Site navigation

Do You Know What Cybersecurity Threats Lurk Behind Those QR Codes?

David Paul


QR codes

We see them in all walks of life, but what are the cybersecurity concerns facing QR Codes? Lookout Senior Manager Hank Schless spoke to DIGIT about recognising QR Code phishing scams and how to avoid them.

There is an ever-increasing obsession with making our world ‘contactless’, particularly during the coronavirus pandemic where human interaction is limited.

The popularity of contactless technology has skyrocketed, and things like the Internet of Things (IoT) and QR codes are now the norm.

According to research by Ofcom, the number of IoT connections in the UK is predicted to grow from around 13m in 2016 to over 150m by 2024, while QR Codes are being seen everywhere from restaurant menus to bus stops.

In particular, the usage of these QR codes, an optical label containing information about an item or product to which it is attached, is continuing to rise.

With this increased use comes the inevitable risk of cybersecurity incidents. Hackers are seeing an opportunity to exploit these complex labels to steal your data.


According to a survey conducted by MobileIron, 71% of respondents said that they cannot differentiate between a malicious or legitimate QR code; they are the perfect place to hide phishing scams.

But what risks are we exposed to when we aimlessly scan a QR code at a bus stop? There is no way to tell where a code will direct someone once it has been scanned by our mobile devices, putting not only individual users but an organisation’s infrastructure at risk.

Hank Schless, Senior Manager of Security Solutions at Lookout, gave DIGIT the facts on QR code security and the ease at which phishing scams built into QR codes could catch you out.

How do QR codes work?

QR codes are machine-readable labels that contain information with a barcode-like image. Over the years, they’ve become a popular way to help people access websites, apps, and other resources on their smartphones and tablets.

They can be incredibly convenient since you don’t have to type in an entire URL and make things very accessible.

What has spiked the popularity of QR code usage?

Many apps that have a social aspect, such as Snapchat and Venmo, have adopted QR codes as a way to connect with friends on the app.

It’s a quick and easy way to add someone without having to search for a username and make sure you have the right person.

Cryptocurrency wallet apps also use QR codes to request payments from another person.

Have you seen a marked increase in QR code application during the Covid-19 pandemic?

During the pandemic, QR codes have provided a contactless way for businesses to drive interaction. Restaurants use QR codes to bring sit-down diners to their menu.

During the US election, there were signs up with QR codes on them that led you to voter registration sites.

What are some of the main security concerns of QR codes?

The main security concern behind QR codes is that anyone can create a code that leads to anything. Since QR codes are usually presented with context, it’s a natural place for a malicious actor to leverage social engineering in order to convince an individual that the end destination is legitimate.

A QR code could lead an individual to a malicious website where they share sensitive personal data or download a malicious app. When you scan a QR code, a banner pops up asking if you’d like to visit the site embedded in the code. Most people will tap that banner and go to the site without first observing the URL.

URL spoofing, which is the practice of making a malicious URL look similar to its legitimate counterpart, would be hard to spot as people quickly tap the banner to visit the site.

What can be done to bolster the cybersecurity of QR codes?

There’s not much that can be done about the security of the codes themselves, but individuals who choose to scan them can exercise greater caution in order to prevent a security incident.

What are the effects that QR phishing scams can have on individuals and organisations?

Just like with any other phishing campaign, an individual may mistakenly share login data with a threat actor who can then use those credentials to log into the corporate infrastructure.

If the code instructs a user to download a malicious app and they do so, it could allow the threat actor access to any corporate data or cloud services that the device is connected to.

Why/How are QR codes phishing scams so effective?

We are all conditioned to interact with our mobile devices in a certain way. Attackers know that we will oftentimes tap a notification or visit a site on our mobile devices without thinking twice.

Since QR codes are presented in the context of something, such as visiting a site to make sure you’re registered to vote, people may be more willing to trust that the destination site is secure.

Because of their simplified interface and smaller screens, it’s much harder to spot phishing sites on smartphones and tablets.

Many of the red flags we’re used to spotting on PCs, such as a spoofed URL or non-traditional page formatting, are easier to hide on mobile devices.

What is being done to combat these threats?

These codes are another example of how attackers are moving away from email and relying more on personal channels such as social media platforms and third-party messaging apps to deliver convincing phishing attacks to end-users.

Since QR codes are another way to provide a URL to an end-user, the key to combating them is to use a mobile security product with phishing protection.

What can someone do to protect themselves or their organisation from these scams?

The number one thing is for the individual to slow down and take a minute to observe the URL they’re visiting. If the URL itself seems to align with the context it’s presented in, then the next step is to carefully observe the page you visit.

It’s a security best practice to never download an app from outside the iOS App Store or Google Play Store.

Apps on third party stores don’t have to go through the same security checks and therefore could have malicious capabilities hidden in them.

Join us at Scot-Secure Virtual Summit.

Best-practice cyber resilience and implementing effective security measures will be a key area of discussion at the upcoming Scot-Secure Virtual Summit 2021 on the 24th and 25th of March.

Hear from leading experts from across the cybersecurity landscape and explore the crucial issues facing frontline practitioners.

Register your free place now at

David Paul

Staff Writer, DIGIT

Latest News

Recruitment Technology
Artificial Intelligence News
Business Recruitment
%d bloggers like this: