QR Codes … A Security Risk?

Published On: 6 October 2021 By IT Services

In this tech insight, we examine QR codes’ uses, review some well-known security risks, and outline what you can do to protect yourself from malicious QR codes.

Quick Response (QR) Codes

A QR code is a machine-readable (e.g., by smartphones) matrix barcode invented in 1994 by Denso Wave, a Japanese automotive company and Toyota subsidiary, to track vehicles and parts during the manufacturing process. A QR code stores information as a series of pixels in a square grid that can be read in two directions: top to bottom and right to left.

How They Work

The three large squares at the corners of a QR code mark its boundary and show the scanner that everything inside is part of the code. Patterns in QR codes represent binary codes that can be interpreted to reveal the data. The codes can be read using built-in QR scanners or QR apps on smartphones (via the camera), iPads, tablets, and other devices.


QR codes can store website URLs, phone numbers, or up to 4,000 characters of text. These codes have multiple uses, including sales and marketing (e.g. sending information about a business or product, or a menu, to a user’s phone). QR codes are also used for linking directly to an app download (Apple App Store or Google Play), postal services tracking, education, authenticating online accounts and verifying login details, accessing Wi-Fi (storing encryption details), and sending and receiving payment information. QR codes have also recently been used in coronavirus tracing apps.

Are They Safe?

QR codes themselves can’t be hacked and do not collect personally identifiable information, but they do collect other data such as location, the number of times a code has been scanned (and at what time), and what operating system (iPhone or Android) is being used. Although this is generally a safe technology, consumer watchdog Which? says of QR codes, “not all of them are safe.”


Research (e.g. observations by the Unit 42 threat intelligence team at Palo Alto Networks) indicates that the proliferation of QR codes, particularly during the pandemic (when they suited ‘no-contact’ interactions), has meant that cybercriminals are discussing and exploring ways to exploit them.

Some of the risks associated with QR codes include:

– Humans can’t read QR codes, so they cannot see any potential risks just by looking at the code.

– Hackers can create malicious QR codes which direct users to fake websites/phishing websites that capture their personal data.

– Attackers can embed malicious URLs (containing custom malware) into a QR code, which could steal data from a mobile device when scanned.

– Malicious QR codes can add contacts or compose emails on a user’s device, posing security threats.

– Threat actors could present a malicious QR code with the promise of free internet access, which could link to an unsafe Wi-Fi network where hackers could eavesdrop, intercept data, and steal identifiable information.

– Malicious QR codes can be used to cover up/replace legitimate QR codes.


Ways that you can protect yourself from threats posed by the use of malicious QR codes include:

– Only download QR scanning apps from trusted sources, e.g., Apple’s App Store or the Google Play Store, and make sure that the app you download is backed by plenty of positive reviews.

– Use a QR scanner that checks scanned links to ensure they are safe before submitting any information.

– Check to ensure that the QR code you’re about to scan is being presented to you by a reputable source.

– Don’t scan a QR code if you’re unsure where it will lead, and preview the website and domain to be sure.

What Does This Mean For Your Business?

QR codes are a convenient, fast, and flexible way to present data, but criminals and cybercriminals are always looking for new ways to operate scams such as phishing, and QR codes represent a possible new scamming opportunity.

Businesses can ensure that their QR codes haven’t been tampered with or replaced with malicious versions by regularly carrying out integrity checks on their sites and apps (e.g. by scanning the code to check if the link within the QR code is correct). Businesses should also educate staff about how cyber criminals can use QR codes. As individuals, we should always use QR scanning apps from reputable sources and be cautious about scanning QR codes in unfamiliar locations and situations. It is also sensible to avoid using public Wi-Fi networks for business generally (without a VPN) and to avoid any ‘free Internet’ offers where there’s a QR code.
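The link preview and the business integrity check described above can both be automated once a scanner has decoded a code into text. The following Python sketch is an added example, not part of the original article: the names `preview` and `ACTIONS` and the sample hosts are assumptions made for illustration, and decoding the image itself is left to whichever scanner is in use.

```python
from urllib.parse import urlsplit

# Payload prefixes that make a scanner offer an action other than opening a page.
ACTIONS = {
    "wifi:": "join a Wi-Fi network",
    "mailto:": "compose an email",
    "matmsg:": "compose an email",
    "smsto:": "compose a text message",
    "tel:": "dial a number",
    "mecard:": "add a contact",
    "begin:vcard": "add a contact",
}

def preview(payload, expected_hosts=()):
    """Return (action, host, warnings) for one decoded QR payload string."""
    text = payload.strip()
    lower = text.lower()
    for prefix, action in ACTIONS.items():
        if lower.startswith(prefix):
            return action, None, [f"scanning will {action}"]
    if not lower.startswith(("http://", "https://")):
        return "show text", None, []
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "open a link", None, ["URL is malformed"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("link is not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' is not the real host")
    if host.replace(".", "").isdigit():
        warnings.append("host is a raw IP address")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("internationalised host may imitate another domain")
    if expected_hosts and host not in expected_hosts:
        warnings.append(f"host {host!r} is not an expected host")
    return "open a link", host, warnings

if __name__ == "__main__":
    # Constructed payloads, as a scanner would hand them over after decoding.
    samples = [
        "https://menu.example.com/table/4",
        "https://menu.example.com@evil.test/table/4",
        "http://192.0.2.7/login",
        "WIFI:T:WPA;S:Free Internet;P:constructed-password;;",
    ]
    for s in samples:
        print(s, "->", preview(s, expected_hosts={"menu.example.com"}))
```

For a periodic integrity check, pass the hosts the business actually publishes as `expected_hosts` and treat any non-empty warning list for a deployed code as a reason to inspect the printed or displayed code.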

This article has been republished with permission from MKLINK.
