If you are like most people, you scanned a Quick Response (QR) code not long ago. Human beings tend to be curious by nature and often can't resist the temptation to check out what’s on the other side of the black and white grid. And since the pandemic hit in 2020, QR codes have become our daily keys to freedom.  

Ten years ago, about 62% of Australians didn’t know what QR Codes were or how to use them. In 2021, the term QR Code was searched 60,000 times in Australia, with QR Codes being leveraged in almost every industry. The use cases for QR codes are increasing: we can now use them to view menus at a restaurant, to buy a take-away coffee, browse a retail store, or see our doctor. Most recently they’ve been instrumental in reducing the spread of COVID-19 by collecting the customer contact details required by State and Territory governments for contact tracing, providing a contactless alternative to pen and paper.  

Looking overseas, a September 2020 study by MobileIron found that 86% of respondents had scanned a QR code over the previous year. Another survey by Ivanti of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. found that a further 57% of respondents have increased their QR code usage since mid-March 2020. 

What are QR codes? 

QR codes have been around since the mid-1990s and are convenient tools to quickly jump to a website, read a PDF, or watch a video. They allow consumers to book events, listen to a podcast, or claim a free product within seconds. They can also add a subscriber's details to your contact list, dial a specific number, or send a text message to a specific recipient. They were introduced by the engineer Hara Masahiro, who realised that a QR code can pack 200 times more information into its pattern than a regular barcode. 

QR codes, a favourite playground for hackers 

Unfortunately, the convenience of using QR codes also carries risks. If you scan a QR code that directs you to a non-government website requesting your name, phone number and email address, for example, you could give away personal contact information to be used for marketing or criminal purposes. 

Scanning a QR code takes only seconds; however, most QR code users do not consider, or are simply unaware, that each scan might direct them to a suspicious website or trigger unexpected actions on their personal devices or on their company-owned mobiles or tablets. 

The truth is that QR codes have become a favourite playground for hackers. They are as easy to abuse as they are to create by signing up to a free QR code generator. Hackers print adhesive labels carrying malicious QR codes and paste them over legitimate ones, for example, allowing them to capture payment information from the transaction or even initiate a payment without the user's knowledge or interaction. 

But it’s not just about payment information. Malicious QR codes can also trigger malware or phishing attacks. Motivations range from co-opting mobile accounts to compromising corporate apps and all the data they hold. In 2020 alone, hackers running QR code scams collectively stole roughly $18.5 million from unsuspecting victims. 

That said, using an app developed by a State or Territory government, such as Service NSW, is considered lower risk.  

Best practices using QR codes 

Here are some general guidelines from a user perspective on what to remember when using QR codes. 

  • Never scan a randomly found QR code.
  • Be suspicious if, after scanning a QR code, you are asked for a password or login details. 
  • Do not scan QR codes received in emails unless you know they are legitimate. 
  • Do not scan a QR code if it is printed on a label and applied atop another QR code. Check with the owner of the business before scanning – it could be malicious. 
  • If a QR code triggers a bit.ly URL, check the link by adding a plus symbol (+) at the end. This will direct you to a page displaying the link’s information so you can determine if it’s legitimate or not. 

The Australian Cyber Security Centre (ACSC) additionally suggests: 

  • Only scan QR codes that are located in prominent positions in businesses. 
  • Look for prompts on your smartphone indicating the actions that the QR code will perform. 
  • Cancel or terminate any unwanted action triggered by scanning the QR code (for example, close a web browser that is directed to an unknown website, or hang up if an unexpected phone call is initiated). 
  • Ask the business for its privacy policy details to check how your personal contact information will be collected, stored, used and deleted.
  • Provide only the minimum amount of personal contact information required by the State or Territory government (name, email or phone number). 

Lastly, the best protection is to have security software installed on your mobile device that will help detect and remediate malicious codes and threats. 
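The two lists above boil down to one habit: work out what a code will make your phone do before you let it happen, and treat shortened links, login prompts and unexpected actions as warning signs. The following Python script is an added example, not code from the original article or from The Missing Link, showing how that check can be automated once a scanner app has decoded a code's text. It classifies the payload by the action it would trigger (open a page, dial, text, join Wi-Fi, add a contact), flags the common warning signs, and applies the bit.ly "+" preview tip from the list above. The sample payloads, the shortener list and the host names are constructed for illustration and are not taken from any real incident.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Hosts of common URL shorteners (illustrative list, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# URI schemes that make the phone *do* something rather than show a page.
ACTION_SCHEMES = {
    "tel": "dial a phone number",
    "sms": "send a text message",
    "smsto": "send a text message",
    "mailto": "send an email",
}


def _host_warnings(host: str) -> list:
    """Warning signs that depend only on the host part of a URL."""
    warnings = []
    try:
        ipaddress.ip_address(host)
        warnings.append("points at a raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) domain; may imitate a familiar name")
    if host in SHORTENER_HOSTS:
        warnings.append("shortened URL hides the real destination; preview it before opening")
    return warnings


def classify_payload(payload: str) -> dict:
    """Describe what following a decoded QR payload would make the phone do."""
    text = payload.strip()
    result = {"action": "show text", "target": text, "warnings": []}

    # Wi-Fi join codes look like WIFI:T:WPA;S:<network>;P:<password>;;
    if text.upper().startswith("WIFI:"):
        fields = dict(p.split(":", 1) for p in text[5:].split(";") if ":" in p)
        result.update(action="join a Wi-Fi network", target=fields.get("S", "?"))
        result["warnings"].append("joins an unknown network whose owner can see your traffic")
        return result

    # vCard / MeCard contact records
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        result.update(action="add a contact", target="(contact record)")
        return result

    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme in ACTION_SCHEMES:
        result.update(action=ACTION_SCHEMES[scheme], target=parts.path or parts.netloc)
        result["warnings"].append("performs an action rather than opening a page; confirm the prompt")
        return result

    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        result.update(action="open a web page", target=host)
        if scheme == "http":
            result["warnings"].append("plain HTTP: anything you type is sent unencrypted")
        if parts.username is not None:
            result["warnings"].append("user@host prefix disguises the real host")
        result["warnings"].extend(_host_warnings(host))

    return result


def preview_link(url: str) -> Optional[str]:
    """For a bit.ly link, return the '+' preview URL that shows where it leads."""
    if (urlsplit(url).hostname or "").lower() == "bit.ly":
        return url.rstrip("/") + "+"
    return None


# Constructed sample payloads, as a scanner app would decode them.
SAMPLE_PAYLOADS = [
    "https://www.example.com/check-in",
    "https://bit.ly/3xYzAbC",
    "https://login.bank.example@203.0.113.5/login",
    "tel:+61400000000",
    "WIFI:T:WPA;S:CafeGuest;P:secret;;",
    "Table 12",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        info = classify_payload(payload)
        print(f"{payload}\n  would: {info['action']} ({info['target']})")
        for warning in info["warnings"]:
            print(f"  warning: {warning}")
        preview = preview_link(payload)
        if preview:
            print(f"  preview: {preview}")
```

The script only inspects the decoded text; it never fetches anything, so it is safe to run on a payload before deciding whether to follow it. The checks mirror the advice above rather than attempting to prove a code is safe: a clean result means no obvious warning sign, not a guarantee.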

Zero Trust approach for enterprises 

For enterprises, education is key. All employees should be aware of possible QR code threats and have access to information about how to prevent them. It is also advisable to explain the personal and business implications of not adhering to the company guidelines and regulations. At The Missing Link, we recommend adopting a Zero Trust approach to security, which means restricting devices that can be used to access the organisation’s network and data. 

For further information on Zero Trust, listen to our podcast series or contact us.  



Taylor Cheetham

Campaign Manager