The Hidden Risks of QR Codes: A Call for Caution
Chapter 1: The Emergence of QR Codes
I've observed a notable increase in the use of QR codes across the UK, particularly since the onset of COVID-19. Businesses have begun to incorporate them into menus, storefronts, and takeaway orders.
This trend is evident in restaurants, fast food outlets, coffee shops, and even on charity donation bags. While this innovation can assist customers in navigating services, it inadvertently diminishes our awareness of potential risks and alters our behaviors.
When an action becomes habitual, we often engage in it without much thought. As a result, the notion of a frequent action suddenly posing a risk gets deprioritized. This concern escalates as more establishments adopt QR codes.
So, what are the risks involved?
Consider this:
When scanning QR codes, especially on devices like iPhones, the only option typically presented is to “Open in [Browser].”
This lack of clarity can lead to misplaced trust in the source. In dining settings, for instance, staff may encourage customers to scan codes, which can lower their defenses.
For certain familiar websites, the URL may seem legitimate when hovering over the code.
However, if you mistakenly click on a malicious link, you might find yourself downloading harmful files.
Now, imagine if someone redirected you to a fraudulent site, using a similar domain or even hosting it on a trusted platform. The appearance of legitimacy increases the likelihood of a click.
You might think, “It’s not a big deal; companies wouldn’t use malicious QR codes.” While that may be true, what if someone swapped the codes? What if you encountered QR codes in unexpected places, like an airport? What if the QR code didn't lead to the Wi-Fi login page?
These QR codes can direct users to fraudulent sites designed to capture personal or financial information. Malicious actors analyze user behavior, making certain phishing tactics notably effective. It’s alarming how easily someone could print a matching menu and replace the original codes without staff noticing.
I’ve even come across QR codes placed on walls without any context, which can provoke curiosity and be more enticing than direct attacks: “What is this?”
So, what can be done?
The approach to countering these risks mirrors that of traditional phishing attacks: education and heightened user awareness. While this won't eliminate QR code usage, it can encourage users to pause and consider, “Should I click on this?” This moment of hesitation is what we in cybersecurity hope to cultivate.
A critical message for businesses employing QR codes is clear: STOP MANDATING THEIR USE AND OFFER ALTERNATIVES. I've encountered restaurants that only permit QR code usage, which is a concerning practice. Until users are better informed or tools are developed to mitigate risks, businesses should refrain from coercing patrons into using QR codes.
These “tools” should be standard. They are not overly complex, and would include features such as:
- Settings to block redirect URLs
- Displaying the domain for all links
- Warnings for potentially dangerous file formats (e.g., .zip, .apk)
- An option to view the URL in a safer format
- Alerts indicating no protection against malicious clicks
While not every user will utilize these features, having them enabled by default could help protect those who do. Many assume that security is inherently provided, especially with platforms like Apple or Google that support QR code scanning. This assumption can lead to dangerous oversights.
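A sketch of the pre-open checks listed above, as an added example that is not from the original post or from any scanner vendor. The function name, warning texts and sample payloads are constructed for illustration; the risky extensions are the two the post names, and the `@` and punycode checks are assumptions about what "displaying the domain" needs to handle.

```python
import posixpath
from urllib.parse import urlsplit, parse_qsl, unquote

RISKY_EXTENSIONS = {".zip", ".apk"}  # the two formats named in the post

def inspect_qr_payload(payload: str) -> dict:
    """Return what a scanner could show before offering 'Open in browser'."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        note = f"not a web link (scheme: {scheme or 'none'})"
        return {"domain": None, "display": payload, "warnings": [note]}
    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        # In user@host the real site is the part after '@'.
        warnings.append("text before '@' is not the site name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode domain, may imitate another name")
    ext = posixpath.splitext(unquote(parts.path))[1].lower()
    if ext in RISKY_EXTENSIONS:
        warnings.append(f"link points to a {ext} file")
    # A query parameter holding a full URL on another host suggests a redirect.
    for key, value in parse_qsl(parts.query):
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname not in (None, host):
            warnings.append(f"parameter '{key}' redirects to {target.hostname}")
    # "Safer format": scheme, real host and path only; no userinfo, no query.
    display = f"{scheme}://{host}{parts.path}"
    return {"domain": host, "display": display, "warnings": warnings}

# Constructed sample payloads, as a QR decoder might return them.
SAMPLES = [
    "https://menu.example.com/table/12",
    "https://trusted.example.com/out?next=https://login.example.net/wifi",
    "http://menu.example.com@files.example.org/menu.apk",
    "WIFI:S:CafeGuest;T:WPA;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = inspect_qr_payload(sample)
        print(report["domain"], "|", report["display"])
        for warning in report["warnings"]:
            print("   warning:", warning)
```

The third sample shows why the domain has to be displayed on its own: the text a user reads first is `menu.example.com`, while the host actually contacted is `files.example.org`.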
Although the risk may seem minimal for now, spreading awareness is crucial. Pressuring users without context will only lead to alternative vulnerabilities. A simple reminder, such as this post, can help instill that critical “should I click?” moment.
Chapter 2: The Risks Amplified
The Danger in QR Codes - YouTube
This video delves into the potential hazards associated with QR codes, highlighting how seemingly innocuous actions can lead to significant risks.
The Dangers of QR Codes! - YouTube
This video further explores the vulnerabilities of QR codes, providing insights into how users can protect themselves against potential threats.
Thank you for taking the time to read!