
Before you scan this QR code, consider where it will send you

Originally used in vehicle manufacturing, QR codes have become a convenient way to share a link without needing a person to type anything into their web browser.

While a QR code could send you to a website to buy tickets to a live show or help you find a user on social media, QR codes can also be used by cybercriminals, so caution is necessary.

“The risk is that, while smartphones can read the QR code, humans cannot, so we have no idea where the code will direct us to. We could easily be clicking on an infected link, a spoof website, or even just paying the wrong vendor,” explains managing director at Galix, Simeon Tassev.

One of the problems with QR codes is that they are very easy to create, so anybody can direct you to any website or malicious file they choose.

This has become even more of an issue with the advent of contactless payment solutions that rely on QR codes.

“For example, at a market, vendors will have QR codes to scan and pay, but they often have strange names, or multiple businesses use the same payment application code. This makes it very easy for a malicious actor to replace the real code with their own, effectively stealing money from these vendors. Similarly, QR codes for downloading menus, entering competitions or other marketing exercises, can easily be replaced by fake codes that look real, but lead people to infected links or spoof sites where personal information is voluntarily entered and then stolen,” explains Tassev.

Some QR scanners will generate a preview of the link and request confirmation before visiting, but this is hit or miss. When scanning the QR code in the image above, our software simply states that the link directs to YouTube but provides no further information.
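
What a fuller link preview could surface before a scanned code is opened, as an added example that is not from the article or from any particular scanner app. The function name, warning wording and sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def preview_qr_payload(payload: str) -> dict:
    """Summarise a decoded QR payload so a person can judge it before opening."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # the real destination, lower-cased
    warnings = []

    if scheme not in ("http", "https"):
        warnings.append("not a web link")
    elif scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        # Anything before '@' is login data, not the site being visited.
        warnings.append("text before '@' is not the site name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary host name

    return {"scheme": scheme, "host": host,
            "path": parts.path or "/", "warnings": warnings}


# Constructed sample payloads (reserved example names and addresses).
SAMPLES = [
    "https://www.youtube.com/watch?v=CONSTRUCTED",
    "https://www.youtube.com@203.0.113.7/login",
    "http://xn--exmple-cua.example/pay",
]

if __name__ == "__main__":
    for text in SAMPLES:
        info = preview_qr_payload(text)
        flags = "; ".join(info["warnings"]) or "no warnings"
        print(f"{info['scheme']}://{info['host']}{info['path']}  ->  {flags}")
```

The second sample shows why a preview that only names a brand is not enough: the text looks like YouTube, but the host the phone would contact is the address after the `@`.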

So what should you do if you’re paying somebody using a QR code and want to verify you are paying them?

Tassev’s advice is to confirm with the vendor that you’re paying the right person. In addition, try to make QR payments directly through official apps or websites rather than trusting something you can’t see for yourself.

“Have endpoint security on your devices to protect you from malicious content. Most of all, be mindful. QR codes are fun, easy and convenient, but they are vulnerable to abuse, and we need to be aware. You wouldn’t just click a link in an email without checking, so why scan a QR code without verifying it first,” he concludes.
