We’ve been warned before about the dangers of using QR codes without checking them first – but it seems that people are still doing it.
New research shows that almost three quarters of Brits (72%) just point and scan, while only one in six people (16%) are aware they risk being scammed.
A QR code stuck on a wall or lamp post doesn’t scream legitimacy, but nearly a quarter admitted scanning a sticker in a public place, while 23% of people had done so to access public WiFi.
So it seems a good time for a reminder about why it’s not exactly a great idea. We asked cybersecurity expert Adrianus Warmenhoven from NordVPN to explain.
He warned that people could scan a dodgy QR code and have their phone infected without even realising it.
It could take months before problems appeared, by which time they would be unlikely to connect it to a QR code they absentmindedly pointed their phone at.
Even just opening a website from a QR code can cause problems, because as your device downloads and renders the code to show photos and gifs, there is a chance for a ‘drive by’ attack from cyber criminals.
A QR code in a restaurant is probably just going to take you to the menu, but Adrianus points out that a criminal could easily print their own code on a sticker and cover up the original, or leave a printed card on tables.
‘It’s really cheap,’ he said. ‘I can create my own QR code stickers which have the exact format, and can put my own URL in.’
Criminals could initially direct the link to the correct website so as to avoid suspicion, but later change where it directs.
He said: ‘The biggest danger is that they’re opaque for people. There’s no other context than the place that you see them in.’
The biggest thing to remember is never to open a QR code link without checking the URL first, he said. Some phones do this automatically when you scan a code, such as iPhones which show the link in orange when you scan with the camera app. Google Lens also does this automatically.
But Adrianus says psychologically, even if we don’t recognise what it says, we’re likely to just click the link anyway because of the ‘sunk cost fallacy’ – thinking we’ve already gone to the trouble of scanning it, so may as well see it through.
And some suspicious links will be disguised by URL shorteners such as Bitly or TinyURL, which obscure the website you are clicking on.
By making a link shorter, they make it neater, which can be useful – but in the wrong context, they can be harmful and are a red flag if you can’t verify where they come from, especially as the website they direct to can be edited.
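The check described above, written out as an added example (it is not code from NordVPN or from this article): a small Python function that looks at the text decoded from a QR code before anything opens it. The function name, the flag names and the sample URLs are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The two shorteners named in the article; extend the set as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

def triage_qr_url(payload, expected_domain=None):
    """Return warning flags for a decoded QR payload (empty list = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    flags = []
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    # "https://trusted.example@other.example/" really goes to other.example.
    if parts.username or parts.password:
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # an ordinary host name, not a bare IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as a lookalike name
    if host in SHORTENER_HOSTS:
        flags.append("shortener")  # real destination hidden and editable
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            flags.append("unexpected-domain")
    return flags

if __name__ == "__main__":
    # Constructed samples: what a restaurant table sticker might decode to.
    for url in ("https://menu.example-restaurant.test/table/4",
                "https://bit.ly/3abcXYZ",
                "http://203.0.113.7/menu",
                "https://example-restaurant.test@login.example.net/"):
        print(url, "->", triage_qr_url(url, "example-restaurant.test") or "ok")
```

A shortened link is flagged rather than followed, because the place it redirects to can be changed after the code was printed.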
To get the data on people’s poor habits when it comes to QR code safety, NordVPN commissioned a nationally representative survey by Cint.
It comes after reports last year that drug dealers had been putting up QR codes near schools to drum up business, advertising ‘Get your delivery’ on phone boxes and bins.
Clearly, these would be the kinds of QR codes you should be careful of, as they are unlikely to link to law-abiding websites.
Adrianus points out that fake QR codes in restaurants, for example, are unlikely to be especially profitable for criminals because they must be left in person, requiring a degree of risk and investment they may not want.
Some QR codes are just sent via email, though, with the option to scan and connect your phone (such as to use WhatsApp Web, or join a Discord server).
If you do scan a dodgy QR code, your device could be infected with a virus or malware or you could fall victim to ‘quishing’.
As the name suggests, this is phishing, but done via QR, so an attempt to get you to reveal personal data which can then be used or sold by criminals.
On average, people are browsing the internet with over 100 unpatched vulnerabilities called ‘zero days’, Adrianus says.
If a criminal works out these security holes before they can be updated and fixed, that’s a potential way into your data.
Phones are not immune, even though the typical image of a virus is of something infecting a computer.
In fact, some phones are even more likely to be infected, due to poor updating. This is especially likely if they are old models, as phone manufacturers stop releasing updates for phones after a certain period of time.
Adrianus thinks that QR codes won’t be around for that much longer anyway, as they are a ‘transitional Band-Aid in connecting the physical world to the almost completely digital world’.
He said: ‘It’s not to panic people never to use a QR code. It’s more like, be aware and just treat them as you would any other link.
‘Just if you get an email from a random person with a link in it, that’s the same measure of trust and distrust that you should have.’