Quick response (QR) codes are small white squares with two-dimensional black markings, similar in appearance to a barcode. QR codes became more popular and widely used during the COVID-19 pandemic because they offer touchless transactions, such as replacing paper menus with a QR code that displays the online menu when scanned. QR codes have also been used for COVID-19 screenings and contact tracing. Their use for proof of vaccination requirements may expand the landscape for threat actors to exploit QR codes and access your personal information.

Crucially, QR codes can be used by threat actors to prompt you to visit malicious websites and download malware, so think before you scan!

Once scanned, the decoded text of the QR code can trigger actions such as:

  • Opening a website
  • Downloading an app
  • Joining a Wi-Fi network
  • Verifying information
  • Creating a contact
  • Sending an email or message
  • Dialling a phone number
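
The sketch below is an added example, not part of the original page: it classifies a decoded QR payload into the kinds of action listed above and returns a preview for the user to confirm, instead of carrying the action out. The function names and sample payloads are hypothetical; the prefixes are common QR payload conventions that scanner apps recognise.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefix -> action, following common QR payload conventions.
PREFIX_ACTIONS = [
    ("wifi:", "join Wi-Fi network"),
    ("mecard:", "create contact"),
    ("begin:vcard", "create contact"),
    ("mailto:", "send email"),
    ("smsto:", "send message"),
    ("sms:", "send message"),
    ("tel:", "dial phone number"),
]

def url_cautions(url):
    """Return reasons to look twice at a URL before opening it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    cautions = []
    if parts.scheme != "https":
        cautions.append("not HTTPS")
    if parts.username is not None:
        cautions.append("text before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        cautions.append("punycode (look-alike) hostname")
    try:
        ipaddress.ip_address(host)
        cautions.append("raw IP address instead of a name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return cautions

def preview_qr(decoded):
    """Describe what a decoded QR payload would do, without doing it."""
    text = decoded.strip()
    lowered = text.lower()
    if lowered.startswith(("http://", "https://")):
        try:
            host = urlsplit(text).hostname or "?"
            return {"action": "open website", "target": host,
                    "cautions": url_cautions(text)}
        except ValueError:
            return {"action": "open website", "target": "?",
                    "cautions": ["malformed URL"]}
    for prefix, action in PREFIX_ACTIONS:
        if lowered.startswith(prefix):
            return {"action": action, "target": text[len(prefix):], "cautions": []}
    return {"action": "show text only", "target": text, "cautions": []}

if __name__ == "__main__":
    # Constructed sample payloads (example.com and 203.0.113.7 are reserved test values).
    for sample in ("http://menu.example.com/today", "tel:+15555550100",
                   "https://menu.example.com@203.0.113.7/login"):
        print(preview_qr(sample))
```
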

What are the risks?

By scanning a QR code, you could be susceptible to the following risks:

  • Tracking of your online activity by websites using cookies. Your data can be collected and used for marketing purposes without your consent.
  • Collecting metadata associated with you, such as the type of device you used to scan the code, your IP address, location and the information you enter while on the site.
  • Exposing financial data, such as your credit card number, if you used it to purchase goods or services on the website.

The actions the QR code performs can also pose risks, such as allowing threat actors to infect devices with malware, steal personal information, or conduct phishing scams.

How can you stay safe?

To protect yourself and your personal information, always avoid using QR codes in the following ways:

  • Enabling your devices to automatically execute the QR code action.
  • Scanning a QR code posted in a public setting (e.g. in a public transit station or advertisements on the street).
  • Scanning a QR code in a business setting if it is printed on a label that could be covering another QR code. Ask a staff member to verify its legitimacy first. The business might simply have updated their original QR code.
  • Scanning QR codes received in emails or text messages unless you know they are legitimate.
  • Using QR scanner apps that are released by unknown companies or institutions.
  • Putting convenience before security. Type in a website URL to view content, such as an online restaurant menu, instead of scanning a QR code.

More ways to learn about staying cyber safe

Our Security Awareness Course, available through Brightspace, teaches the community how to stay cyber secure. Students, faculty and staff are invited to enrol in a series of modules that are short, digestible and, most importantly, informative. Topics include phishing, ransomware, Wi-Fi security, social engineering, risky USB devices and much more.
 
Keep in mind that, after clicking the link above, you’ll need to log in with your MyCarletonOne (MC1) password before enrolling.