When restaurants reopened after the COVID quarantines, many places transitioned to QR codes in order to reduce the transmission of germs and staff needed to clean the menus. At a restaurant we just went to, the laminated QR code (picture below) was not in good condition. I miss having a real menu but more importantly I am cautious because of the risk from QR codes.

Criminals have figured out that most people trust QR codes without a second thought. They can replace a real QR code with a fake one, leading you to a malicious site that steals your personal information, tricks you into entering passwords, or installs malware on your device. Since you can’t “see” what’s behind the code until you scan it, it’s like clicking on a mystery link.
The risk is higher in public places. Imagine a scammer sticking a fake QR code over a real one at a bus stop or parking meter—you think you’re paying for a ticket, but instead you’re handing your credit card details to a criminal.

The best way to protect yourself is simple: only scan QR codes from sources you trust, double-check the website address before clicking (if you can), and avoid entering sensitive information after scanning.
Before Scanning
- Check the Source: Only scan QR codes from trusted sources, such as official websites or known businesses. Be wary of codes from unfamiliar flyers, unsolicited emails, or those found in unexpected public locations.
- Inspect for Tampering: Physically examine the QR code for any signs of alteration, such as a sticker placed over an original code.
After Scanning
- Verify the URL: Before tapping the link or proceeding, check the destination URL. Ensure it’s the correct, expected URL, starts with https://, and doesn’t contain misspellings or unusual characters. Don’t trust a shortened URL (like the one used by the restaurant I went to) unless you are certain the QR code is legitimate.
- Watch Out for Deceptive Practices: Be suspicious of sites that ask for personal information, have poor grammar or design, or use pressure tactics like time limits or scare tactics.
- Do Not Download Apps: Never download an app prompted by a QR code, unless you are extremely confident that the application is legitimate. Only install apps from the official Apple or Google stores.
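
The URL checks from the "After Scanning" list can also be run automatically on the text a QR code decodes to. This is an added example, not part of the original post; the shortener list, the `.example` and `.invalid` sample domains, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed, non-exhaustive sample of link-shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url, expected_domain):
    """Return a list of warnings for a URL decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        warnings.append("not https")
    if "@" in parts.netloc:
        # Text before '@' is login info, not the site being visited.
        warnings.append("userinfo before '@' hides the real host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ASCII or punycode host")
    if host in SHORTENERS:
        warnings.append("shortened URL, destination hidden")
    elif host != expected_domain and not host.endswith("." + expected_domain):
        if edit_distance(host, expected_domain) <= 2:
            warnings.append("host looks like a misspelling of " + expected_domain)
        else:
            warnings.append("unexpected host " + host)
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads; none of these come from a real QR code.
    samples = [
        "https://corner-bistro.example/menu",
        "http://corner-bistro.example/menu",
        "https://bit.ly/abc123",
        "https://corner-bistr0.example/pay",
        "https://corner-bistro.example@pay.invalid/",
    ]
    for s in samples:
        print(s, "->", check_qr_url(s, "corner-bistro.example") or "no warnings")
```

An empty result only means none of these specific checks fired; it does not prove the destination is safe.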
QR codes are handy—but don’t let convenience become a trap.