Are QR codes safe?

Wait a second. Did you arrive at this article by scanning one of our QR codes?

If so, you might be a little uneasy with the headline of this article. But don't worry, you can trust us - we're a mobile app security company after all.

But not all QR codes are safe. Read on and we'll explain why you probably shouldn't scan every QR code you come across.

Some bemoan the use of words like “renaissance” or “comeback” when they read about the QR code given that it never really went away in many places. 

In China, for example, more than 90% of digital payments are made on WeChat and AliPay which depend on digital wallets and QR codes. 

But there’s no denying that in the West the boom in QR code usage coincided with the pandemic. 

In the spring and summer of 2020, they sprang up outside bars and restaurants to help us order while maintaining a safe social distance. Since then they’ve appeared almost everywhere - on digital tickets, promotions, and community event sign ups. 

e-Marketer predicts that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025.   

It’s easy to believe stats like this when you see QR codes on leaflets in cafes and even pinned to walls and lampposts. The QR code has definitely gone mainstream.

And because the pandemic trained us into thinking that scanning them is perfectly normal, people are now happy to do so in a variety of settings. Mostly without thinking about the security implications whatsoever.

This was aptly demonstrated during the 2022 SuperBowl, when the cryptocurrency exchange company, Coinbase, ran an advert. In it, a QR code floated around viewers’ TV screens and, without thinking much about it, millions of people reached for their phones. 

Many lauded the ad as a great success. Coinbase themselves claimed that they received 20 million hits in a single minute. 

But others expressed caution. 

In an article in The Next Web, Callum Booth argues the ad might have set a dangerous precedent. The lack of context could potentially have furthered the belief that it’s perfectly normal for us to go around scanning every random QR code that we come across.

Around the same time the QR code began to be seen more widely, people were also getting used to phishing texts pinging on their phones. Fake messages claiming to be from banks, energy suppliers, and even health centers offering covid tests. 

While it isn’t always possible to tell whether the links in these messages are genuine or not, sometimes it is. A company name might be misspelt, for example. The kind of thing that you could miss at first glance (hence why a lot of these phishing messages succeed) but not the second time. 

With a QR code, on the other hand, it’s much harder to know whether you’re about to be taken to a genuine website or a fraudulent one. All you see to begin with is a jumbled pattern of black and white blocks. Once you scan it, a message does pop up telling you where the QR code is sending you, but most people simply click through without reading this. 

And so even more than with normal links - which we’re still getting used to being sceptical of - you’re completely putting your trust in the people behind the code. 

As we wrote in an article about the rise of phishing messages, we tend to be a lot more vulnerable on our phones. There are a number of reasons for this, but perhaps the most important one is that we’re more relaxed while we use them. In recent years the device has become a kind of second home we can escape to occasionally. A place to catch up with friends and family.

In the case of QR codes, examples of when you’ve used one could include buying a round of drinks for friends, or arriving at a concert venue to see your favorite band. In other words, innocent, fun, happy memories.

They also know that we act in the moment on our phones and don’t question things as much as we might when we sit with our laptops. 

Hackers have quickly identified the cryptocurrency space as a key industry to exploit the vulnerabilities of the QR code. That’s because they’re commonly used to help mobile devices to quickly locate virtual wallet addresses to transfer currencies. But as QR codes are easy to create, attackers can trick people into transferring funds to their wallet, instead.

A QR code can also provide instructions to automatically order a phone to connect to a wifi connection. This is dangerous because it might be a very insecure network with sniffing tools set up so that all the traffic between the phone and a server can be recorded. 

There are also privacy concerns with QR codes that the average user is unaware of. After scanning one, people are often asked to enter their personal details either on a website or in an app. This makes it a lot easier for businesses to track and target customers with personalized offers further down the line.

But as we often say here at Licel, privacy and security are connected. If you get into the habit of scanning QR codes and sharing your personal credentials, you can’t always be sure how robustly those details will be protected by third parties.

To conclude, we’re not saying you should never scan a QR code. But you should definitely be cautious about scanning them. As with many of your daily smartphone interactions, there are risks lurking under the surface.

A lot of the advice you hear about phishing scams hold true for QR code offers that look too good to be true. Remember, you can always go directly to the company’s website yourself rather than scanning through the QR code.

Here are our tips for safe QR code scanning: