constraints, thereby obfuscating their true destinations. Besides, let’s be honest with ourselves, how many people consistently check the links every time they scan a QR code?
So, how can you safely use QR codes? (And, yes. I use QR codes.)
As I wrote in Cybersecurity for Dummies:
Scanning a QR code and allowing your phone to perform the action associated with the result is only safe to do when you know the source of the QR code is reliable.
I have seen people blindly scan and follow the links of QR codes found on slips of paper on restaurant tables, projected on the outside of buildings in New York City, displayed on posters hung up on the fences around construction sites, and even broadcast on television.
These are dangerous actions.
Unless you know the actual destination of a QR code, or know the source of how that code became available to you, beware.
Of course, in many cases you do actually know that a QR code is adequately risk-free.
Consider, for example, that scanning a QR code that appears on my website, on the business card that I just handed to you, or on one of my slides that I am using during a lecture at Columbia University, presents a totally different level of risk than scanning a QR code left on a piece of paper on a restaurant table with a note that says “Scan for Menu.” After all, anyone who enters the restaurant can potentially place a note on a table — not just the restaurant owner. And, if an unscrupulous person did swap the restaurant’s paper with an otherwise identical copy bearing a rogue QR code, it is likely that the restaurant staff would not even notice the difference. And, today, it is not hard for a criminal to direct someone to a website that loads malware and then redirects to the actual menu site, making customers totally unaware that anything bad even happened.
So, always think about the totality of the circumstances before scanning and redirecting based on a QR code.
In any event, you really should also always check the link that appears before deciding to click proceed — if the link looks suspicious, beware.
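The link check described above, and the earlier point about shorteners and truncated previews, can be sketched in code. This is an added example, not from the original article; the shortener sample list, the 30-character preview width and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Small sample of shortener hosts (an assumption for illustration, not a complete list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def review_qr_payload(payload, preview_chars=30):
    """Return (full_host, warnings) for text decoded from a QR code.

    preview_chars is an assumed preview width; real scanner apps differ.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # A QR code can trigger actions other than opening a web page.
        return None, ["not a web link (scheme: %r)" % scheme]
    host = parts.hostname
    if not host:
        return None, ["no hostname found"]
    warnings = []
    if host in SHORTENER_HOSTS:
        warnings.append("link shortener: the real destination is hidden")
    # Position in the text where the authority (host) part ends.
    authority_end = len(parts.scheme) + len("://") + len(parts.netloc)
    if authority_end > preview_chars:
        warnings.append("a %d-character preview cuts off the hostname" % preview_chars)
    return host, warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    samples = [
        "https://example.com/menu",
        "https://bit.ly/3xAmPlE",
        "https://menus.cafe-on-main-street.example.net/table/12",
        "WIFI:S:CafeGuest;T:WPA;P:constructed;;",
    ]
    for sample in samples:
        host, notes = review_qr_payload(sample)
        print(sample)
        print("  full host:", host)
        for note in notes:
            print("  warning:", note)
```

A shortener warning means the hostname shown is not the final destination, so the full host printed here says nothing about where the link ends up.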