QR codes are everywhere these days. They appear on the tables at restaurants, on signage or tabletop displays at industry conferences, and at the bottoms of ads and important documents. They’re a quick and easy way to deliver the information you need – and they’re also a quick and easy way for cybercriminals to do harm. An October 2023 study conducted with 38 organizations across nine industries and 125 countries found that 22 percent of phishing attacks used QR codes to deliver malicious payloads. More recently, the FBI has identified reports of hackers using QR codes for scams, and security researchers have reported that malicious QR codes can bypass typical browser isolation, underscoring just how potent – and hidden – these attacks can be.

In my 30 years as a cyber professional, I’ve cautioned countless colleagues about the importance of never opening a suspicious email, never visiting a suspect URL, and never implicitly trusting an enticement to “click here” for more. But with QR codes, people are essentially doing exactly that. It’s akin to not wearing a seatbelt in a cab or in an Uber when you wear one religiously in your own car.

For some reason, we don’t always apply the same level of scrutiny to QR codes as we do to other online interactions. Yet, it’s crucial to remember that QR codes can obscure links behind shortened or masked URLs, often created by a third party. If you aren’t sure of the source, you could be redirected through multiple pages collecting information along the way.

To be clear, QR codes are a valuable tool. They’re not going anywhere, and I’m a fan of them – but only when people apply the same good habits around them that they do elsewhere online. As with any link, you must know the source before you scan and ensure that the resulting page or file is vetted and secure. With a few sensible precautions – like verifying the link’s authenticity, using trusted providers, and ensuring your device’s security is up-to-date – these codes can remain a safe and convenient way to access information.

For CISOs & Marketers

Chief information security officers at agencies and systems integrators should implement policies surrounding the use of QR codes and third-party link generators. They should inform staff of the risks QR codes can pose and should create compulsory training around how to safely use and interact with QR codes.

Even without a formal policy in place, marketers or other professionals who use QR codes can refrain from using third-party link generators altogether or limit the practice to a vetted, security-compliant provider. Providers who cannot offer a satisfactory preview of the link introduce an additional layer of risk. Beyond that red flag, using some of these providers can mean you lose control over cookies or data collected, which can impact compliance with frameworks like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) here in the U.S.

Where it’s necessary to use a third-party solution, CISOs can work with their colleagues to evaluate and identify providers who meet security and privacy standards. This helps ensure that any data captured is compliant and secure, and that the link itself is not redirecting through unverified channels. By establishing clear guidelines, organizations can still leverage QR codes effectively without compromising security or data privacy.

For QR Code Users

For any of us using QR codes – which is virtually all of us – it’s important to treat them like any other link and take a moment to verify what you’re about to open. Many smartphone cameras or QR scanner apps display a URL preview before you tap on it. Assess whether the URL resembles one you’d expect. For example, if you’re at a restaurant, does the restaurant’s name (or a short-hand for it) plus “menu” appear? Or do you see a random assortment of characters that tells you nothing? If it looks unrecognizable – or if you aren’t entirely sure – consider verifying the source or, if available, request a paper version of the content. By applying these everyday habits, you can enjoy the convenience of QR codes while keeping your information safe.
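The preview check described above can be written down as a small triage routine. The following Python is an added example, not code from the article: it assumes the phone camera or scanner app has already decoded the QR payload into a string, and it applies the questions a cautious user would ask (is it a web link at all, is the host a shortener or a raw IP, does the expected organization's name appear in the registrable domain rather than only in a subdomain or path). The shortener list, the two-label "registrable domain" approximation and the sample payloads are constructed placeholders for illustration.

```python
"""Triage a decoded QR-code payload before opening it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of link-shortener hosts.  A shortener hides
# the real destination, so the preview alone tells you nothing about where
# you will land.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def _norm(text: str) -> str:
    """Lower-case and strip everything but letters and digits for comparison."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def triage_qr_url(payload: str, expected_org: str) -> dict:
    """Return {"open": bool, "host": str, "findings": [str]} for a payload.

    expected_org is the organization you believe published the code (for
    example the restaurant's name).  The function never fetches anything and
    does not follow redirects; it only inspects the string the scanner shows.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # QR codes can carry non-URL payloads (wifi:, tel:, sms:, mailto:).
    # Anything that is not a plain web link deserves a look before acting on it.
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme: {scheme or 'none'}")
        return {"open": False, "host": "", "findings": findings}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append("plain http, no TLS")
    if host in SHORTENER_HOSTS:
        findings.append("link shortener: destination is hidden")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host: possible look-alike domain")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if parts.username is not None:
        findings.append("credentials embedded in URL (user@host pattern)")
    if host.count(".") >= 3:
        findings.append("deeply nested subdomains")

    # Simplified registrable domain: last two labels.  This ignores suffixes
    # such as co.uk and is an assumption made for the example.
    registrable = ".".join(host.split(".")[-2:])
    org = _norm(expected_org)
    if org and org not in _norm(registrable):
        if org in _norm(host) or org in _norm(parts.path):
            # Brand name in a subdomain or path of an unrelated domain is a
            # classic masking pattern.
            findings.append("expected name appears, but not in the registrable domain")
        else:
            findings.append("expected name absent from URL")

    return {"open": not findings, "host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might display them.
    samples = [
        "https://cafe-example.com/menu",
        "https://bit.ly/3abc",
        "http://cafe-example.com.menu-preview.example.net/m",
        "wifi:T:WPA;S:cafe;P:x;;",
    ]
    for s in samples:
        print(s, "->", triage_qr_url(s, "Cafe Example"))
```

Any finding means "pause and verify the source" rather than "definitely malicious"; the point is that the decision is made before the tap, with the same scrutiny applied to a QR payload as to a link in an email.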

Technology and Discretion: A Powerful Combination

Of course, as agencies increasingly deploy zero trust architectures and artificial intelligence for insider threat detection, they can still leverage the convenience that QR codes provide while mitigating risk. Advanced AI capabilities can establish user profiles, detect unusual behavior in online activity, and spot malicious links that might come from a scanned code. The same AI can also detect if credentials have been compromised or if an individual is being manipulated as an inadvertent insider threat.

It’s incredibly important to stay aware of all the tools that exist to help share information more securely at both the individual and enterprise levels – because it’s everyone’s responsibility. Heightened discretion around QR codes, combined with new and emerging technologies, is a powerful combination. Together, these tactics significantly bolster an organization’s ability to secure data and resources – all while still reaping the benefits of QR codes’ efficiency and convenience.

QR codes are just like any other link. They can be safe when used responsibly, but they can also pose a significant threat if applied carelessly. A thoughtful, policy-backed approach by CISOs and marketers, coupled with good habits by everyday users, can keep organizations secure – without losing the benefits of this ubiquitous tool.