The most talked-about ad from the Super Bowl this year was a colorful QR code bouncing around the television screen. If you pointed the camera on your smartphone at it, you were taken to the website for Coinbase, a cryptocurrency exchange. It's a remarkably simple way to generate some viral marketing.
The ad generated so much traffic that it crashed Coinbase's app, which, as I wrote previously, is a bad thing when you're trying to convince people they should trust you with their financial assets. More important, however, is that the QR code seems to finally be making its way to the mainstream.
One of the reasons is Covid-19. QR codes are popping up everywhere as a way to direct customers to information without having to hand them a piece of paper or take a chance that they might mistype a URL.
There's a problem, however. Not every QR code is what it seems, and they've become a tool for bad actors. That's why the FBI is warning consumers to be aware any time they scan a QR code, and take steps to protect their information. While the FBI's warning isn't specifically in response to the Coinbase ad, there's an important lesson here--not just for consumers, but for business owners, as well.
The beauty of a QR code is that instead of asking someone to remember a website, you simply embed it in the code. When they scan the code, it takes them directly to whatever webpage you want.
So a restaurant can put its menu online, put a sticker with a QR code on the table, and diners can simply scan the code and view the menu on their phone. As businesses tried to figure out how to safely operate during a pandemic, the idea that you wouldn't have to pass menus back and forth between people was very appealing.
QR codes can also be used to facilitate payments. For example, PayPal and Venmo allow users to scan a QR code to send money to each other. As you might imagine, anytime a new technology makes it easier to get people to visit a website, or send money, someone is going to abuse it. That's exactly the warning that the FBI sent last month:
"Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use."
Even though the FBI was talking about QR codes generally, Coinbase's ad was probably the most widely used QR code ever. Millions of people saw the ad, and a large number of them scanned the code.
The problem is: What happens when a bad actor decides to take advantage of the publicity and sends out emails with QR codes, telling people they can scan them and take advantage of an "offer"? Because a QR code masks the website you are visiting, it's easier to scam someone into handing over their personal information.
If I made a website at the domain coinbasead.stealyourbitcoin.ru, you're probably not going to type that into a browser. On the other hand, if I embed it in a QR code--and send it out in a convincing email--when you scan it, you'll see "coinbasead" and might not pay much attention to the rest of it. It's not hard to make a copycat website designed only to steal your personal information, or your Bitcoin.
The FBI also warns that "malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location, as well as personal and financial information."
This is less of a concern on an iPhone due to the fact that you can't download software to your device from a web browser on iOS. It doesn't mean, however, that a bad actor can't just create an app that runs directly in the browser. On devices where you can download software directly from the internet, like an Android, QR codes could pose an even bigger threat.
Thankfully, there are a few things you can do to protect yourself when scanning QR codes.
First, only scan a QR code from a trusted source. If you visit a restaurant and your server places a table tent with a code on it so you can view the menu, you're probably fine.
On the other hand, if you walk up to an ATM and there's a sticker next to the screen that says, "Make your transaction online using this code and we'll give you $50," it's probably a scam. In fact, I personally wouldn't ever scan a QR code on a sticker without first asking, to be sure it's legitimate.
Second, when you scan a QR code, make sure that the website you visit is authentic. Check the URL to make sure it's what you expected. Don't ever enter your personal information on a website without verifying that it is official and secure.
Also, if you get an email with a QR code, there's no reason to ever scan it. QR codes are meant for interactions where you can't just click on a link. If the person sending you an email doesn't include the link in the body of the email, that should be a red flag.
Finally, if you're a business and you are using QR codes, there are a couple of things you should do as well. If you're going to use a QR code, make sure that the one your customers scan is the one you created. That means making sure no one has covered the official code with a sticker, for example.
Also, including the URL on your sign can help customers have peace of mind when scanning your code. Include language along the lines of, "This code will take you to our menu at menu.reallynicerestaurant.com. If it doesn't, please let us know, and don't enter any personal information."
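For readers who want to see what "check the URL" means in practice, here is an added example (not part of the original article) that compares the text decoded from a QR code with the hostname a business printed on its sign. The function name, the sample scans and the use of coinbase.com as the expected host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def check_scanned_url(decoded, expected_host, allow_subdomains=False):
    """Return (ok, reason) for text decoded from a QR code.

    expected_host is the hostname the business printed next to the code.
    """
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return False, "decoded text is not a parseable URL"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    # .hostname drops any port or user-info part and lowercases the name.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if not host:
        return False, "no hostname in the decoded text"
    if host == expected:
        return True, "host matches the published URL"
    if host.endswith("." + expected):
        return allow_subdomains, "host is a subdomain of the published host"
    # Hostnames are owned from the right: whoever registered the last labels
    # controls every label to their left. Taking the last two labels is an
    # approximation (it is wrong for suffixes such as .co.uk).
    owner = ".".join(host.split(".")[-2:])
    brand = expected.split(".")[-2] if "." in expected else expected
    if brand in host:
        return False, f"'{brand}' appears in the name, but the site belongs to {owner}"
    return False, f"host {host} is not {expected}"

# Constructed sample scans: (decoded text, host the scanner expected).
SAMPLES = [
    ("https://menu.reallynicerestaurant.com/", "menu.reallynicerestaurant.com"),
    ("https://coinbasead.stealyourbitcoin.ru/offer", "coinbase.com"),
    ("http://menu.reallynicerestaurant.com/", "menu.reallynicerestaurant.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(url, "->", check_scanned_url(url, expected))
```

The second sample is the lookalike described earlier: the familiar word sits in the leftmost label, while the part of the name that decides who runs the site is stealyourbitcoin.ru.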