Consumers with mobile phones accepted QR codes during the pandemic as a way to access menus and other information, which made the codes a more attractive tool for marketers. But with that attraction come security risks.
QR codes made news this week after Coinbase Global, the largest U.S. cryptocurrency exchange, made its Super Bowl debut with a QR code ad so popular that it forced the company to throttle traffic to its site.
Tony Anscombe, global security evangelist & industry partnership ambassador at ESET, said people need to be careful when scanning QR codes. He said the code on the television screen cannot be manipulated, but the website can be manipulated, especially if it goes down.
The biggest challenge: people cannot see the URL until it’s too late.
About 83.4 million U.S. adult smartphone users will scan a QR code this year, rising to 42.6% by 2025, according to eMarketer. The research firm estimates that after the spike in 2020, the number of smartphone QR code scanners in the U.S. will increase at a compound annual growth rate (CAGR) of 8.7% through 2025.
One of those too-late circumstances occurred in December, when police warned drivers using public parking spots after fraudulent QR codes were discovered on meters in San Antonio, Texas.
“People attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor,” the police department tweeted.
Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance (NCA), believes cybercriminals can exploit QR codes, but, as with clicking on a blue link in a search-engine query, people need to consider the source.
A cybercriminal cannot redirect the path from a QR code that appears in a TV ad if the URL in the code uses Hypertext Transfer Protocol Secure (HTTPS), which secures communications over a computer network, according to David Strauss, co-founder and CTO of Pantheon, which works to secure technology and websites against cybersecurity threats.
There is some risk when using a redirection/analytics service, also known as a URL shortener, without HTTPS, but that risk is the same as using the shortened URL in any capacity, QR code or not.
Brian Klais, founder and CEO of app-linking company URLgenius, wrote in an email to Inside Performance that the recent Super Bowl Coinbase ad is confirmation that QR codes can play a big role in engaging mobile consumers from the television.
“In the original ad, scanning the QR shows "coinbase.com" in the camera and requires clicking to proceed to official site, but since consumers don't think twice about scanning QR codes from URL shorteners, there is room for vulnerability from online replica videos, and more,” Klais wrote. “If Coinbase presented context in the ad that it was powered by them, it may have helped reduce that threat, although that may have reduced their response rates as well.”
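The points raised above by Strauss and Klais (HTTPS, URL shorteners, and the hostname shown in the camera preview) can be checked on a decoded QR URL before it is opened. The following Python code is an added example, not from the article or anyone quoted in it; the function name `triage_qr_url`, the finding labels and the short shortener list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample list for illustration; not exhaustive.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_url(url, expected_domain):
    """Return findings for a URL decoded from a QR code.

    expected_domain is the site the scanner believes the code belongs to
    (for the ad discussed above, "coinbase.com").
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    # Without HTTPS the request can be redirected in transit.
    if parts.scheme.lower() != "https":
        findings.append("not-https")

    # "https://brand.com@other.host/" previews like the brand, but the
    # part before "@" is only a username; the real host follows it.
    if parts.username is not None:
        findings.append("userinfo-in-url")

    # Punycode or non-ASCII labels can render as lookalike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")

    if host in SHORTENER_HOSTS:
        # The final destination is hidden until the redirect is followed.
        findings.append("shortener")
    elif host != expected and not host.endswith("." + expected):
        # Catches "coinbase.com.example.net": the brand appears in the
        # name, but the registered domain is someone else's.
        findings.append("host-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("https://coinbase.com/promo",
                   "http://bit.ly/abc123",
                   "https://coinbase.com.example.net/login",
                   "https://coinbase.com@example.net/"):
        print(sample, "->", triage_qr_url(sample, "coinbase.com") or "ok")
```

An empty result means none of these checks fired, not that the destination is trustworthy.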