QR Code Security: Risks & How to Stay Safe

TL;DR

Yes, a QR code can steal your data or lead you to harmful websites. It’s not the QR code itself that’s dangerous, but where it takes you. Be cautious about scanning codes from unknown sources and check the URL before proceeding.

How QR Codes Can Be Risky

QR codes are essentially shortcuts – they store a web address (URL). When you scan one, your phone automatically opens that link. This means a malicious actor can hide a dangerous website behind an innocent-looking code. Here’s how:

  • Phishing Websites: A QR code could lead to a fake login page designed to steal your username and password.
  • Malware Downloads: Some codes might direct you to download harmful software onto your phone.
  • Unwanted Redirects: You could be sent to spam websites or pages filled with unwanted ads.

How to Stay Safe: A Step-by-Step Guide

  1. Only Scan Trusted Codes: Be very careful about scanning QR codes from sources you don’t recognise. This includes posters in public places, flyers, or messages from unknown contacts.
  2. Preview the URL (If Possible): Some phones show a preview of the link before opening it. Always check this preview! If it looks suspicious, don’t proceed.

    Android: Many QR code scanners will display the full URL at the bottom of the screen before redirecting you. Look for anything unusual.

    iOS (iPhone): iOS 17 and later shows a preview when scanning. Older versions may not, so be extra cautious.

  3. Use a QR Code Scanner App with Preview: If your phone’s built-in scanner doesn’t show a preview, download a reputable QR code scanner app that does. There are many free options available in the Apple App Store and Google Play Store. Look for apps with good reviews and privacy policies.

  4. Check the Website Address: Once the website opens, look at the URL in your browser’s address bar. Does it match what you expected? Be wary of:

    • Typos or Misspellings: example.com vs examp1e.com
    • Unusual Domain Names: A legitimate bank website will have a proper domain name, not something strange or unrelated.
    • ‘http’ instead of ‘https’: ‘https’ indicates a secure connection; ‘http’ is less secure.
  5. Be Wary of Requests for Permissions: If a website asks for unusual permissions (like access to your contacts or location) immediately after scanning the code, be very cautious.
  6. Keep Your Phone Updated: Software updates often include security improvements that can help protect you from QR code-based attacks.

    Android: Go to Settings > System > System update.

    iOS (iPhone): Go to Settings > General > Software Update.

  7. Use a Cybersecurity App: Consider installing a cybersecurity app on your phone. These apps can scan websites and files for malware and other threats.
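The address checks from step 4 can also be automated wherever QR payloads are handled in software, for example a kiosk or a mail filter that decodes codes. The sketch below is an added example, not code from this guide's author. It assumes the caller already knows which domain the code is supposed to lead to; the function names, the look-alike table and the sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Digits often swapped in for letters (constructed table, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})

def _skeleton(host: str) -> str:
    """Fold look-alike characters so 'examp1e.com' and 'example.com' compare equal."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def check_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return warnings for a URL decoded from a QR code; an empty list means no flags."""
    warnings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    expected = expected_domain.lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    if not host:
        return warnings + ["no hostname in payload"]
    if parts.username is not None:
        warnings.append(f"text before '@' is not the site; real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label may hide look-alike characters")
    if not (host == expected or host.endswith("." + expected)):
        verb = "imitates" if _skeleton(host) == _skeleton(expected) else "is not on"
        warnings.append(f"'{host}' {verb} '{expected}'")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads using reserved example names and addresses.
    for url in ("https://example.com/menu",
                "http://examp1e.com/login",
                "https://example.com@evil.test/",
                "https://192.0.2.7/pay"):
        print(url, "->", check_qr_url(url, "example.com") or "no flags")
```

An empty result only means none of these specific checks fired; it does not show that the destination is safe.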

What if I Accidentally Scan a Bad Code?

  1. Disconnect from the Internet: Turn off Wi-Fi and mobile data to prevent further communication with any malicious website.
  2. Clear Your Browser History & Cache: This will remove potentially harmful cookies and temporary files.

    Chrome (Android/iOS): Open Chrome, tap the three dots menu, go to History > Clear browsing data.

  3. Run a Malware Scan: Use your cybersecurity app to scan your phone for malware.
  4. Change Your Passwords: If you entered any login details after scanning the code, change those passwords immediately.