Scanning That QR Code Could Be More Dangerous Than You Realize

It's safer to find a link instead

  • QR codes are as dangerous as malicious links in emails.
  • These codes contain links that can open apps, start phone calls, share your location, and more.
  • Protect yourself by avoiding QR codes and using a link instead.
[Image: A cafe storefront with a QR code printed on white paper stuck in the window. Credit: Rebecca Hausner / Unsplash]

Instead of picking up a filthy restaurant menu with our bare hands, we've gotten used to the hygiene of QR codes. But those can be a little dirtier and a lot more dangerous than you might think. 

In 2015, a German ketchup lover scanned the QR code on their bottle of Heinz and got sent straight to a porn site. That could be embarrassing, but there are worse consequences for blindly scanning QR codes. According to password manager service 1Password, QR codes can start a phone call (which reveals your caller ID), betray your location, and more. So what can we do about it?

"We've all become conditioned to scanning a QR code to browse a menu or even pay our bills, and cybercriminals are now capitalizing on this through the use of malicious QR codes," Craig Lurey, cybersecurity expert and co-founder of Keeper Security, told Lifewire via email. "So what may look like a code to pay for a parking meter, and the site will look incredibly legitimate, you're actually entering your credit card details directly into a thief's database."

Bad Links

A QR code is just a shortcut to a link that can be read by your phone's camera and then decoded. We've all been trained never to click a link in an email, even if it looks legit. But QR code links are just as dangerous and have the added problem that you can't see where they lead until you scan them. 

When we think of links, we think of URLs that take us to websites. And in the case of the Heinz ketchup porn hack, that was the problem—Heinz let the domain name lapse, and somebody else bought it, then loaded it with dirty pictures. URLs are dangerous, as Lurey's parking meter phishing scam illustrates, but links can do much more. 

"One of the biggest problems is that, unlike websites, QR links to shortened URLs rarely identify the business name," Monti Knode, former commander of the USAF 67th Cyberspace Operations Group, told Lifewire via email. "A person clicks on it and presumes it will provide a restaurant menu, conference agenda, or even a charity link, and it very well could be a spoofed site or a malicious link that downloads code to your computer or mobile device."

On our phones, links can trigger apps. A Google Maps link opens in the map app, for example. Links can also start phone calls, add contacts to your address book (which can make future calls and emails from that contact seem legitimate), share your location, and more.

One ingenious scam involves a ne'er-do-well modifying an existing, legitimate QR code and using that to redirect victims. Advertiser Robert Barrows shared a story about his Video Enhanced Gravemarker.

"I realized that there could be several problems with QR codes on tombstones," Barrows told Lifewire via email. "What happens if the ink on the QR code decays over time? Will you wind up linking to a totally different website? What happens if someone changes the QR code with a marker?"

The same thing could happen with advertising posters, menus, or any QR code. 

[Image: Someone using a smartphone to scan a QR code for a restaurant menu. Credit: LeoPatrizi / Getty Images]

Protecting Yourself

Step one in protecting yourself is to be aware. Never scan a QR code unless you are certain that it is safe, which really means never scanning a QR code at all.

But if you do have to scan to check in to a restaurant or bar or view a menu, first make sure that the code hasn't been tampered with or covered with a sticker of another QR code. One tip is to switch off automatic QR code scanning in your phone's settings, if possible. But really, the best protection is to be careful. 

"When possible, just like with potential phishing links, the recommendations are to go directly to the provider's website to retrieve the information you are looking for," Dave Cundiff, CISO of cybersecurity company Cyvatar, told Lifewire via email. "In most instances, the information is web-hosted and accessible directly on the provider's website somewhere."

If the link isn't available, don't scan the code. It's far less convenient, but not as inconvenient as spending days or weeks dealing with the fallout of a malicious link.
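The article's two practical points, that a QR code is just an encoded link whose scheme decides what your phone does (open a site, place a call, add a contact, share a location) and that you should know where a code leads before acting on it, can be checked mechanically once the code has been decoded to text. The inspector below is an added example, not code from the article or from any of the companies quoted in it. It assumes the QR image has already been decoded to its payload string by a scanner app or library; the shortener list and the scheme descriptions are constructed for illustration.

```python
"""Classify the text payload decoded from a QR code before acting on it.

Added example (not from the article). Assumes the QR image has already
been decoded to a string; this code only looks at that string.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed list of well-known URL shorteners. A shortened link hides the
# real destination host, which is the problem the article's quote points out.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Schemes that make the phone do something other than open a web page,
# mapped to a plain description of that action (constructed descriptions).
ACTION_SCHEMES = {
    "tel": "starts a phone call (reveals your caller ID)",
    "sms": "drafts a text message",
    "mailto": "drafts an email",
    "geo": "opens a location in the maps app",
    "wifi": "joins a Wi-Fi network",
    "market": "opens an app store listing",
}


@dataclass
class QrVerdict:
    payload: str
    kind: str                 # "web", "action", "contact" or "text"
    action: str               # what scanning would actually do
    host: str = ""            # destination host for web links
    warnings: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        """True when anything about the payload deserves a second look."""
        return bool(self.warnings)


def inspect_payload(payload: str) -> QrVerdict:
    text = payload.strip()
    upper = text.upper()

    # vCard / MECARD payloads add a contact; the article notes this can make
    # later calls or emails from that contact look legitimate.
    if upper.startswith("BEGIN:VCARD") or upper.startswith("MECARD:"):
        return QrVerdict(text, "contact", "adds a contact to your address book",
                         warnings=["adds a contact without showing who it is"])

    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme in ("http", "https"):
        host = parts.hostname or ""
        verdict = QrVerdict(text, "web", "opens a website", host=host)
        if scheme == "http":
            verdict.warnings.append("plain http, not https")
        if host in SHORTENER_HOSTS:
            verdict.warnings.append("shortened URL hides the real destination")
        if parts.username or parts.password:
            verdict.warnings.append("credentials embedded before the host")
        if not host:
            verdict.warnings.append("no host in URL")
        return verdict

    if scheme in ACTION_SCHEMES:
        desc = ACTION_SCHEMES[scheme]
        return QrVerdict(text, "action", desc,
                         warnings=[f"'{scheme}:' link {desc} instead of opening a page"])

    if scheme:
        # Any other scheme is handed to whatever app registered it.
        return QrVerdict(text, "action", f"hands the link to the app that handles '{scheme}:'",
                         warnings=[f"unknown scheme '{scheme}:' may launch an app"])

    # No scheme at all: plain text, nothing is triggered.
    return QrVerdict(text, "text", "shows plain text")


def report(payloads) -> list:
    """One human-readable line per payload, for a preview screen or log."""
    lines = []
    for p in payloads:
        v = inspect_payload(p)
        flag = "CHECK" if v.risky else "ok"
        lines.append(f"[{flag}] {v.kind:7} {v.action}" + (f" ({v.host})" if v.host else ""))
    return lines


if __name__ == "__main__":
    # Constructed sample payloads of the kinds the article describes.
    samples = [
        "https://example.com/menu",
        "http://bit.ly/3abc",
        "tel:+15551234567",
        "geo:37.7749,-122.4194",
        "MECARD:N:Doe,John;TEL:+15551234567;;",
        "Table 12",
    ]
    print("\n".join(report(samples)))
```

The inspector shows what a code would do, but it cannot tell whether a legitimate-looking domain still belongs to the business that printed the code (the Heinz case), so the article's advice to go to the provider's own website directly still applies.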
