
QR codes: are they safe and what are the risks?

Once a convenient tool for accessing websites or menus, QR codes have now become a widespread gateway to digital services. From restaurant tables to parcel delivery notifications, they're everywhere. But with convenience comes risk—and the UK’s National Cyber Security Centre (NCSC) has flagged some important concerns around QR code security.


In this post, we’ll explore the risks of scanning QR codes, how criminals are exploiting them, and what you can do to stay safe.

 

What Are QR Codes and Why Are They a Target?


Quick Response (QR) codes are two-dimensional barcodes that can store URLs, contact details, or payment information. When you scan one with your phone's camera, it often takes you directly to a website or app.

 

This directness is also what makes them attractive to cybercriminals. A malicious QR code can lead to a phishing site, download malware, or trick you into sharing sensitive information.

 

Risks of Scanning QR Codes


According to guidance from the NCSC, here are the key risks:

 

1. Phishing and Fraudulent Websites


QR codes can easily direct users to fake websites that mimic legitimate services (like banks or delivery companies). These sites may trick users into entering personal or financial details.

 

For example: A QR code on a parking meter might link to a spoofed payment site that steals your card information. Spoof QR codes were seen in some Leicester City Council car parks last year.

 

2. Malware Installation


Some QR codes can prompt the download of apps that contain malware - especially on devices where app permissions are too lax, or when the app comes from outside official app stores.

 

3. Credential Theft


When QR codes are used in phishing campaigns, they can be embedded in emails or posters. A scanned QR code might auto-fill login forms or redirect you to a fake login page.

 

4. Social Engineering


Attackers can place fraudulent QR codes over legitimate ones (called "QRishing"). For example, a cybercriminal may stick a malicious QR code over an official NHS or restaurant QR code.



How Safe Are QR Codes Really?


QR codes themselves aren’t inherently dangerous - they’re just a medium. The problem is that you can’t tell where a QR code will take you until after you scan it.

 

That’s why the NCSC advises treating QR codes with caution, especially in public places or if they appear in unexpected messages (like unsolicited emails or text messages).

 

Tips for Staying Safe


Here are some practical ways to protect yourself:

 

Preview the Link


Most smartphones now show the URL before opening it. Always check that the domain name looks legitimate and is spelled correctly.

 

Don’t Scan from Untrusted Sources


Avoid scanning QR codes from unknown posters, flyers, or suspicious emails. If you weren’t expecting it, treat it with suspicion.

 

Use a QR Scanner with Security Features


Some apps can verify whether a link is safe before opening it. Some antivirus apps also scan QR codes for threats.

 

Don’t Enter Sensitive Info After Scanning


Be cautious if a QR code takes you to a login or payment page. If in doubt, manually type in the known website URL instead.

 

Update Your Phone’s Software


Ensure your phone's operating system and apps are up to date to reduce vulnerabilities that malware could exploit.

 

What Should Businesses Do?


If your organisation uses QR codes:

 

  • Avoid linking to sensitive actions (like payments or login) unless absolutely necessary.

  • Use branded URLs so users can verify where they're going.

  • Educate staff and customers on the risks of fake QR codes.

  • Monitor for tampering in physical locations - check if anyone has stuck a new QR code over your signage.
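
The "preview the link" check and the branded-URL advice above can be automated for signage inspections: decode each QR code on site, then compare the result against the domains your organisation actually prints. The sketch below is an added example, not code from EMCRC or the NCSC; the allowlist, the domain names and the function names are hypothetical, and the sample payloads are constructed.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hypothetical allowlist: the branded domains an organisation prints on its signage.
ALLOWED = {"pay.example-council.gov.uk", "example-council.gov.uk"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_qr_payload(payload, allowed=ALLOWED):
    """Return the reasons a decoded QR payload should not be trusted (empty = OK)."""
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    if parts.username or parts.password:
        # Text before "@" is a login name, not the site: https://brand@other.host/
        findings.append("userinfo-in-url")
    if is_ip(host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # Trust only an exact match or a true subdomain of a branded domain.
    if not any(host == d or host.endswith("." + d) for d in allowed):
        findings.append("host-not-allowlisted")
        # A near-miss spelling of a branded domain suggests a deliberate lookalike.
        best = max(allowed, key=lambda d: SequenceMatcher(None, host, d).ratio())
        if SequenceMatcher(None, host, best).ratio() >= 0.85:
            findings.append("lookalike-of:" + best)
    return findings

if __name__ == "__main__":
    samples = [  # constructed payloads, as a sticker placed over real signage might carry
        "https://pay.example-council.gov.uk/park?bay=12",
        "https://pay.examp1e-council.gov.uk/park",
        "https://pay.example-council.gov.uk@other.example/login",
        "http://203.0.113.7/pay",
    ]
    for s in samples:
        print(s, "->", check_qr_payload(s) or "ok")
```

Any non-empty result on a code that is supposed to be yours is a reason to pull the sign and inspect it for an overlaid sticker.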

 

Conclusion


QR codes are here to stay, but they’re not risk-free. As the NCSC highlights, cybercriminals are exploiting them more often because they’re easy to manipulate and users tend to trust them.

 

By staying alert, being cautious of unknown QR codes, and encouraging good cyber hygiene, you can continue using this convenient technology - safely.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


 
 
 



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
