March 1, 2024

And you don’t need anything special to create a QR code. The tools are widely available and straightforward to use, and putting together a QR code of your own isn’t much more difficult than scanning one. If you wanted to create a QR code that points to a website that’s been put together for malicious purposes, it would only take a couple of minutes. The QR code could then be stuck on a wall, attached to an email, or printed on a document, ready to be scanned.

The aims of these websites are the same as they’ve always been: to get you to download something that will compromise the security of your accounts or your devices, or to get you to enter some login credentials that will then be relayed straight to the hackers (most probably using a spoof site set up to look like something genuine and trustworthy). The intended end results are the same as ever, but the method of getting there is different.

Avoiding QR Code Hacks

The security precautions you should already be using are the same ones that will keep you protected against QR code hacking. Just as you would with emails or instant messages, don’t trust QR codes if you’re not sure where they’ve come from—perhaps attached to suspicious-looking emails or on websites that you can’t verify. The QR code on the menu in your local restaurant, in contrast, is highly unlikely to have been generated by hackers.

Of course, there’s always the chance that the accounts of your friends, family, and colleagues have been compromised, so you can never be 100 percent sure that a message with a QR code in it is genuine. Scams will usually try to imply a sense of urgency and alarm: Scan this QR code to verify your identity or prevent the deletion of your account or take advantage of a time-limited offer.

[Image: You should get a preview of the link you’re visiting from a QR code. Credit: Apple via David Nield]

As always, your digital accounts should be as heavily protected as possible, so that if you do fall victim to a QR code trick, safety nets are in place. Switch on two-factor authentication for every account that offers it, make sure your personal details are up to date (such as backup email addresses and phone numbers that can be used to recover your accounts), and log out of devices you’re no longer using (you should also delete old accounts you no longer have any need for).

Finally, keep your software up to date—something that’s happily now very easy to do. The latest versions of popular mobile web browsers come with built-in tech for spotting fraudulent links: These integrated protections aren’t infallible, but the more up-to-date your browser and mobile OS are, the better your chances of getting a warning on screen if you’re about to visit an unsafe location on the web.