QR Codes

Is that QR safe?

QR codes have been around for a long time, but we've seen them become more useful now as an easy way to share links and websites with each other. Cyber-attacks using QR codes can occur both through email and in the real world.

What is a QR code?

The “QR” in QR code stands for “Quick Response.” It is a type of bar code that uses a series of squares instead of vertical lines. They are useful for quickly sharing information – especially links to web pages.

You can try it by viewing this page on a desktop or laptop and using your phone's camera app to scan the code.


QR code that leads to Kent State's website.

Please take note of the process for your specific device. Whenever you scan a QR code, pay special attention to the contents of the code before you visit the link.

Remember that QR codes are simply ways to store text in the form of squares instead of regular letters. They are most commonly used for sharing web links. The QR code here simply translates to “Hello there!” and does not contain an internet link.

QR code that says "Hello there!"

How malicious QR codes are spread

These days, cyber criminals use QR codes to abuse the convenience they provide.

It is most common to see QR codes with bad links sent through email. The attackers count on your curiosity and short-term reaction to seeing a QR code. The intention is for you to scan the code as it is displayed on your computer screen and visit the malicious website on your phone. This tactic is used to bypass mail filters that may block messages containing dangerous links. From here, the attackers will either try to trick you into signing into a fake login page, or the QR code will be set up to attempt to automatically install malware on your device.

Malicious QR codes can be spread in the physical world too. Always be cautious when scanning QR codes when you’re out and about.

QR codes in phishing emails

Scammers have been known to incorporate QR codes in their phishing attempts. They do this because it allows them to bypass mail filters that would otherwise block emails that contain malicious URLs.

This may come in the form of an email from your bank saying that one of your payments has failed, and you need to download or update their app to resolve the issue. Scammers have also tried the familiar “password expired” and “mailbox full” phishing attempts, but with QR codes. Instead of “Click HERE to sign in,” you may see “Scan this code to sign in.”

How to avoid malicious QR codes

The best way to protect yourself is to understand and treat QR codes just like you would treat an unknown or unfamiliar web link. Get familiar with the way that your device handles QR scanning. Feel free to practice on the codes on this webpage! If you are able to, check the contents of the code before you visit the website. This is the equivalent of hovering over a link with your cursor to check its contents before you click.

Tips to stay safe

  • Check the URL before you visit the site
  • Always be cautious when providing information to a site you navigated to from a QR code
  • Do not download an app from a QR code unless you can verify that it came from your phone’s official app store
  • It is safest to use your phone’s built-in QR code scanner instead of unofficial ones
  • Always be cautious of requests for payment demanded to be completed through a QR code

Example

Below is an example of a phishing email that uses a QR code to hide its malicious link. Take notice of the sender's email address and the repeated threats of imminent account deletion used in the message. These are two red flags that suggest that the email is a phish.

Example of a phishing email using a malicious QR code.