The Federal Trade Commission (FTC) warned the public against scanning old QR codes in a consumer warning blog last week. Naturally, the warning comes down to security and privacy: bad actors can place QR codes in inconspicuous places or send them via text message or email, and then sit back and wait for a payday in the form of money, logins, or other sensitive information .
The New York Times reported that John Fokker, head of threat intelligence at cybersecurity firm Trellix, said Trellix found more than “60,000 examples of QR code attacks” in the third quarter of this year alone. The Time wrote that the most popular scams included payroll and HR impersonators and mail-in scams. Early last year, police in several Texas cities said they had found fraudulent QR codes on parking meters, directing people to a fake payment site.
To avoid falling victim to bad code, the FTC suggests ignoring unexpected emails or other messages that you didn’t expect and that come with an urgent request. It’s also good to check the URL that appears on your screen during the scan to make sure it’s a site you trust. On the other hand, even a legitimate QR code can show you an unreadable and meaningless shortened web address, so if you know which site you want to visit, it’s best to go there directly.
The Commission also recommends the old standard of updating your devices and ensuring you have good, strong passwords and multi-factor authentication for sensitive accounts. If you’re not sure how to do that second part, check out our guide to two-factor authentication, which includes instructions for some of the most popular sites and services.
In addition to the FTC’s recommendation, there are other things you can do. For example, don’t download a QR code scanning app; built-in camera apps for Android and iOS already do that, and apps can sometimes be created for nefarious purposes themselves. The FBI also has a list of recommendations in a similar blog it published in September, but if you’re unsure of a code, generally don’t scan it.