About QR Codes

QR codes themselves don’t pose significant risk, but the target they refer to does: like any link to a URI, URL, or file, it is not always safe.

QR codes do help mask where they are redirecting users, and we want users to be aware of the many ways bad actors exploit this:

  • Social engineering or phishing: Clicking on a malicious link is not much different from scanning a malicious QR code leading to the same link. Bad actors use social engineering tactics like pairing QR codes with well-contrived messages to trick people into scanning. They can also exploit curiosity and place a dangerous code in high-traffic public areas without any text.
  • QR code phishing attacks within email: QR codes can also be deployed in email as part of a larger social engineering attack, as they’re more likely to get past standard email protection.
  • Replacing genuine QR codes in public places with malicious codes: A simple QR code trick cybercriminals use is to replace original codes placed by a company at a specific touchpoint with counterfeit ones. When users scan such a code, they’re directed to a phishing site or targeted with a malware attack.
  • Clickjacking using QR codes: Another tactic is to direct users to a legitimate-looking website that contains actionable content in invisible frames, such as buttons that encourage visitors to click through. In most cases, these result in downloading malware or harvesting device and account details.

Some general best practices to keep in mind:

For the user
  • Check the code for suspicious elements: Does the text or message around the code appear appropriate? Does the logo appear legitimate in the middle of the code? Does the code design match the brand's colors and specifications? And so on… These are small things to keep in mind.
  • Avoid using third-party applications to scan the QR code: All smartphones today come with a native QR code scanning capability within the camera app itself. Some bad actors will try to convince users to use a malicious scanner.
  • Verify the URL or URI: Whenever you scan a QR code with the camera app on your smartphone, you’ll get a notification pop-up on the screen immediately after the camera's QR code sensor captures the code. The confirmation prompt shows the URL you’ll visit. You should check the URL for malicious signs and only click through if all seems legitimate and the SSL certificate is valid.
For the Duke creator
  • Custom brand the QR code: Incorporate every aspect of our unique branding kit into the QR code design and use consistent QR code templates. This includes colors, gradient patterns, logo, and custom borders, all in line with the Duke brand. I recommend asking marketing if they have recommended templates.
  • TLS config on target webpage: Make sure the website the QR code links to is served over TLS/SSL with a valid, trusted certificate, so that the connection is encrypted.
  • Invest in a compliant QR code generator or provider: The QR code generator should be reputable and vetted as a vendor.
  • Use an SSO/MFA for sites referenced: When appropriate, ensure that the sites you are directing users to incorporate SSO/MFA for access, which will help combat some social engineering attacks against users.
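
The "Verify the URL or URI" and TLS items above can also be applied in code to the text decoded from a QR code, for instance before a creator publishes it. This Python function is an added example, not part of the original guidance or any Duke tool; it goes beyond the text by naming specific warning signs, and the `EXPECTED_DOMAINS` allowlist, the function name and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: domains the creator treats as legitimate QR targets.
EXPECTED_DOMAINS = ("duke.edu",)

def review_qr_payload(payload, expected_domains=EXPECTED_DOMAINS):
    """Return a list of warnings for the text decoded from a QR code."""
    warnings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    # The target should be reached over TLS, so only https is accepted.
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if not host:
        warnings.append("no host name present")
        return warnings
    # Text before '@' is login info, not the site; it can hide the real host.
    if parts.username or parts.password:
        warnings.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    # Punycode or non-ASCII labels can render as look-alike brand names.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized label (possible look-alike domain)")
    # Match the registered domain as a suffix, so that
    # 'duke.edu.example.net' is not mistaken for a duke.edu host.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append(f"host '{host}' is outside expected domains")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    samples = [
        "https://events.duke.edu/register",
        "http://events.duke.edu/register",
        "https://duke.edu@login.example.net/sso",
        "https://duke.edu.example.net/",
        "https://192.0.2.10/login",
    ]
    for s in samples:
        print(s, "->", review_qr_payload(s) or "no warnings")
```

An empty result only means none of these signs were found; it does not check the certificate the site actually presents.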