Lately, restaurants have ditched the sticky, laminated menus in favor of using QR Codes. This contactless exchange of information has been especially helpful during the pandemic—but is taking the links provided always safe?

What are QR Codes?

QR Codes are a type of matrix bar code with heavy use in advertising to consumers. They were created in 1994 by the Japanese company DENSO WAVE, a division of the Toyota Group. At the time, Toyota was scanning multiple barcodes per automotive part, which was both time-consuming and prone to error. To rectify that, engineer Masahiro Hara developed the Quick Response Code—QR Code—to keep things at Toyota running efficiently and accurately by allowing a larger amount of data to be stored within each QR Code. DENSO WAVE then made the code freely available, choosing to profit from selling scanners to read the codes instead of licensing fees.

It wasn’t until 2002 that the QR Code started really gaining momentum. With the rise of the mobile phone, the scanner was now available in your pocket, allowing the public easier access to read codes. Today, QR Codes can be made freely and are used in a variety of functions, such as logging into Wi-Fi networks and sharing links.

How can they be dangerous?

Cybercriminals have found a variety of ways to use QR Codes as a way into your phone—and compromise your personally identifiable information (PII). Since you cannot see the link you’re taking before you take it, QR Codes can be used to direct a user to an infected website or trigger a malicious download. This can be done by sending legitimate-looking phishing emails with a QR code inside or posting QR codes in places that make people curious.

Additionally, since phishing websites can use URLs that look similar to trusted websites—and mimic their layouts—they may also be taking your login information for the site they’re emulating. Once you visit the phishing site and log in, your credentials will be compromised, allowing cybercriminals to access your accounts and private information.

Although there has been some buzz around companies using QR codes to collect customer information, this type of information-gathering is regulated. But even though QR codes themselves don’t infringe on your privacy, third-party tracking may. Retailer websites could be sending your information to third-party companies, something that you may miss if you don’t read every website’s privacy policy.

How do I use QR Codes safely?

To use QR Codes safely, we recommend taking the following precautions:

  1. Never scan a QR code from an untrusted source. If you can’t verify with certainty where QR codes are coming from, then do not scan them.
  2. Check to make sure the QR code you’re scanning is not altered in any way. Cybercriminals may place stickers over the original code from a trusted source in an attempt to piggybank off of someone else’s reputation and get to your data.
  3. Turn on private browsing mode to cut down on tracking by third parties. Browsers like Firefox and Safari also have anti-tracking features.
  4. Use QR scanners that display website URLs. Most QR scanners directly display the website after scanning the code. If you can see it before, it may prevent taking a malicious link.
  5. Regularly update your device. By ensuring everything is up to date with software patches and third-party security applications, you can fortify your device’s security and help prevent your information from being stolen.