Despite prior warnings about the risks, it appears that people are still utilizing QR codes without first verifying their validity.
According to recent research, only one in six people (16%) are aware they run the risk of being scammed, and nearly three quarters of British consumers (72%) just point and scan.
Although a QR code affixed to a wall or lamp post may not seem very legitimate, almost 25% of respondents acknowledged that they had scanned a sticker in a public setting, and 23% had done so in order to use free WiFi.
Thus, it would seem appropriate to reiterate the reasons why it’s not really a good idea. Adrianus Warmenhoven, a cybersecurity specialist at NordVPN, was asked to elaborate.
He warned that people could scan a dodgy QR code and have their phone infected without even realising it.
It could take months before problems appeared, by which time they would be unlikely to connect it to a QR code they absentmindedly pointed their phone at.
Even just opening a website from a QR code can cause problems: as your device downloads and renders the page to show its photos and gifs, there is a chance of a ‘drive-by’ attack, in which the page itself exploits a flaw in the browser without you tapping anything further.
A QR code in a restaurant is probably just going to take you to the menu, but Adrianus points out that a criminal could easily print their own code on a sticker and cover up the original, or leave a printed card on tables.
‘It’s really cheap,’ he said. ‘I can create my own QR code stickers which have the exact format, and can put my own URL in.’
Criminals could initially direct the link to the correct website so as to avoid suspicion, but later change where it directs.
He said: ‘The biggest danger is that they’re opaque for people. There’s no other context than the place that you see them in.’
The biggest thing to remember is never to open a QR code link without checking the URL first, he said. Some phones show it automatically when you scan a code: iPhones, for example, display the link in orange when you scan with the camera app, and Google Lens does the same.
But Adrianus says psychologically, even if we don’t recognise what it says, we’re likely to just click the link anyway because of the ‘sunk cost fallacy’ – thinking we’ve already gone to the trouble of scanning it, so may as well see it through.
And some suspicious links will be disguised by URL shorteners such as Bitly or TinyURL, which obscure the website you are clicking on.
Shorteners make a link neater, which can be useful, but in the wrong context they are a red flag if you can’t verify who created them, especially as the destination behind a short link can be edited after the sticker has been printed.
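As a concrete version of the advice above (read the address before you tap, treat shorteners as a red flag, think twice about ‘free WiFi’ stickers), here is a small triage helper. It is an example added to this article, not code from NordVPN or the survey: it takes the text a scanner decoded from a QR code and lists what a person should notice before acting on it. The shortener list and the sample payloads are this example’s own assumptions, not a complete catalogue of risky services.

```python
"""Triage the text decoded from a QR code before acting on it.

Added example for this article; not code from NordVPN or the survey.
It needs no network access: it only reads the decoded string and reports
what a person should notice before tapping through.  SHORTENERS and the
sample payloads below are this example's own assumptions, not a complete
list of risky services.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a handful of well-known link shorteners, for illustration only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Constructed sample payloads in the shapes the article discusses.
SAMPLE_PAYLOADS = [
    "https://restaurant.example/menu",            # ordinary menu link
    "https://bit.ly/3abcDEF",                     # shortened: destination hidden
    "https://secure.example@192.168.1.20/login",  # '@' trick plus raw IP
    "http://restaurant.example:8080/menu",        # plain http on an odd port
    "WIFI:T:nopass;S:Free Cafe WiFi;;",           # 'free WiFi' sticker
    "tel:+440000000000",                          # scanning would start a call
    "Table 12",                                   # plain text, nothing to open
]


def parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:ssid;P:password;;' into a dict of its fields.

    Escaped characters (a backslash before ; : , or another backslash) are
    left as they are; that is enough for a red-flag check.
    """
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def triage(payload):
    """Classify a decoded QR string and return {'kind', 'target', 'flags'}."""
    flags = []

    if payload[:5].upper() == "WIFI:":
        wifi = parse_wifi(payload)
        if wifi.get("T", "").lower() in ("", "nopass"):
            flags.append("open network: whoever runs it can watch your traffic")
        if wifi.get("H", "").lower() == "true":
            flags.append("hidden network: you cannot see it in your WiFi list")
        return {"kind": "wifi", "target": wifi.get("S", ""), "flags": flags}

    match = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", payload)
    if not match:
        # No scheme at all: a table number, a serial, plain text. Nothing opens.
        return {"kind": "text", "target": payload, "flags": flags}

    scheme = match.group(1).lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto: and app schemes do something rather than show a page.
        flags.append(f"non-web scheme '{scheme}': scanning may dial, text or open an app")
        return {"kind": scheme, "target": payload, "flags": flags}

    url = urlsplit(payload)
    host = (url.hostname or "").lower()
    if scheme == "http":
        flags.append("plain http: the page and anything you type can be altered in transit")
    if not host:
        flags.append("no host name in the link")
    if url.username is not None:
        flags.append("text before '@' is a username; the real site is after the '@'")
    if host in SHORTENERS:
        flags.append("link shortener: destination is hidden and can be changed later")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode domain: may be a lookalike of a familiar name")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    try:
        port = url.port
    except ValueError:
        port = None
        flags.append("malformed port in the link")
    if port not in (None, 80, 443):
        flags.append(f"unusual port {port}")
    return {"kind": "url", "target": host, "flags": flags}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = triage(payload)
        verdict = "; ".join(result["flags"]) or "no red flags (still read the address)"
        print(f"{result['kind']:5} {result['target']!r}: {verdict}")
```

The helper deliberately stops short of following a short link to see where it lands: expanding it means contacting the shortener, and in the case of a dynamic code the destination you see today may not be the one served next week. An empty flag list means only that nothing obvious is wrong with the address, not that the site is safe.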
To get the data on people’s poor habits when it comes to QR code safety, NordVPN commissioned a nationally representative survey by Cint.
It comes after reports last year that drug dealers had been putting up QR codes near schools to drum up business, advertising ‘Get your delivery’ on phone boxes and bins.
Clearly, these would be the kinds of QR codes you should be careful of, as they are unlikely to link to law-abiding websites.
Adrianus points out that fake QR codes in restaurants, for example, are unlikely to be especially profitable for criminals because they must be left in person, requiring a degree of risk and investment they may not want.
Not every QR code is physical, though: some arrive by email or on screen and ask you to scan them to connect your phone to a service, as WhatsApp Web does when you link a device or Discord does with a server invite. Those deserve the same scrutiny.
If you do scan a dodgy QR code, your device could be infected with malware, or you could fall victim to ‘quishing’.
As the name suggests, this is phishing, but done via QR, so an attempt to get you to reveal personal data which can then be used or sold by criminals.
On average, people are browsing the internet with over 100 unpatched vulnerabilities called ‘zero days’, Adrianus says.
If a criminal works out these security holes before they can be updated and fixed, that’s a potential way into your data.
Phones are not immune, even though the typical image of a virus is of something infecting a computer.
In fact, some phones are even more likely to be infected, due to poor updating. This is especially likely if they are old models, as phone manufacturers stop releasing updates for phones after a certain period of time.
Adrianus thinks that QR codes won’t be around for that much longer anyway, as they are a ‘transitional Band-Aid in connecting the physical world to the almost completely digital world’.
He said: ‘It’s not to panic people never to use a QR code. It’s more like, be aware and just treat them as you would any other link.
‘Just if you get an email from a random person with a link in it, that’s the same measure of trust and distrust that you should have.’