QR Codes, the latest blessing and curse for web users

Security Awareness
27 November 2023
QR code scam concept - scanning a fraudulent QR code can lead to phishing websites or malware apps.

We can no longer do without them, but be careful when using them!

We have all had the experience of sitting down at a restaurant table and finding, instead of a printed menu, only a miserable little sheet, perhaps laminated, with a strange, square-shaped code: the new access point to the list of our favourite dishes, to be viewed on our mobile phone.

We could say that today the world is split in two: those who respond to the lack of paper on the restaurant table with a certain sense of emptiness, dismay and nostalgia for times gone by, and those who instead look forward to pointing their camera at this strange black and white pattern to gain access to all the information they want at that moment.

Let’s talk about the Quick Response Code, or QR Code for those who know it well, a tool that has become almost indispensable for many everyday operations.

The code makes the information contained in a site or an application easily accessible without the need to type a web address, but it is also used to access certain services or to verify digital identity. For instance, we all remember the Green Pass, which made it possible to access our health information through the QR code and, as a result, allowed us to carry out our activities during the pandemic.

Undoubtedly, this technology brings a variety of advantages and time savings.
Just think of transport: paper tickets for trains and aeroplanes are a distant memory and those who still take them out of their bags, instead of showing the train conductor or airport security a code on their phone, may seem like nostalgic aliens who are unwilling to embrace modernity.

But, as with any technological tool, the QR Code also has its shady sides, which should not be underestimated.


QR Code scams, also known as qishing, are spreading fast.
It works more or less like this: by unknowingly scanning a QR code prepared ad hoc by cyber criminals, you are directed to dangerous web pages. In other cases, malware is installed directly on the device and compromises its correct functioning or steals the data stored on it. And all this without the victim even realising what has happened, until it’s too late.

According to Check Point’s Harmony Email Team, the increase in these types of attacks may well be over 500%, a gargantuan number that reveals a very serious problem.

How can you defend yourself?

For this type of scam too, some precautions should always be kept in mind.

  • In general, it is a good idea to avoid scanning QR Codes from unknown sources. It is also important to pay attention to the passwords you use, changing them regularly and using different ones for your various accounts.
  • A reliable and secure application is best for scanning QR codes. The device will prompt you to confirm the operation before scanning the code. On both Apple and Android devices, the camera can recognise QR codes.
    After scanning and before opening, most scanners show which operation is performed or which page you will be directed to. Always check this information.
  • Never enter login details on a website you have opened via a QR code.
  • Before scanning a QR code, look at it and touch it to make sure it is not a sticker pasted over the original.
  • It is also recommended to use optical character recognition (OCR), which converts images into text.
  • Finally, it is important to know that large companies will never ask us to scan such codes to obtain our personal information. So, keep an eye on the sender.

The strongest defence is knowledge

As always, though, knowledge of the problem is the first step to fending off this new scam.

Cybercriminals are constantly looking for new ways to access our information and our devices but, above all, they are looking for moments of weakness generated mainly by human errors. They feed on distractions, haste, nervousness and poor knowledge of the digital world.

The only way to starve them and prevent them from doing damage, which can be very serious, is to adopt the correct digital posture, which can be built only through a thorough course of knowledge and training, offering content that is always up-to-date on the latest risks and safety, and which includes ongoing exercises adapted to your level of preparation.

