QR codes are appearing everywhere–even in Super Bowl ads–but consumers and business owners should know that there are risks.
The most talked-about ad from the Super Bowl this year was a colorful QR code bouncing around the television screen. If you pointed the camera on your smartphone at it, you were taken to the website for Coinbase, a cryptocurrency exchange. It’s a remarkably simple way to generate some viral marketing. But, you also let QRiosity get the better of you!
The QR code seems to finally be making its way to the mainstream. One of the reasons is Covid-19. QR codes are popping up everywhere as a way to direct customers to information without having to hand them a piece of paper or take a chance that they might mistype a URL.
Yet – There’s a problem.
Not every QR code is what it seems, and they’ve become a tool for bad actors. That’s why the FBI is warning consumers to be aware any time they scan a QR code, and take steps to protect their information. While the FBI’s warning isn’t specifically in response to the Coinbase ad, there’s an important lesson here–not just for consumers, but for business owners, as well.
The beauty of a QR code is that instead of asking someone to remember a website, you simply embed it in the code. When they scan the code, it takes them directly to whatever webpage you want.
A restaurant can put its menu online, put a sticker with a QR code on the table, and diners can simply scan the code and view the menu on their phone. QR codes can also be used to facilitate payments. For example, PayPal and Venmo allow users to scan a QR code to send money to each other. As you might imagine, anytime a new technology makes it easier to get people to visit a website, or send money, someone is going to abuse it. That’s exactly the warning that the FBI sent last month:
Even though the FBI was talking about QR codes generally, Coinbase’s ad was probably the most widely-used QR code ever. Millions of people saw the ad, and a large number of them scanned the code.
The problem is: What happens when a bad actor decides to take advantage of the publicity and send out emails with QR codes telling people they can scan it and take advantage of an “offer”? Because a QR code masks the website you are visiting, it’s easier to scam someone into handing over their personal information.
BLOG: QR codes can be the start of a malicious hack
You are not as likely to type in a website at the domain coinbasead.stealyourbitcoin.ru. On the other hand, if embedded in a QR code–and sent it out in a convincing email–when you scan it, you’ll see “coinbasead” and might not pay much attention to the rest of it. It’s not hard to make a copycat website designed only to steal your personal information, or your Bitcoin.
The FBI also warns that “malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location, as well as personal and financial information.”
Thankfully, there are a few things you can do to protect yourself when scanning QR codes.
First, only scan a QR code from a trusted source. If you visit a restaurant and your server places a table tent with a code on it so you can view the menu, you’re probably fine.
On the other hand, if you walk up to an ATM and there’s a sticker next to the screen that says, “Make your transaction online using this code and we’ll give you $50,” it’s probably a scam. In fact, we never recommend scanning a QR code on a sticker without first asking, to be sure it’s legitimate.
Second, when you scan a QR code, make sure that the website you visit is authentic. Check the URL to make sure it’s what you expected. Don’t ever enter your personal information on a website without verifying that it is official and secure.
Third, if you get an email with a QR code, there’s no reason to ever scan it. QR codes are meant for interactions where you can’t just click on a link. If the person sending you an email doesn’t include the link in the body of the email, that should be a red flag.
Finally, if you’re a business and you are using QR codes, there are a couple of things you should do as well.
If you’re going to use a QR code, make sure that the one your customers scan is the one you created. That means making sure no one has covered the official code with a sticker, for example.
Also, including the URL on your sign can help customers have peace of mind when scanning your code. Include language along the lines of, “This code will take you to our menu at menu.reallynicerestaurant.com. If it doesn’t, please let us know, and don’t enter any personal information.”
In summary, it all comes down to you – take precautions when scanning QR codes. If you are not comfortable with the source, then do not scan it. Don’t let QRiosity get the best of you!
VIDEO: Orange Couch Tip – Don’t Let QRiosity Get the Best of You