About QR Codes
QR codes themselves don’t pose significant risk, but the target they refer to may. Just like any link to a URI, URL, or file, QR codes are not always safe to scan. QR codes do help mask where they are redirecting users, and we want users to be aware of the many ways bad actors exploit this:
Social engineering
Clicking on a malicious link is like scanning a malicious QR code leading to the same link. Bad actors use social engineering tactics like pairing QR codes with convincing messages to trick people into scanning them. They can also exploit curiosity by placing a dangerous code in busy public areas without any text.
Phishing/quishing
QR codes in emails can be used for phishing/quishing attacks because they are more likely to get past standard email protections. Cybercriminals sometimes replace original or “legitimate” QR codes with fake ones. When users scan the fake code, they are redirected to a phishing site (fake website) or prompted to download malware.
Clickjacking
Another tactic is to direct users to a legitimate-looking website that contains actionable content in invisible frames, such as buttons that encourage visitors to click through. These typically result in a malware download or in the harvesting of device and account details such as financial information, contacts, and location.
Best practices
- Check the code for suspicious elements: Does the text or message around the code appear appropriate? Does the logo appear legitimate in the middle of the code? Does the code design match the brand's colors and specifications? And so on… These are small things to keep in mind.
- Don’t use third-party applications to scan the QR code: All smartphones today come with a native QR code scanning capability within the camera app itself, which can also be turned off. Some bad actors will try to convince users to use a malicious scanner.
- Avoid using QR codes in digital spaces (email, websites, etc.).
- Verify the URL or URI: If you receive an unexpected email encouraging you to scan a QR code with a personal or Duke-issued device, consider it a phish until further verification can be obtained. Whenever you scan a QR code with the camera app on your smartphone, you’ll get a notification pop-up on the screen immediately after the camera's QR code sensor captures the code. The confirmation prompt shows the URL you’ll visit. Check the URL for malicious signs and only click through if everything looks legitimate and the site's SSL/TLS certificate is valid.
- Disable QR code scanning on your phone:
  - Android: Go into your camera app’s settings (look for a gear icon) and turn off Google Lens, which will be under AI settings.
  - Samsung: Go into your camera app’s settings (look for a gear icon) and deselect Scan QR codes.
  - Apple: Go to your general settings (look for a gear icon) and then look for Camera. Select Camera and deselect Scan QR Codes.
In addition, some attackers will shorten URLs to bypass this verification process. In these situations, the best advice is to not click on the URL.
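The URL check described above can be made systematic. The following Python script is an added example for this page (it is not a Duke OIT tool): given the decoded payload a scanner's confirmation prompt would display, it returns a list of warnings for the signs the best practices call out: a plain-http link, a link shortener hiding the real destination, a non-web payload that triggers an action instead of opening a page, a raw IP address or credentials in the URL, and a host that merely contains an expected name. The expected-domain set (duke.edu, duke.is), the shortener list, and the sample payloads are all assumptions constructed for illustration.

```python
"""Triage the URL a QR scanner displays before tapping through.

Added example for this page, not Duke OIT tooling. EXPECTED_DOMAINS,
SHORTENER_DOMAINS and SAMPLE_PAYLOADS are assumptions chosen for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Domains the reader expects a campus QR code to point at (assumed).
EXPECTED_DOMAINS = {"duke.edu", "duke.is"}

# Well-known link shorteners: the shortened form hides the real target, so
# the page's advice is to not click through at all.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "rb.gy"}


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for this illustration; a
    production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_qr_target(payload: str) -> list[str]:
    """Return human-readable warnings for a decoded QR payload.
    An empty list means none of the checks tripped; it is not a guarantee
    that the link is safe."""
    warnings: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, wifi:, mailto: etc. trigger an action rather than a page view
        warnings.append(f"non-web scheme '{scheme or 'none'}': scanner will trigger an action, not open a page")
        return warnings
    if scheme == "http":
        warnings.append("plain http: no TLS, so the certificate check cannot apply")

    host = parts.hostname or ""
    if not host:
        warnings.append("no host in URL")
        return warnings
    if parts.username is not None:
        warnings.append("credentials/'@' in URL: the text before '@' is not the real site")
    if _is_ip_literal(host):
        warnings.append("raw IP address instead of a domain name")
        return warnings  # domain-name checks below do not apply to an IP
    if "xn--" in host:
        warnings.append("punycode (xn--) label: host may be a look-alike of another domain")

    reg = _registrable(host)
    if reg in SHORTENER_DOMAINS:
        warnings.append(f"link shortener {reg}: real destination is hidden, do not click")
    elif reg not in EXPECTED_DOMAINS:
        warnings.append(f"unexpected domain {reg}: not in the expected set {sorted(EXPECTED_DOMAINS)}")
    # A look-alike that only *contains* the expected name, e.g. duke.edu.example.net
    for expected in EXPECTED_DOMAINS:
        if expected in host and reg != expected:
            warnings.append(f"host contains '{expected}' but its registrable domain is {reg}")
    return warnings


# Constructed sample payloads, as a scanner's confirmation prompt would show them.
SAMPLE_PAYLOADS = [
    "https://duke.is/example-event",
    "http://duke.edu.login-verify.example/secure",
    "https://bit.ly/3abcDEF",
    "https://duke.edu@203.0.113.5/portal",
    "WIFI:T:WPA;S:FreeCampusWifi;P:hunter2;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        ws = assess_qr_target(p)
        print(p, "->", "no flags" if not ws else "; ".join(ws))
```

The registrable-domain check is deliberately the decision point: a host such as duke.edu.login-verify.example passes a naive "does it contain duke.edu" test, which is exactly why the script compares the last two labels rather than searching for a substring.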
Creating QR codes
- Visit duke.is to create a custom QR code.
- Custom brand the QR code: Incorporate every aspect of our unique branding kit (colors, gradient patterns, logo, and custom borders) into the QR code design and use consistent QR code templates. For more information on Duke branding, visit https://brand.duke.edu/
- TLS configuration on target webpage: Make sure the website the QR code links to is served over HTTPS with a valid, trusted TLS/SSL certificate.
- Use SSO/MFA for sites referenced: When appropriate, ensure that the sites you are directing users to use SSO/MFA for access, which helps combat some social engineering attacks against users.
- Alternatives:
  - Use a Chromium-based browser (Brave, Chrome, or Edge) to create a QR code if you are unable to access duke.is. For more information visit: https://support.google.com/chrome/answer/9979877?hl=en&co=GENIE.Platform%3DDesktop
To read additional information about QR codes, check out these links below: