How to protect yourself from a malicious QR code

You've probably seen an image of a square made up of many smaller squares in a restaurant or public space, like a maze or mosaic of two contrasting colors, usually black and white. These are QR codes, a technology that allows quick and direct access to certain information.
Using them is simple; you just need to scan the code with a mobile device's camera, and within seconds, they offer the ability to browse various data. These codes have gained popularity, but while they have advantages in terms of accessibility, their widespread use has also come with several risks.
What are they?
Essentially, a QR code, or Quick Response code, is a type of barcode that's easy to read on digital devices and stores information in a series of pixels in a grid. Although they may seem simple, QR codes can store a large amount of data, but regardless of their content, scanning them should allow the user to access the information instantly, according to the cybersecurity firm Kaspersky's website.

They are generally used to redirect to a URL, to access phone numbers or emails, to show menus or digital product portfolios, to download documents, as a direct link to download an application, to authenticate online accounts and verify login data, to access a Wi-Fi network (since they store encryption and password information), and to send and receive payment information, among other uses.
However, just as it's not safe to click on any link or file on the web, it's also not safe to scan any QR code. Since human eyes can't decipher these codes, it's easy for attackers to alter them so that scanning them will direct you to another resource without the person realizing it's a malicious action.
The dangers 
Scanning malicious QR codes poses multiple risks; for example, technology firm Microsoft points out that since QR codes open links immediately, attackers can replace legitimate codes with counterfeit ones and use this to commit phishing, a tactic in which forged web pages are disguised as those of legitimate entities (such as banks, social networks, or companies) to trick people into handing over sensitive information, such as passwords or banking details.
Likewise, according to a publication by the Canadian Centre for Cyber Security, by directing users to different websites, criminals can track their online activity, meaning their data can be collected and used for commercial purposes without their consent; or they can collect metadata such as the type of device the code was scanned on, IP address, and location.
Additionally, some websites perform direct downloads even without authorization, so simply opening a web page by scanning a code can initiate the download of malicious software. “Mobile devices, in general, tend to be less secure than computers or laptops, and since QR codes are read through mobile devices, this increases the potential risks,” Kaspersky noted.
Microsoft added that hackers can physically replace a QR code in a public space, but also send emails with fake messages like, "Your credit card information is out of date, scan the QR code to resolve it."

There are several actions that can help users protect themselves, according to a post from Duke University's Office of Technology Security. For example, reviewing the code for suspicious elements: Does the surrounding text or message look appropriate? Does the logo in the center of the code look legitimate? Does the code's design match the brand's colors and specifications? And so on, down to the smallest details.
It's also important to check the URL before opening it. Most mobile QR readers provide a preview when you scan the code. You can see this before opening the link to see if the URL matches what you're looking for. Check for malicious signs, such as a strange name in the URL, before clicking.
When you open the web page, check that the address begins with https:// and that the URL has a padlock or is marked as secure by your browser.
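The URL checks described above can be automated once a QR code has been decoded to text. The following Python code is an added example, not part of the original article; the warning labels, the short-link host list, the `expected_host` parameter and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed short-link hosts (illustrative only); a short link hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def classify_payload(payload: str) -> str:
    """Return the kind of action a decoded QR payload would trigger."""
    head = payload.strip().lower()
    prefixes = (("wifi:", "wifi"), ("tel:", "phone"), ("mailto:", "email"),
                ("http://", "url"), ("https://", "url"))
    for prefix, kind in prefixes:
        if head.startswith(prefix):
            return kind
    return "other"

def url_warnings(payload: str, expected_host: str = "") -> list[str]:
    """List reasons to distrust a URL payload before opening it."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before '@' is not the site: https://bank.example@other.test
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # may render as a look-alike name
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not a raw IP address
    if host in SHORTENERS:
        warnings.append("shortened-link")
    if expected_host and host != expected_host \
            and not host.endswith("." + expected_host):
        warnings.append("unexpected-host")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    samples = [
        ("https://menu.restaurant.example/table/4", "restaurant.example"),
        ("http://192.0.2.10/pay", "restaurant.example"),
        ("https://bank.example@login.evil.test/update", "bank.example"),
    ]
    for text, expected in samples:
        print(classify_payload(text), url_warnings(text, expected), text)
```

An empty warning list only means none of these specific signs were found; it does not establish that the destination is trustworthy.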
Furthermore, cybersecurity companies advise against sharing personal information on these websites unless you fully trust the source.
Another action to avoid is downloading third-party apps to scan QR codes, since modern smartphones include the code-scanning feature within the camera app. Another option for reading them is the Google Lens feature; to use it, you must open the Google app on your mobile device and you will see a camera icon with a dot in the lower right corner at the end of the search bar.

Additionally, it's not recommended to scan QR codes posted in public places, such as transit stations or street signs, or to scan QR codes received in emails or text messages from dubious sources. If you can't verify the sender (the brand, company, entity, etc.) that generated them, it's best not to read them.
Finally, it's a good idea to set your device to request permission and verification before executing a QR code action, keep your device updated, and consider using an antivirus to protect yourself from this and other digital risks, but make sure it's from trusted companies.
FERNANDA ORTIZ HERNÁNDEZ (*)
El Universal (Mexico) - GDA
(*) With information from EL TIEMPO