QR Codes – what’s the real risk?

How safe is it to scan that QR code in the pub? Or in that email?

QR codes have been around since the 90s, although in the UK they really came to prominence during the COVID lockdowns, when they were used for everything from ordering food to indicating vaccination status.

They’re widely used today for things like quickly directing users to websites, logging into devices that lack keyboards (such as online video services on smart devices), or ordering or paying for goods and services.

Understandably, people sometimes worry about whether to trust these QR codes. Many are used in public spaces (like pubs and restaurants), and so you might be wondering: are criminals placing malicious QR codes to steal money, information, or trick people in some way?

Reports of QR-enabled fraud in the UK can be found online (including one from BBC News where a woman was scammed at a railway station), but this type of scam is relatively small compared to other types of cyber fraud. The majority of QR code-related fraud tends to happen in open spaces (like stations and car parks), and often involves an element of social engineering. In the above example, criminals posing as bank staff rang the victim to continue the deception.

However, QR codes are increasingly being used in phishing emails (a technique sometimes called ‘quishing’). From the criminal’s perspective, using QR codes in this way makes sense, for a number of reasons.

  1. Most people are now suspicious of dubious-looking links in emails, and are (correctly) cautious of clicking on shortened links. Criminals are therefore using QR codes to disguise the links to malicious websites that phishing emails contain.
  2. Not all security tools designed to detect phishing emails will scan images, so a QR code directing the user to a malicious website might slip through.
  3. Users are more likely to use their personal phone to scan the QR code. Personal devices may not have the same security protections as a computer that’s provided by your employer.
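The second point above is the one a defender can act on: a QR code is just an image wrapping a link (or other text), so once it has been decoded the payload deserves exactly the scrutiny a visible link would get. The following Python code is an added example, not code from this post or from the NCSC. It assumes the image has already been decoded to its text payload (by the phone's built-in scanner, or by a mail gateway that decodes images); the image-decoding step itself is out of scope. The shortener list and the sample payloads are constructed for illustration.

```python
"""Triage of decoded QR-code payloads before acting on them.

Added example, not code from the original post or from the NCSC. It assumes the
QR image has already been decoded to its text payload; the shortener list and
the sample payloads below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately short list of link-shortener hosts; a real
# deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Constructed sample payloads: what a scanner might hand back from six codes.
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",             # plain menu link
    "http://bit.ly/3abcXYZ",                     # shortened, not HTTPS
    "https://192.0.2.10/login",                  # IP literal host
    "https://login.xn--exmple-xqa.test/verify",  # punycode (IDN) host
    "WIFI:T:WPA;S:CafeGuest;P:letmein;;",        # Wi-Fi join, not a web link
    "Table 12",                                  # plain text
]


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> dict:
    """Describe what a decoded QR payload would do and list warning signs.

    The decoded text is treated exactly like a visible link in an email:
    reveal where it goes and check it before following it.
    """
    text = payload.strip()
    parts = urlsplit(text)
    result = {"payload": text, "kind": "text", "host": None, "flags": []}

    if parts.scheme in ("http", "https") and parts.netloc:
        result["kind"] = "url"
        host = parts.hostname or ""
        result["host"] = host
        if parts.scheme == "http":
            result["flags"].append("not HTTPS")
        if host in SHORTENER_HOSTS:
            result["flags"].append("link shortener hides the real destination")
        if _is_ip_literal(host):
            result["flags"].append("IP address instead of a hostname")
        if any(label.startswith("xn--") for label in host.split(".")):
            result["flags"].append("punycode (IDN) host, possible look-alike domain")
        if parts.username is not None:
            result["flags"].append("credentials embedded before @ in the URL")
    elif parts.scheme:
        # WIFI:, mailto:, tel:, sms: and similar: the scanner may hand these
        # to another app, so the user should be told what they do first.
        result["kind"] = "other-scheme"
        result["flags"].append(f"non-web scheme '{parts.scheme}:'")
    return result


def triage_all(payloads):
    """Triage a batch of decoded payloads; returns the list of result dicts."""
    return [triage_qr_payload(p) for p in payloads]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_PAYLOADS):
        status = "OK" if not r["flags"] else "CHECK"
        print(f"[{status}] {r['kind']:<12} {r['host'] or '-':<28} {r['payload']}")
        for flag in r["flags"]:
            print(f"         - {flag}")
```

Run as a script it prints one line per sample payload with its flags; a mail gateway that already decodes QR images could feed the decoded strings into `triage_all` and apply the same link-reputation checks it uses for ordinary hyperlinks, closing the gap described in point 2.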

To summarise:

  • The QR codes used in pubs or restaurants are probably safe for you to scan.
  • Scanning QR codes in open spaces (like stations and car parks) might be riskier. As with many cyber attacks, you should be suspicious if you’re asked to provide what feels like too much information, whether that’s on a website or in any follow-up communications (such as a phone call).
  • If you receive an email with a QR code in it, and you’re asked to scan it, you should exercise caution as the NCSC is seeing an increase in these types of ‘quishing’ attacks.

Finally, we recommend that you use the QR scanner that comes with your phone, rather than an app downloaded from an app store. For more detailed information, you can refer to the ‘How to use QR codes safely’ guidance from the Canadian Centre for Cyber Security.