Search Information Security site


Main menu

In the wrong hands, QR codes are a dangerous threat to your mobile device security.

By now, most computer users know the risks that hackers pose to data and accounts accessed through their laptop or desktop computer. However, as the mobile market has grown, with more people logging into accounts on their mobile devices than ever, hackers have begun targeting smartphones and tablets. CheckPoint estimates a 50% increase in mobile malware attacks in 2019, primarily correlated to a rise in mobile banking usage. In this mobile era, one of the most dangerous threats is hackers’ use of QR codes to install malware. 

QR, or Quick Response codes, are like barcodes that can be scanned by smartphone cameras to direct users to a  website. Using QR codes to disguise malicious intent makes a lot of sense from a hacker’s point of view. For years, cyber criminals have built out scam emails to disguise dangerous links or attachments as harmless information from a friend or co-worker. With QR codes, the disguise is built-in -- every code looks more or less the same, and mobile users are accustomed to scanning them in all kinds of environments. Additionally, once scanned, the QR code quickly transports the user to the malicious website or download before they can do anything to prevent further harm. 

According to Parameter Security, once a user scans a malicious QR code, their phone allows a Trojan download, which is  back-end malware that reports information back to the hackers’ servers. Once this occurs, the hacker can download other malicious software or extract information from the device, leading to potentially catastrophic results for the victim. 

QR hacks are hard to detect since the codes can appear anywhere -- on a screen, business card, coupon, billboard, or piece of mail. The easiest way to prevent a QR hack is to not scan QR codes, but this is inconvenient since most codes are a useful way of accessing information. Here are some other strategies to prevent QR hacking:

  1. Treat the QR code like a suspicious link. QR hacking is just another type of phishing scam, so take the same precautions; if it doesn't look or feel right, don't scan it. 

  2. Be aware of the location where the code is posted. If it’s on a restaurant menu or a reputable, secure website, it’s probably (though not always) safe to scan. However, if you see the code on a poster that could have easily been printed and posted by a hacker, or the code pops up on a sketchy web page, proceed with extreme caution. Do not scan a code sent or placed by someone you do not know personally! 

  3. Use a QR scanner with a preview function. This can serve as a substitute for "hovering" over a suspicious link to inspect it. Countless apps are available that will show you the content behind the code before you click on it. 

  4. Many branded QR codes are customized and carefully designed. Be suspicious of generic black and white QR codes. 

  5. As always, if you suspect you have fallen victim to a QR hack, report the incident immediately.

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form