Back when COVID-19 science was in its infancy, it was widely believed that the virus could be transmitted through surfaces. Scanning a QR code, especially in restaurants where they were offered in lieu of paper menus, seemed like a sensible safety imperative. But the science has moved on, and criminals have moved in, too, planting malware in QR codes that could access data and redirect payments.
The paper menu, in 2022, may well be the safest option.
QR (or “Quick Response”) codes are intended to direct a user to a website by the expedient of a smartphone camera scan rather than typing in a lengthy website address. Scanning the code takes the user directly to the website’s landing page. But the site’s policies on sharing your information—including your location and the IP address of your device—with advertisers and others won’t appear when you scan the code, as would be the case if you went to the website directly on your browser.
The convenience of a QR code provides the opportunity for mischief, or worse. Accessing the code may give the code providers access to your data, including your contacts. If you use the code to make a purchase, the site may instruct you to open your banking app and enter your name and password, which the site providers will retain and can use to drain your account.
In January 2022, the FBI issued a warning entitled “Cybercriminals Tampering with QR Codes to Steal Victim Funds.” The FBI noted, “…cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use…a cybercriminal can replace the intended code with a tampered QR code and redirect the sender’s payment for cybercriminal use.”
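The tampering the FBI describes works because a scan shows nothing about the destination until the link is opened. The following is an added example, not part of the original article or the FBI notice, of how a scanner app or venue operator could vet a decoded QR payload before opening it. The host names, the `vet_qr_payload` function and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: the hosts the venue really prints on its codes (constructed values).
EXPECTED_HOSTS = {"menu.example-bistro.test", "pay.example-bistro.test"}

def vet_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return the reasons not to open a decoded QR payload (empty list = OK)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = bool(parts.username or parts.password)
    except ValueError:
        return ["payload is not a parseable URL"]
    reasons = []
    scheme = parts.scheme.lower() or "missing"
    if scheme != "https":
        reasons.append(f"scheme is {scheme}, not https")
    if has_userinfo:
        # "https://trusted-name@other-host/" opens other-host, not trusted-name.
        reasons.append("text before '@' can disguise the real host")
    if not host:
        reasons.append("no host in payload")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # a DNS name, which is what a printed code should carry
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (possible look-alike domain)")
    if host not in expected_hosts:
        reasons.append(f"host {host} is not one the venue publishes")
    return reasons

if __name__ == "__main__":
    # Constructed sample payloads: one genuine code and three replaced stickers.
    for sample in (
        "https://menu.example-bistro.test/table/12",
        "http://menu.example-bistro.test/table/12",
        "https://menu.example-bistro.test@203.0.113.7/pay",
        "https://xn--mnu-bma.example-bistro.test/",
    ):
        print(sample, "->", vet_qr_payload(sample) or "OK")
```

The exact-match host check is the part that catches a replaced sticker; the other checks only explain why a rejected payload looks suspicious.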
As the FBI also noted, “QR codes are not malicious in nature,” but like all other aspects of technology, a bit of cybersecurity caution and hygiene can reduce the risk of using these codes:
QR codes are here to stay, and their use is increasing; a QR code even appeared in an ad during the Super Bowl in February 2022. Healthy skepticism in the use of QR codes can go a long way toward increasing your digital safety profile. And, given the advances in the knowledge of COVID-19 transmissibility, it may be advisable to opt for the old-fashioned (but safe and reliable) paper menu in restaurants and bars.
If you have any further questions regarding cybersecurity and data protection, please contact Kenneth N. Rashbaum.