QR codes have become a common feature in retail, marketing and payment systems, changing the way businesses engage with consumers while offering convenience and efficiency.
As the adoption of QR codes has surged, so too have concerns about their security. Experts in the cybersecurity and retail industries offered insights to PYMNTS about the benefits and potential risks associated with QR codes, and how businesses and consumers can mitigate those risks.
The popularity of QR codes in retail can be attributed to their simplicity and convenience.
“Businesses want to use the power of mobile phones that practically all consumers have with them, but many people find typing long URLs on their phone keyboards cumbersome,” Randy Pargman, senior director of threat detection at Proofpoint, explained to PYMNTS. “QR codes have been around for a while, used for shipping labels, but suffered from the fact that average people did not really know what to do with them, and they had to download an app to scan them. Since phone manufacturers started including QR scanning as a normal feature of the camera application in most phones, accelerated by the contactless menus and other innovations that resulted from COVID restrictions, QR codes became easy, convenient and known to everyone.”
The pandemic accelerated this trend, with contactless menus and digital interactions driving the adoption of QR codes across industries.
“The rapid adoption of QR codes can largely be attributed to COVID-19, which normalized their use in everyday interactions,” Bellamy Grindl, principal and founder of Retailytics, told PYMNTS. “Brands have since capitalized on this familiarity to bridge the in-store and online experience. QR codes enable brands to attribute sales in an omnichannel environment and, for those operating in multichannel setups, create opportunities to acquire customers directly.”
Making QR codes additive rather than disruptive is crucial, Grindl said.
“When done well, QR codes can streamline the shopping experience, providing immediate access to product specs, reviews or promotions,” she said. “However, some brands miss the mark. For example, requiring shoppers to scan codes for basic product details — like pricing — can feel cumbersome and detract from the in-store experience. Retailers can ensure QR code security by using dynamic QR codes, which are harder to replicate, and by embedding their branding in the code itself for authenticity.”
In addition to facilitating easy access to information, QR codes offer businesses a tool for elevated customer engagement.
“QR codes have risen in popularity because they offer convenience, speed and a level of trust,” IdentityIQ Chief Innovation Officer Michael Scheumack told PYMNTS.
Despite the advantages, QR codes also present security risks. The very factors that make QR codes convenient — such as their ease of use and ability to quickly link to websites — also make them a target for fraudsters. One of the most common threats associated with QR codes is phishing, Pargman said.
“The biggest threat by volume that uses QR codes are email messages or attachments with QR codes leading to password phishing sites,” he said. “This approach is appealing to threat actors because it causes the phishing site to appear on a phone browser, which is typically not monitored by a company’s security team, instead of on the work computer web browser, which usually has security monitoring in place that could block access to the phishing page. Most people have come to trust their phones and are more likely to believe that the page asking them to enter their password is authentic when it appears on their phone. Most of the techniques to spot a fraudulent website that we are all taught in annual cybersecurity training don’t work as well on a phone screen because you can’t easily see the URL of the website, can’t hover the mouse over links, and don’t have the benefit of security tools that might warn you of a suspicious website.”
QR code scams are not limited to the digital realm, Scheumack said.
“There are two types of QR code scams that are on the rise,” he said. “One focuses on parking meter QR codes, and the other is fake QR codes on public flyers. For parking meter QR codes, scammers place fake QR code stickers over legitimate codes on parking meters or payment stations. When you scan the fake code, it redirects you to a fraudulent payment website designed to steal your payment information. For fake QR codes on public flyers, these QR codes are posted in public places and offer things like free Wi-Fi, coupons or other tempting deals. However, scanning them can lead to phishing websites that aim to steal your information or a malware infection.”
Given the prevalence of QR code scams, consumers must be cautious when scanning codes in public spaces. Pargman and Scheumack offered practical advice on how to avoid falling victim to malicious QR codes.
“Be very wary of any email or chat message you receive that asks you to scan a QR code and then leads to a password entry or login form of any kind,” Pargman said. “It is so uncommon for a legitimate QR code to lead to anything that asks for your password that it should immediately raise a red flag for you if you see this pattern. Be on the safe side and don’t ever enter your password in whatever pops up after scanning a QR code.”
One useful tool for checking QR code URLs is Google Lens, Pargman said, adding, “instead of just tapping the link that appears in the preview mode of my phone’s camera (which immediately takes me to the website), I take a picture of the QR code and tap the Google Lens button (available on Android phones). That displays the entire URL that was in the QR code and allows me to copy and paste it or visit the website.”
When a QR code takes you to a website for payment, Scheumack said, “look for red flags such as an unsecured URL, low-resolution images, and typos or grammatical errors that a professional website wouldn’t have. If something seems off, don’t proceed to put in your payment information.”
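The email-borne "quishing" pattern Pargman describes, and the advice from Pargman and Scheumack to read the decoded URL before visiting it, can be turned into a checklist that runs on the decoded text a camera app or Google Lens shows. The following is an added example, not code from PYMNTS or from any of the experts quoted: a Python function that inspects a decoded QR payload for the red flags discussed above (plain http, a brand name placed before an "@", a bare IP or punycode host, a URL shortener hiding the destination, a login-style path, a lookalike of the domain the code claims to belong to, and a "free Wi-Fi" join directive). The shortener list, the character-substitution table and the sample payloads are constructed and illustrative; domains under .example are placeholders.

```python
"""Triage a decoded QR payload before visiting it (added example, not PYMNTS code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative lists: a real tool would maintain these properly.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}
RISKY_SCHEMES = {"javascript", "data", "intent", "file", "vbscript"}
CRED_WORDS = ("login", "signin", "sign-in", "password", "passwd", "verify", "account", "auth", "sso")
# Digit-for-letter swaps seen in lookalike domains (illustrative, not exhaustive).
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def skeleton(label):
    """Collapse common lookalike tricks so 'paypa1' and 'rnicrosoft' compare equal to the real name."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_SUBS)


def registrable(host):
    """Crude registered domain: last two labels (a real tool would use the public suffix list)."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _verdict(high, medium, info, text):
    level = "block" if high else "caution" if medium else "ok"
    return {"payload": text, "verdict": level, "high": high, "medium": medium, "info": info}


def inspect_qr_payload(payload, expected_domains=()):
    """Return a verdict dict; expected_domains are the registered domains the code should point at."""
    high, medium, info = [], [], []
    text = payload.strip()
    u = urlsplit(text)
    scheme = u.scheme.lower()
    if scheme == "wifi":  # "WIFI:T:WPA;S:...;P:...;;" joins a network instead of opening a page
        high.append("payload is a Wi-Fi join directive, the classic 'free Wi-Fi' flyer lure")
        return _verdict(high, medium, info, text)
    if scheme in RISKY_SCHEMES:
        high.append("scheme '%s:' can run code or carry an embedded page" % scheme)
        return _verdict(high, medium, info, text)
    if scheme not in ("http", "https"):
        info.append("not a web URL (scheme '%s'); nothing to visit" % (scheme or "none"))
        return _verdict(high, medium, info, text)

    host = (u.hostname or "").lower()
    reg = registrable(host)
    if scheme == "http":
        medium.append("plain http: any payment or login data would travel unencrypted")
    if u.username is not None:  # https://bank.example@evil.example/ shows 'bank.example' first on a phone
        high.append("'%s@' before the real host %r: brand-in-userinfo trick" % (u.username, host))
    if is_ip_literal(host):
        high.append("host is a bare IP address %r" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        high.append("punycode label in host: possible IDN homograph")
    if reg in SHORTENERS:
        medium.append("%s is a URL shortener; the final destination is hidden" % reg)
    if any(w in (u.path + "?" + u.query).lower() for w in CRED_WORDS):
        medium.append("URL looks like a login or verification page; legitimate QR codes rarely ask for a password")

    if expected_domains:
        expected = {e.lower() for e in expected_domains}
        brand_labels = {registrable(e).split(".")[0] for e in expected}
        if reg in expected:
            info.append("registered domain %s matches expectation" % reg)
        elif skeleton(reg.split(".")[0]) in {skeleton(b) for b in brand_labels}:
            high.append("%s is a lookalike of an expected domain" % reg)
        elif any(b in host.split(".") for b in brand_labels):  # brand.example.evil.top
            high.append("brand name appears as a subdomain of %s, not as the registered domain" % reg)
        else:
            medium.append("registered domain %s is not among the expected domains" % reg)
    return _verdict(high, medium, info, text)


# Constructed sample payloads: (decoded QR text, domains the code claims to belong to).
SAMPLES = [
    ("https://www.cityparking.example/pay?meter=4412", ("cityparking.example",)),
    ("https://cityparking.example.pay-meter-now.top/login", ("cityparking.example",)),
    ("https://paypa1.example/signin", ("paypal.example",)),
    ("http://192.0.2.10/verify", ()),
    ("https://bit.ly/3xyz", ()),
    ("WIFI:T:WPA;S:Free Cafe WiFi;P:welcome1;;", ()),
    ("https://microsoft.example@login-reset.example/owa", ("microsoft.example",)),
]


def triage(samples=SAMPLES):
    """Run every sample through the inspector and return the list of verdict dicts."""
    return [inspect_qr_payload(text, expected) for text, expected in samples]


if __name__ == "__main__":
    for result in triage():
        print(result["verdict"].upper(), result["payload"])
        for finding in result["high"] + result["medium"] + result["info"]:
            print("   -", finding)
```

Only the first sample comes back "ok"; the shortener is "caution" because the destination cannot be judged until it is expanded, and everything else is "block". The checks work on the URL text alone, which is the whole point: they can be applied from the camera preview before the page ever loads, and they do not depend on the visual cues (typos, low-resolution images) that an attacker can easily get right.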
Retailers must take steps to ensure the security of the QR codes they use in-store and online.
“QR codes can be made by anyone and are impossible to authenticate,” Chester Wisniewski, director and global field chief technology officer at Sophos, told PYMNTS. “This requires a large degree of trust by consumers that the code they see on the parking meter or cafe table is in fact genuine. We have heard of incidents where payments are involved, where crooks have printed out QR codes to direct people to a phishing site to capture their credit card and personal information and placed them over the top of real QR codes from an establishment.”
Retail locations using QR codes should regularly inspect them when they are in public places to spot any malfeasance, Wisniewski added, “but this is more challenging when you are talking about distributed systems like parking meters. Consumers should be well advised to avoid scanning any QR codes they do not trust or simply choose another payment method with less risk. I usually avoid using ATMs that have dicey-looking keypads or appear to not be in factory original condition. The same could be said for QR stickers. QR codes should never really be used online, as most are just a visual form of a URL. If you want someone to visit a link, use a link.”
Scheumack said businesses should only work with trustworthy vendors when creating and distributing QR codes.
“Only allow QR codes from reputable vendors that they have worked with in the past,” he said. “Every QR code should be visited and evaluated by the business prior to exporting them to their customers.”
Looking ahead, QR codes are likely to remain an integral part of the retail landscape, but security challenges will persist.
“I don’t see the security of QR codes improving,” Wisniewski said. “Hopefully, the implementation to ensure authenticity is refined. QR codes are intentionally designed for machines, not for humans to read them. This presents an authentication challenge that won’t be solved in a simple manner. Ideally, QR codes are embedded into the poster or product packaging in a way that is clearly not just a sticker that got slapped onto something. As usual though, the onus is on the consumer. If something seems off, move on and use another means to access the information you are looking for.”