QR Codes


What are they? How are they used, and how are they exploited in phishing scams?

A QR code, or "quick response" code, is a type of two-dimensional barcode that contains a matrix of small, square dots arranged in a square grid.  These barcodes are designed to be quickly scanned and read by smartphones and other mobile devices equipped with a camera and QR code reader app.  

Unlike familiar one-dimensional barcodes found on product packaging, QR codes can store a much larger amount of information, including website URLs, contact details, event details, and even text or numerical data.   

The square, pixelated design of a QR code allows it to be easily recognized and decoded by the camera on a smartphone.  

When a user scans a QR code with their device, it will instantly pull up the information encoded within, whether that's a link to a website, a calendar event, or some other type of content. QR codes have become increasingly common in recent years, appearing on everything from product labels and business cards to restaurant menus and event posters.

QR codes provide a quick and convenient way for consumers to access digital information or complete transactions simply by scanning a code with their phone.  Their versatility and ease of use have made them a valuable tool for businesses and organizations looking to engage customers, share important details, or streamline processes through mobile technology.

How QR Code Phishing Differs From "Traditional" Phishing

Traditional phishing attacks usually involve a highly targeted email from a bad actor designed to trick the recipient into opening a malicious attachment or clicking on a malicious link.  The goal is to direct the user to an attacker-controlled webpage.

Phishing emails, like those used in business email compromise (BEC) scams, often impersonate a familiar individual or organization in an attempt to gain the target's trust.  These emails may include a Microsoft Word document or link that the victim is likely to open, as they would normally trust the source.

In malicious QR code phishing (quishing), the bad actor embeds a QR code in the phishing email or places the QR code in a public location and lures the unsuspecting user into scanning it.

How QR Codes Are Used in Phishing Attacks

These QR codes may route the user to a fraudulent website that mimics a legitimate service, prompting them to enter login credentials, credit card numbers, or other personal data. They could also trigger the download of harmful software that infects the user's device.

Phishers often strategically place these deceptive QR codes in public spaces, on product packaging, or even in marketing materials, relying on people's tendency to trust the familiar barcode format.

How to Prevent Getting "Caught" by QR Code Scams

To protect against these scams, individuals must exercise caution, avoid scanning QR codes from unknown sources, and instead type out URLs manually or use trusted apps to access online services.

Here are some more tips to help protect against QR scams:

Investigate Before Scanning: Before scanning any QR code, thoroughly examine all aspects of it, including its physical attributes and URL previews. If you see any signs of a potential scam, don’t scan it.

Use a Secure QR Code Scanner: For added security, you can use a third-party QR code scanner that does not collect or share any user data.

Do Not Share Personal Information: If you have scanned a QR code and are already on a landing page that looks authentic, take a minute to review the page. If it asks for any personal information, don’t share it immediately. Browse through the web page and do your due diligence to check for signs of a potential scam.

Educate Yourself: If you periodically review the standard QR code scams and how to avoid them, you will be less likely to become a target of them.

Don’t Skip OS Updates and Security Patches: Your device is one of your most effective security measures against QR scams. Its built-in security features help protect your data from being hacked, and they work best when the operating system and security patches are kept up to date.
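The "Investigate Before Scanning" tip mentions checking the URL preview. The sketch below is an added example, not part of the original article, showing what such a check can look for once a scanner has decoded the QR code to text. The function name, the trusted-domain list, and the shortener list are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists (assumptions): replace with the sign-in domains
# your users really rely on and the link shorteners you want flagged.
TRUSTED_DOMAINS = {"example.com", "example.org"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def review_qr_payload(payload: str) -> list[str]:
    """Return warnings for text decoded from a QR code (empty list = none)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not an http(s) web link"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label that may imitate a known brand")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted and any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
        warnings.append("trusted brand name inside an untrusted host")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over.
    for sample in ("https://example.com/menu",
                   "http://192.0.2.10/login",
                   "https://example.com@account-check.test/login",
                   "https://example.com.secure-login.test/"):
        print(sample, "->", review_qr_payload(sample) or "no warnings")
```

An empty result only means none of these particular signs were found; the landing page still deserves the review described under "Do Not Share Personal Information".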