Posted on: 28th October 2024
QR Codes – what are the risks?
QR codes seem to be everywhere - on pub and restaurant menus, on supermarket special offers, for paying for car parking, and as the route to filling out surveys.
But how safe is it to hover, click and scan?
QR codes have in fact been around since the Nineties, although they really came into their own during the Covid pandemic when they were used for everything from ordering food to checking vaccination status.
Fast forward just a few years and QR codes are widely used for things like quickly directing users to websites, logging into devices that lack keyboards (such as online video services on smart devices), or ordering or paying for goods and services.
Understandably, people sometimes worry about whether to trust these QR codes. Many are used in public spaces (like pubs and restaurants which are deemed to be relatively safe), so you may be wondering: are criminals placing malicious QR codes to steal money or information, or to trick people in some way?
The majority of QR code-related fraud tends to happen in open spaces (like stations and car parks), and often involves an element of social engineering.
However, QR codes are increasingly being used in phishing emails (a technique sometimes called ‘quishing’).
Have you spotted a recurring payment to a company you’ve never heard of? You’re not alone, as subscription traps - often linked to dodgy QR codes - are one of the most commonly reported complaints to the Which? scam sharer tool.
People find they've been charged for subscriptions they didn’t sign up for after trying to download apps on their phones, or scan QR codes in restaurants, pubs, shops, bus stops, stations and car parks. Others notice payments to brands they don't recognise, but don't know where these companies got their card details from.
Five ways to use QR codes safely – thanks to consumer champions Which?
- Check for evidence of tampering when you scan QR codes in public spaces, as someone may have placed a sticker over the real one, or it may look out of place. If in any doubt, type in the web address manually to visit the correct website.
- Don't use an app to scan QR codes as it increases the risk of downloading malware or being redirected to a misleading advert. Most phones have a scanner built into the camera, so use this instead.
- Preview the web address as you start to scan it - you should be able to inspect the link by clicking on additional settings within the scanner, or you could turn off internet access for your device (put it on airplane mode) and open the link to view the address details first. If it doesn’t begin with ‘https’ or the website's address is different to what you were expecting, then don't visit it.
- Don't use QR codes to download apps as this increases the risks of installing something malicious. Use a verified app store instead (Play Store at play.google.com or App Store at apps.apple.com).
- Avoid QR codes in emails. Scammers are increasingly using QR codes to disguise malicious links, because email security tools don’t always scan images.
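The "preview the web address" check above can be written down as code. This is an added example, not from Which? or the original article. It goes beyond the two checks in the text (https and the expected website) to cover cases where the expected name appears in the address but is not the site actually visited. It assumes that sub-sites of the expected website are acceptable; the function name and the sample addresses are made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def preview_qr_url(decoded, expected_host):
    """Return a list of reasons not to visit the decoded address ([] = passes)."""
    reasons = []
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        username = parts.username
    except ValueError:
        return ["address is malformed"]
    expected = expected_host.rstrip(".").lower()
    if parts.scheme.lower() != "https":
        reasons.append("does not begin with https")
    if username is not None:
        # Anything before '@' is login data, not the site being visited.
        reasons.append("text before '@' hides the real website")
    if not host:
        return reasons + ["no website address found"]
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("encoded (punycode) name that may imitate another")
    # The expected name must be the END of the host, on a dot boundary
    # (assumption: sub-sites of the expected website are acceptable).
    if host != expected and not host.endswith("." + expected):
        reasons.append("website is %s, not %s" % (host, expected))
    return reasons

# Constructed sample addresses (reserved test domains, not real sites).
SAMPLES = [
    "https://parking.example/pay?bay=12",
    "https://pay.parking.example/",
    "http://parking.example/pay",
    "https://parking.example.pay-now.test/",
    "https://parking.example@pay-now.test/",
    "http://192.0.2.10/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", preview_qr_url(url, "parking.example") or "looks as expected")
```

The fourth and fifth samples both contain the expected name and begin with https, yet the website they lead to is `pay-now.test`.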