What’s your policy on scanning QR codes?

Since the COVID lockdowns, QR codes have become increasingly commonplace as a quick way to direct people to websites, to log into online video services on smart TVs and TV boxes, or to order or pay for goods and services.


But is your business protected from the risks that may come from criminals using malicious QR codes? Do you have a policy for your staff in place? What issues do you need to consider?


The National Cyber Security Centre (NCSC) have provided some guidance on the subject in a recent blog post.


They advise that QR code related scams are relatively small compared to other types of cyber fraud. The majority of QR code-related fraud usually happens in stations, car parks or other open spaces and often feature an element of social engineering, such as a criminal posing as a bank employee calling to continue the deception.


QR codes are increasingly being used in phishing emails, sometimes called ‘quishing’. This is because people are more suspicious of links in emails and so QR codes may more easily disguise a link to a malicious website. Also, security tools that detect phishing emails may not scan images and so let a QR code through.


Criminals are also aware that a person is likely to use their personal phone to scan a QR code. Personal devices don’t usually have the same security protections as an employer-provided computer.


NCSC make the following recommendations that could be used as the basis for a work policy on use of QR codes:

•  QR codes used in pubs and restaurants are likely to be safe.
• Scanning QR codes in stations, car parks and other open spaces is likely to be riskier. Whenever you are being asked to provide what feels like too much information you should be suspicious.
• Exercise caution about scanning a QR code in an email. These types of quishing attacks are on the increase.
• Use the QR scanner that comes with your phone rather than using an app downloaded from an app store.
  See: