Take the Paper Menu: Avoiding QR Code Security Risks

Mar 22, 2022 | Blog

Back when COVID-19 science was in its infancy, it was widely believed that the virus could be transmitted through surfaces. Scanning a QR code, especially in restaurants where they were offered in lieu of paper menus, seemed like a sensible safety imperative. But the science has moved on, and criminals have moved in, too. A QR code is only an encoded piece of text, usually a web address, so the danger lies in where a tampered code sends you: to sites that harvest your data, push malware onto your device, or divert your payments.

The paper menu, in 2022, may well be the safest option.

QR (or “Quick Response”) codes are intended to direct a user to a website by the expedient of a smartphone camera scan rather than typing in a lengthy website address. Scanning the code takes the user directly to the website’s landing page. Unlike a printed address, though, the encoded one cannot be read before you scan it, and commercial QR codes commonly point to a redirect service that records the scan (time, device type, and an approximate location derived from your IP address) before forwarding you on. That tracking happens before you ever see the destination site’s policies on sharing your information with advertisers and others.

That convenience provides the opportunity for mischief, or worse. The page a code opens can prompt you to install an app or grant permissions that expose your data, including your contacts. If you use the code to make a purchase, the page may imitate your bank’s login screen; a username and password typed there go to the criminals, who can use them to drain your account.

In January 2022, the FBI issued a warning entitled “Cybercriminals Tampering with QR Codes to Steal Victim Funds.” The FBI noted, “…cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use…a cybercriminal can replace the intended code with a tampered QR code and redirect the sender’s payment for cybercriminal use.”

As the FBI also noted, “QR codes are not malicious in nature,” but like all other aspects of technology, a bit of cybersecurity caution and hygiene can reduce the risk of using these codes:

  • Employ the same healthy skepticism you use to avoid phishing scams. A QR code is a link you cannot read, and the page it opens can push spyware or other data-stealing code onto your device just as a malicious link or attachment in an email can. Only scan a QR code from a trusted source, and don’t input personal information if requested by the site to which you have been directed.
  • Make sure that the website to which the QR code has directed you is authentic and what you expected. Most phone cameras display the decoded address before opening it; read the domain name, and treat shortened links, misspellings and lookalike characters as warning signs. Malicious QR codes can redirect you to a scammer’s website where your data and login credentials can be stolen or sold to unauthorized third parties. To paraphrase the late Ronald Reagan: Don’t trust, always verify.
  • A QR code on a sticker that has been placed on a poster or over another code is a bright red flag. Avoid it. This is especially true if the sticker is placed on or near an ATM.
  • Do not authorize a payment through your banking app from a page a QR code opened, and certainly do not enter your password there. If a payment is required, verify that the website is authentic and the one you intended to visit, then type the address into your browser yourself and pay there. It’s more time-consuming than paying via the QR code, but safer.
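Most of the advice above reduces to one habit: read the decoded address before acting on it. The script below is an added example for this article, not code from the original post or from the FBI advisory; it applies that reading mechanically to the text a camera app previews after a scan. It flags what a cautious reader would look for (plain http, URL shorteners, a bare IP address, an “@” that hides the real host, lookalike or punycode domain labels, and a domain other than the one you expected) and goes slightly beyond the list above by also catching payloads that are not web addresses at all but device actions such as joining a Wi-Fi network or sending a text. The shortener list, domain names and sample payloads are constructed for illustration.

```python
"""Triage the text decoded from a QR code before acting on it.

Added example for this article (not part of the original post). A phone camera
app shows the decoded payload before opening it; these are the checks to apply
to that preview. Domains, payloads and the shortener list are constructed.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Redirect services hide the final destination until you land on it.
# Constructed list, deliberately short; real scanners would use a fuller one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "qrco.de"}

# Payload types that trigger a device action (join Wi-Fi, dial, text, add a
# contact) instead of opening a page; here the action itself is the risk.
ACTION_PREFIXES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:", "matmsg:", "geo:", "begin:vcard")


def triage(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return human-readable warnings for a decoded QR payload.

    An empty list means nothing was flagged, not that the destination is safe:
    a well-formed https URL on the right domain can still host a phishing form.
    """
    warnings: List[str] = []
    text = payload.strip()

    if text.lower().startswith(ACTION_PREFIXES):
        kind = text.split(":", 1)[0]
        warnings.append(f"not a web address: '{kind}:' payload triggers a device action")
        return warnings

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {scheme!r}; expected https")
        return warnings
    if scheme == "http":
        warnings.append("plain http: the page and anything typed into it travel unencrypted")

    host = (parts.hostname or "").lower()  # drops the port and any user@ prefix
    if not host:
        warnings.append("no host in URL")
        return warnings

    # https://mybank.example@evil.test/ actually goes to evil.test.
    if parts.username is not None:
        warnings.append(f"'@' in address: the real host is {host!r}, not {parts.username!r}")

    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a bare IP address ({host}); legitimate sites use a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    if host in SHORTENERS:
        warnings.append(f"{host} is a URL shortener; the real destination is hidden until you land")

    # Internationalised labels can imitate Latin letters; the preview may show
    # either the Unicode form or its xn-- (punycode) encoding.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("domain uses non-ASCII or punycode characters: check for lookalike letters")

    if expected_domain:
        expected = expected_domain.lower()
        if host != expected and not host.endswith("." + expected):
            if expected in host:
                # e.g. mybank.example.verify-login.test: the real domain is the last two labels
                warnings.append(f"{host} contains '{expected}' but is a different domain")
            else:
                warnings.append(f"domain is {host}, expected {expected}")
    return warnings


if __name__ == "__main__":
    # Constructed sample scans: (decoded payload, domain the reader expected)
    samples = [
        ("https://www.menu.example/lunch", "menu.example"),
        ("http://bit.ly/3abcXYZ", None),
        ("https://mybank.example@203.0.113.7/login", "mybank.example"),
        ("https://m\u0443bank.example/login", "mybank.example"),  # Cyrillic 'у'
        ("https://mybank.example.verify-login.test/", "mybank.example"),
        ("WIFI:T:WPA;S:FreeCafe;P:secret;;", None),
    ]
    for payload, expected in samples:
        print(payload)
        for line in triage(payload, expected) or ["  (nothing flagged)"]:
            print("  -", line)
```

Run it as a script to see each constructed payload with its warnings, or call `triage()` on the text your scanner previews. The function deliberately returns warnings rather than a safe/unsafe verdict: a clean result only means the address looks like what you expected, which is the point at which you still apply the remaining advice above about what you type into the page.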

QR codes are here to stay, and their use is increasing; a QR code even appeared in an ad during the Super Bowl in February 2022. Healthy skepticism in the use of QR codes can go a long way toward keeping your data and money safe. And, given the advances in the knowledge of COVID-19 transmissibility, it may be advisable to opt for the old-fashioned (but safe and reliable) paper menu in restaurants and bars.

If you have any further questions regarding cybersecurity and data protection, please contact Kenneth N. Rashbaum.