In December 2022, a scammer in California worked up fake parking tickets with QR (quick response) codes on them, directing citizens to a phishing site collecting payment card information — just one of many such recent QR code-related scams. Though QR code use surged in popularity during the COVID-19 pandemic because of customer desire for touchless interactions, QR-code risk management is not maturing at the same rate as adoption.

You can try to wish the risk away, but QR codes aren’t going anywhere — they’re just too convenient. Forrester’s 2022 data shows that over half of online adults in France, the UK, and the US reported that they used QR codes for a wide variety of purposes. Consumers in metro India and metro China commonly use the codes to make payments, a use case likely to trend upward globally. So until big tech companies incorporate new error-correction approaches, malicious URL detection, and digital signature verification into the codes and code-reading technology, it’s on you to make sure customers stay safe when engaging with your brand. Otherwise, get ready for negative press and online reviews and potentially stolen data.

Consider Technological And Social Risks, Internally And Externally

QR codes have a range of vulnerabilities. For a physical QR code, sophisticated attackers can alter the code’s distribution of black and white modules so that it directs to their desired URL, and scammers can simply affix a new code over the existing one. In an ironic recent incident, posters in Melbourne with QR codes that people could scan to report vandalism such as graffiti were themselves vandalized — new QR codes were overlaid on the old ones to direct people to a pro-graffiti documentary. While that may seem harmless or even funny, the pranksters could have easily targeted citizens with malware or tracking cookies.

The risks of QR codes don’t start and stop with the code itself. QR code generator services represent another avenue of third-party risk for you to manage. Third-party services with lax security controls could find themselves targeted by attackers who steal your and your customers’ data. A malicious insider at your firm who has access to the QR code service account can create or alter digital or physical QR codes to steal your customers’ data or funds.

Mitigate QR Code Risks Across Their Lifecycle

For these reasons, you must mitigate the risk of QR codes at every stage: when they are created, when a user engages with them, and throughout their extended lifespan on social media and elsewhere. At every step, you must mitigate risk in the code’s design, in the third-party products and services used to manage the code, and in the broader information ecosystem to which the code links, such as promotional URLs at risk of expiring. For example, take advantage of the fact that the codes don’t need to be black and white: incorporate your brand’s colors and logos, making the code harder for a scammer to alter or replace inconspicuously. Create an easy process for employees to report any suspicious QR codes at customer-facing locations so that you can investigate promptly.
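To make the two controls mentioned above concrete, the following is an added example (not code from the original post, Forrester, or any QR reader vendor) of how a brand-side scanning app or landing page could verify the URL decoded from a QR code: it checks the host against an allowlist (catching an overlaid code pointing elsewhere), checks an embedded expiry (the "promotional URLs at risk of expiring" problem), and verifies an authentication tag over the URL’s contents (catching altered campaign parameters). The host name, campaign ids, and key are constructed placeholders. It uses a standard-library HMAC as a stand-in for the digital signature the post calls for, so it runs with no dependencies; a production scheme would use an asymmetric signature so that verifiers never hold the signing key.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed placeholders: a real deployment uses its own key and domain list.
SIGNING_KEY = b"example-campaign-signing-key"   # placeholder secret, not a real key
ALLOWED_HOSTS = {"promo.brand.example"}         # placeholder brand-controlled host


def _canonical(host: str, path: str, campaign: str, exp: int) -> bytes:
    # The tag covers host, path, campaign id and expiry together, so changing
    # any one of them (for example swapping the host) invalidates the tag.
    return f"{host}|{path}|{campaign}|{exp}".encode()


def sign_qr_url(host: str, path: str, campaign: str, exp: int,
                key: bytes = SIGNING_KEY) -> str:
    """Build the URL that gets encoded into the QR code at creation time."""
    tag = hmac.new(key, _canonical(host, path, campaign, exp), hashlib.sha256).hexdigest()
    query = urlencode({"c": campaign, "exp": exp, "sig": tag})
    return urlunsplit(("https", host, path, query, ""))


def verify_qr_url(url: str, key: bytes = SIGNING_KEY, allowed_hosts=ALLOWED_HOSTS,
                  now: Optional[int] = None) -> str:
    """Classify a decoded QR payload before following it.

    Returns one of: "ok", "bad_host", "missing_fields", "bad_signature", "expired".
    Checks run cheapest-first and stop at the first failure.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    # An overlaid or replaced code typically points at a host you do not own.
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return "bad_host"
    q = parse_qs(parts.query)
    try:
        campaign = q["c"][0]
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return "missing_fields"
    expected = hmac.new(key, _canonical(parts.hostname, parts.path, campaign, exp),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(expected, sig):
        return "bad_signature"
    # A stale promotion is rejected rather than landing the user on a dead or
    # repurposed page.
    if now > exp:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a campaign URL minted for the code, then several
    # variants a scanner might encounter in the field.
    good = sign_qr_url("promo.brand.example", "/spring", "SPR24", 2_000_000_000)
    samples = {
        "as printed": good,
        "overlaid code, other host": good.replace("promo.brand.example", "promo.brand-example.net"),
        "campaign id altered": good.replace("c=SPR24", "c=SPR25"),
        "tag stripped": "https://promo.brand.example/spring?c=SPR24",
    }
    for label, url in samples.items():
        print(f"{label:28s} -> {verify_qr_url(url, now=1_700_000_000)}")
    print(f"{'after expiry':28s} -> {verify_qr_url(good, now=2_000_000_001)}")
```

Because the check keys on the decoded URL rather than on the printed image, it works for both physical and digital codes; it does not, however, protect against a code that is entirely replaced with one pointing at a lookalike domain that the user reads by eye, which is why the allowlist check is paired with the visual branding the post recommends.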

QR code security sits at the intersection of data security, privacy, risk, and application security, and several members of the team contributed their expertise to those areas of our research. To learn how you can mitigate the direct and indirect risks that QR codes pose to your organization, read the latest research from our security and risk team, attend our upcoming webinar, or schedule an inquiry with us today.