What to Know
- Use a QR code reader that shows the decoded text before opening the site and checks it against a database of malicious links.
- When possible, feel the physical QR code to make certain it's not a sticker with malicious code placed over the actual code.
This article explains how to protect yourself from malicious QR codes, the two-dimensional barcodes you can scan and decode with your smartphone.
How QR Codes Work
In many cases, the decoded message in a QR code is a web link. QR codes save users the hassle of writing down a web address or other information while they're out and about. A quick scan with your phone and a QR reader app is all you need, with no need to scribble a web address or phone number on a napkin.
Some advertisers place QR codes on billboards, buildings, floor tiles, or anywhere else they can think of, hoping to make someone curious enough to scan the QR code. Users find out if it's a web link, coupon, or a code for free products or some other goodie. Many people scan any code they find in the hope that it's associated with a prize of some sort.
How Cybercriminals Use QR Codes
Most scanning apps recognize that the decoded message is a link and automatically launch your smartphone's web browser to open it. While this saves you the hassle of typing the web address on your phone's small keyboard, it is also the point where the bad guys enter the picture.
Criminals have discovered that they can use QR codes to infect a smartphone with malware, trick you into visiting a phishing site, or steal information directly from your mobile device.
A criminal can encode a malicious payload or web address in the QR code format. They use free encoding tools found on the internet, print the QR code on adhesive paper, and affix their malicious QR code over the top of a legitimate one (or e-mail it to you). Since QR encoding is not human readable, the victim who scans the malicious QR code won't know they have opened a malicious link until it's too late.
Use Third-party Apps to Vet QR Codes
There are many QR code readers out there. Some are more secure than others. Several vendors are aware of the possibility of malicious QR codes and have taken measures to prevent users from being duped by harmful codes.
Norton Snap is a QR code reader available for both iPhone and Android. After Norton Snap scans a code, it shows the decoded content to the user before the link is visited, so the user can decide whether or not to visit the website. Norton also checks the decoded link against a database of malicious links and tells the user whether it is a known bad site.
Enable the QR Code Review
Before installing a QR code reader app on your smartphone, check what security features it offers. Make sure it lets you inspect the decoded text before it opens the content in a browser or another target application. If it doesn't offer this capability, find one that does.
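The review step described above, as an added example that is not part of the original article or any vendor's app: the function below takes the raw text decoded from a QR code, refuses to treat non-web payloads as links, checks the host against a blocklist (a constructed stand-in for a vendor's malicious-link database), and flags link features that commonly disguise the real destination, returning a verdict and reasons for the reader app to show the user before anything is opened.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample "database of malicious links"; a real reader would
# query a vendor feed instead of a hard-coded set.
KNOWN_BAD_HOSTS = {"free-prize-claim.example", "login-verify.example"}

def vet_qr_payload(payload, blocklist=KNOWN_BAD_HOSTS):
    """Return (verdict, reasons) for a decoded QR payload without opening it.

    verdict is one of 'not-a-web-link', 'block', 'warn', 'ok'.
    The reader app shows the raw payload plus these reasons before it
    hands anything to the browser.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text, WIFI:, tel:, mailto: etc. Nothing a browser should auto-open.
        return ("not-a-web-link", ["scheme is %r" % (scheme or "none")])
    host = (parts.hostname or "").lower()
    if not host:
        return ("block", ["web link has no host"])
    if host in blocklist:
        return ("block", ["host %s is on the known-bad list" % host])
    reasons = []
    if parts.username is not None:
        # 'https://bank.example@evil.example/' really goes to evil.example
        reasons.append("userinfo before '@' hides the real host %s" % host)
    try:
        ipaddress.ip_address(host.strip("[]"))
        reasons.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) host may imitate another brand")
    if scheme == "http":
        reasons.append("plain http: the page and any downloads are not protected by TLS")
    return ("warn" if reasons else "ok", reasons)
```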
Inspect the QR Code to Make Sure It's Not a Sticker
While some websites contain QR codes, the majority of QR codes are found in the real world. You might see one on a store display or the side of a coffee cup.
Before you scan any code you find, feel it (if possible) to make sure that it is not a sticker placed over the real code. If you find a malicious QR code, report it to the owner of the business where you found it.