QR Codes: Top tips for using them securely

Blog post by Dave Mound

What is a QR code?

With the introduction of the Covid-19 contact tracing app in England and Wales, we're all probably seeing more QR codes than ever before. Until track and trace, many people perhaps just saw QR codes as those little square blocky graphics that appear alongside advertising hoardings or in magazines. QR - or Quick Response - codes first appeared in the Japanese automotive industry in 1994 but were quickly adopted as a way of taking information from printed materials, such as packaging or posters, and transferring it to your mobile device. Similar to a standard barcode, but far more powerful, the QR code is capable of handling much more data, and all you need to scan one is a camera and a QR code reader app. Sometimes the codes are linked to specific apps, as is the case with the Covid-19 contact tracing app.

The normal workflow for scanning a QR code on a mobile device is as follows: you open the QR reader app, scan the code, the code is decoded by the app and then the data is presented to you. This could be a contact card that's already filled in, a visit to a web page via the browser, or even an app download. You may or may not be given the choice of previewing the URL of the website before the reader app opens it. Likewise, you may not be asked if you want to download the app you are being sent to. And that's a problem.

The dangers of QR codes

QR codes are not human readable: there is no way for you to see what information is contained in the code without scanning it (or painstakingly reverse engineering it). This means that attackers can hide malicious links within the code in the hope that unsuspecting victims will scan it. They can increase the likelihood of someone scanning the code by replacing QR codes on legitimate adverts. All it takes is to get a sticker printed and slap it over an existing QR code on the tube or at a bus shelter and job done. In this scenario, you could scan the QR, be sent to the malicious site and the attacker has won.

Let's picture a full scenario:

The attacker copies the website sign up page for company X and hosts it under a similar looking name. They then print out QR codes pointing to their fake site and stick them over company X's actual advertisements. You, as an unsuspecting victim, scan the QR code and are sent to what appears to be a registration form for company X. You fill in a username/email and password and hit submit ...

Now, question time! That password you just used to sign up, do you use it anywhere else? If you do, the attacker now has it, and they could try it on multiple other sites until they find the ones where you also used it.

What if they didn't just ask for a username and password and instead asked for further personal info? What about credit card info if you thought you were subscribing to a premium service or ordering goods? Can you see the problem?

Any time you visit a site controlled by attackers you are opening yourself up to malware, data theft, credential harvesting and more. This is why we need to be careful about the sites we connect to.

Top tips for using QR codes securely

Now don't get me wrong, I'm not saying QR codes are all bad. Many restaurants and cafes, for example, are now using QR codes to enable customers to order and pay for goods, to minimise interacting with people in response to Covid-19. So, if you do use them, make sure you take steps to protect yourself from scams and reduce the risk of becoming a victim of fraud.

✅ Always use a QR code reading app (sometimes called a scanning app) that will display the full URL of the site that the QR code links to. Make sure it's the full URL, too, and not just a small part of it.

✅ Check the URL of the site once the app has sent you there.

✅ Turn off any settings that automatically send you to the sites scanned. If your app doesn't allow this then get another app that does!

✅ Check for signs of tampering on the QR code: does it look like someone has stuck something over it? Does it look like a legitimate advertisement?

✅ Verify that the company and the URL match. So if you are expecting to go to the Cygenta website, for example, check that the URL shows up as

✅ Always expand shortened URLs and use an expander that will show all redirections before the final destination. Some expanders will only show the final step in a chain of redirections which could mean the malicious site is still hidden from you.

✅ Some QR code reading apps are actually security focused and will do a lot of the above security steps for you. Kaspersky's QR reader is one of those. It's available on iOS and Android and will check for malicious sites before visiting them.
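
The tips on reading the full URL, matching it to the company and viewing every redirection can be written as one check, shown here as an added example that is not part of the original post. The domain `company-x.example`, the redirect table and the `lookup` callable are constructed assumptions; a real `lookup` would request each URL with redirects disabled and return its `Location` header.

```python
from urllib.parse import urljoin, urlsplit

def url_warnings(url, expected_domain):
    """Reasons the full URL does not belong to expected_domain (empty list = match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # In https://brand@other.host/ the browser connects to other.host.
        warnings.append("text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host")
    # Compare the end of the host: brand.example.other.net belongs to other.net.
    if host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"host is {host}, expected {expected_domain}")
    return warnings

def expand_chain(url, lookup, max_hops=10):
    """Every hop from the scanned URL to the last one, not only the final step."""
    chain = [url]
    while len(chain) <= max_hops:
        location = lookup(chain[-1])  # redirect target, or None if there is none
        if location is None:
            break
        next_url = urljoin(chain[-1], location)  # Location may be relative
        if next_url in chain:  # redirect loop
            break
        chain.append(next_url)
    return chain

def review_scan(url, expected_domain, lookup):
    """(hop, warnings) pairs for the whole redirect chain of a scanned URL."""
    return [(hop, url_warnings(hop, expected_domain))
            for hop in expand_chain(url, lookup)]

# Constructed sample data: a shortened link that ends on a lookalike host.
EXPECTED = "company-x.example"
REDIRECTS = {
    "https://short.example/abc": "https://tracker.example/r?id=1",
    "https://tracker.example/r?id=1": "https://company-x.example.signup.example.net/register",
}

if __name__ == "__main__":
    for hop, warnings in review_scan("https://short.example/abc", EXPECTED, REDIRECTS.get):
        print(hop, warnings or "ok")
```

Every hop in the constructed chain is flagged, including the final one whose host only begins with the expected company name.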

