The Coinbase Super Bowl ad sparked several conversations in my family. My son in college used the QR code to sign up to buy cryptocurrency, something he had been interested in for a while. My mother-in-law mistakenly scanned the code wondering what she could get for free. My husband scanned the code to get more information. Only my college-age daughter wondered if it was safe to click. Yes, our family contributed to the more than 20 billion people scanning the code, according to PC Magazine.

But I was more than a bit shocked at an ad normalizing behavior that scammers use. I spend my waking hours warning people not to click links when they don’t know where they lead. And when I logged on the next morning, I realized that I was not alone. Other cybersecurity experts were wondering the same thing. PC Magazine proclaimed the ad a “security nightmare.” It worked, though. The ad and promotion were even more popular than Coinbase expected, and the response crashed the Coinbase app temporarily.

Just like security experts constantly warn us not to click on unknown links, the same principle applies to QR codes. They are essentially a link embedded in an image. If you click a QR code from an unknown source, it’s exactly the same as clicking an unknown link. By showing a QR code during the most watched sporting event of the year — and making it flash colors and dance — was Coinbase normalizing risky behavior and setting up people to be victims of phishing?

What’s the latest in QR code security? What can businesses do to protect themselves and their customers when using QR codes?

Latest developments for QR code security

While QR codes are not new, their adoption has recently increased. Many people used QR codes for the first time during the pandemic to view a restaurant menu. And QR codes are often part of cryptocurrency transactions. Those are also on the rise, creating another opportunity for people to use the codes in transactions. The QR codes themselves aren’t malicious. But the cybersecurity risk begins at the link that loads when you scan it.

No one is accusing legitimate companies of creating QR codes with malicious links, or expecting them to. Instead, the biggest issue is what happens after the promotion airs. People share the link on social media. People reshare popular ads for weeks. The person clicking on the link assumes that it’s the original, legitimate link. However, it’s possible for threat actors to change the links in a social media post to malicious links.

Like with phishing emails, attackers can create QR codes and put them in places that appear legitimate. Many people who fall for a phishing scam are fooled into thinking that it’s a legitimate business.

Changing common wisdom

However, the adoption of QR codes is dramatically outpacing the message of ‘don’t scan unknown QR codes’. Think of how often you hear not to click on unknown links. It’s a lot. But people still fall prey to phishing scams. So, the risk of QR codes becoming a vehicle for attacks is very important right now. The cybersecurity industry needs to increase education. However, the question becomes what responsibility legitimate businesses have in encouraging the safe use of QR codes by consumers.

The most important message for consumers (and what I told my mother-in-law when we talked about QR codes after she got a Coinbase account she didn’t need) is that they should question every QR code before scanning to make sure it’s original. For example, a QR code in a printed magazine is likely safe. However, you should be wary of a QR code hanging on a community bulletin board. Additionally, consumers should not click on codes that are in emails or social media, since these are easily manipulated. QR codes that are stickers are more likely to be compromised than those actually on the menu.

QR codes and privacy

Whenever QR codes come up, the privacy discussion soon follows. As a business owner considering using them, you may be wondering if QR codes can track location. No, they can’t. But, you do need to use QR codes in a way that doesn’t compromise a customer’s privacy.

What a QR code does is connect a customer’s in-person activity with a brand to their online activity. Once a customer scans a QR code, you as the business owner know that they are the same person who came to the store yesterday and visited the website today to make a purchase. By creating a single customer profile across channels, you can improve recommendations and create personalized experiences. However, as a business owner you need to make sure that your customers using QR codes understand what information they are giving out. We will get to the specifics on how to do that in a minute.

Ways businesses can use QR codes

The popularity of QR codes is growing both with businesses and consumers. At the same time, the number of ways you can use them to help your business is growing, too. When a customer scans a QR code, you can connect their online profile to their physical actions. By creating opportunities where customers feel it’s beneficial to scan, you can collect first-party data. That helps you improve your marketing and customer experience.

Here are some ways to use QR codes to help your customers and your business:

  • Short links: You can use the QR codes to make it easier for shoppers to access online information. For example, say you want customers to go online to fill out a store credit card application. You can display a QR code instead of a link. This makes it easier for the customer and more likely that they will actually follow through.
  • Menus: Restaurants will likely use QR codes for diners to access menus long after the pandemic is a memory. This saves on the cost of reprinting menus every time items change. The restaurant uses the online version as the single source of truth and simply updates the menu on their website. Restaurants can also dynamically display nightly specials on the online menu, saving the cost of printed flyers.
  • Business cards: Instead of cramming a lot of information on a business card, you can use a QR code that links to your website or a special page containing your information. Even better, you can embed tracking in the link so you can see how effective the QR code is for leads. QR codes are a great tool to use for in-person sales events, such as trade shows, because you can track the effectiveness for months after the event.
  • Product demonstrations: You can often increase sales of an item if customers can see how it works in real life. But it isn’t possible to have live demos all of the time. Instead, you can create a video showing how it works or the benefits and post a QR code near the item. Now shoppers can get a personal demonstration and you can increase sales.
  • Reviews: The best way to get customers to leave reviews is to ask them and make it as easy as possible. Post a QR code near the checkout or at your tables so customers can scan and leave a review right when the positive experience is top of mind.

Best practices for businesses using QR codes

As a business owner, you want to help promote the safe use of QR codes and QR cyber safety. If consumers have a bad experience using a QR code, then they are less likely to scan in the future, even for legitimate business. You also want to make sure that your QR codes are set up in a way that reduces the odds of a threat actor using your QR code for malicious purposes. Even though you have no direct involvement with a phishing scam from your business’s QR code, unfortunately, your business may be linked in the customer’s mind with the negative event.

Here are ways you can responsibly use and promote the use of QR codes:

  • Recommend using a secure scanning app instead of just a smartphone. By encouraging customers to use a scanning app with security, they have additional protection against malicious links. You can make it easy for customers to be safe by including a link to download a secure scanner where the QR code is posted.
  • Print out the URL as well so people can just type it in to be extra safe. The best way to avoid clicking on a QR code with a malicious link embedded is to type the URL and not scan. You should encourage this practice by always including the actual link for those that want to take the longer and safer route.
  • Limit the use of QR codes in social media and emails. Don’t send out QR codes in email or social media. Doing so invites attackers to target your customers and tarnish your reputation by using your company as a front for phishing. Not to mention that using QR codes on digital channels defeats the main benefit of QR codes: giving customers an easy way to access online material when not in front of a computer and for you to connect physical and digital identities. When someone is already on social media or email, then asking them to scan a QR code is an extra and needless step. Don’t use a QR code when a link will do.
  • Educate customers on QR code safety. Instead of encouraging people to click on QR codes without understanding their purpose, use the opportunity to educate customers. You can include a note about not clicking on QR codes without knowing they are from legitimate companies and give tips on how to know.
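
One way a business could act on two points above (print the URL beside the code, and sticker codes are the ones most likely to be swapped) is to periodically scan its own posted codes and compare what they decode to with the printed URL. This is an added example, not part of the original article; the function name, the `shop.example` address and the sample payloads are constructed for illustration, and decoding the image is left to whatever scanner is used.

```python
from urllib.parse import urlsplit

PRINTED_URL = "https://shop.example/card-apply"  # constructed: URL printed beside the code

def audit_qr_payload(decoded: str, printed_url: str = PRINTED_URL) -> list[str]:
    """Return reasons the decoded payload does not match the printed URL ([] = match)."""
    try:
        got, want = urlsplit(decoded.strip()), urlsplit(printed_url.strip())
        got_host = (got.hostname or "").rstrip(".")
        want_host = (want.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if got.scheme != "https":
        findings.append("scheme is not https")
    # "https://brand@other-host/" shows the brand name but loads other-host.
    if got.username is not None or got.password is not None:
        findings.append("userinfo present before host")
    # An xn-- label can render as a look-alike of the brand's name.
    if any(label.startswith("xn--") for label in got_host.split(".")):
        findings.append("punycode label in host")
    if got_host != want_host:
        findings.append(f"host {got_host!r} differs from printed host {want_host!r}")
    elif (got.path or "/") != (want.path or "/"):
        findings.append("path differs from printed URL")
    # Query strings are not compared: a campaign-tracking parameter is expected.
    return findings

# Constructed payloads, as a scanner might decode them from codes posted in a store.
SAMPLES = [
    "https://shop.example/card-apply?src=counter",   # original code with tracking
    "HTTPS://Shop.Example/card-apply",               # same URL, different letter case
    "http://shop.example/card-apply",                # downgraded scheme
    "https://shop.example@pay.invalid/card-apply",   # brand name used as userinfo
    "https://shop.example.pay.invalid/card-apply",   # brand name used as subdomain
    "https://xn--shp-constructed.example/card-apply",  # look-alike style host
]

if __name__ == "__main__":
    for payload in SAMPLES:
        problems = audit_qr_payload(payload)
        print("FLAG" if problems else "OK  ", payload, problems)
```

Any flagged code is one to pull and reprint; the same comparison is what a customer does by eye when the printed URL sits next to the code.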

Moving forward safely with QR codes

Now that customers are more familiar with QR codes thanks to the pandemic, businesses should look for easy-to-use digital tools to help customers get more information from their smart devices about their products and services. At the same time, you can learn more about your customers through the QR code. By taking the extra step of using QR codes in a cyber-safe manner and educating customers on safe QR usage, you can help increase the adoption of these useful digital tools.
