QR Codes – Consumer Convenience or Fraudulent Contrivance?

By: Michael Ferragamo, Vy Nguyen, and Richard W. Goldberg

During the halftime show of this year’s Super Bowl, a floating QR code took a star turn in a prominently placed advertisement. That ad, which was run by cryptocurrency exchange platform Coinbase, consisted of nothing more than a multi-colored QR code slowly bouncing across the television screen for almost a minute without any other identifying information or attribution. At the ad’s end, Coinbase’s name and a link to its website briefly appeared. Viewers could use their cellphone cameras to see where the QR code led or patiently wait and hope that the ad would explain what was going on.

So many people reportedly followed the link from the QR code that the resulting traffic overwhelmed and crashed the Coinbase website landing page. The convenience of the code clearly worked for ad viewers and Coinbase. It appears that while QR codes may be a welcome convenience, they may also be a potential tool for the commission of fraud. It is increasingly important, therefore, that the public be sufficiently educated regarding the risks presented by these codes.

What is a QR code?

Quick Response codes, or QR codes, were developed in 1994 and have become increasingly prevalent in everyday use, particularly throughout the global pandemic, to access a wide range and variety of information, such as restaurant menus, or to join Wi-Fi networks or log into programs. A QR code is, in sum, a type of scannable barcode that can store various types of information including links to the Internet. That information is stored within the code in such a way that the information cannot be read without a device capable of decoding the information. The code can be read using an image processing device like the cameras commonly found in cellphones. If the device is internet-connected, then the scanned information within that source QR code can direct the user to a specific website destination if the user chooses to “click through” to it.

How Can a QR Code Be Dangerous?

The risk in blindly following a link in a QR code is that it is akin to clicking on a malicious link found in a phishing or suspicious email. In both situations, the destination website can contain exploitable code like JavaScript, which can be programmed to execute malicious programs on the user’s system. Moreover, mobile devices like cellphones are at risk from maliciously designed QR codes, which can trigger code within the host device to activate cameras, GPS tracking, and other features of the phone. While companies have gone to tremendous efforts to educate employees on the danger of phishing emails, there appears to be little effort made to educate employees on the danger of QR codes.

Examples of QR code scams include instances where the malicious actors printed and overlaid fake QR codes that then prompted users to “pay” for the use of a bike sharing system; or where the actors installed fake QR codes at parking meters; or by simply replacing the intended link with a bogus login page in order to steal credentials.

Warnings about these exploits have been recently highlighted by the Federal Bureau of Investigation concerning threat actors tampering with QR codes.

QR Code Safe Handling Practices

While the risks discussed above might cause some to think twice the next time they see that black and white QR square, users can follow these best practices to mitigate the risks associated with QR codes:

  • Assess the situation: Is this a place you would expect QR codes to be used? Are there alternative methods to access this information? Where possible, it may be safer to use the information you can read in clear text and bypass the QR codes altogether to access the desired site or information.
  • Preview before clicking: When scanning QR codes with the built-in camera app, most modern mobile devices provide a preview of the destination link in the QR code. Carefully review these to ensure that the link looks genuine and that the displayed link is one that is expected.
  • Install security updates: Ensure that recent operating system or security updates have been applied to any device used to access a QR code.
  • Only exchange information or money with trusted destinations: Use QR codes to make payments only when you are transacting directly with trusted merchants or service providers and the receiving site has been independently verified by the sender.
  • Implement and attend training: Add training on the dangers posed by QR codes to cybersecurity training.

For more information on this topic, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.

< Previous Post Next Post >


Related Attorneys

Find an Attorney

Each of the Firm's offices include partners, associates and a professional staff dedicated to meeting the challenge of providing the firm's clients with extraordinary service.