QR codes: Use at your own risk!

Safely use QR codes with these guidelines.

Imagine: You’re out running errands and decide to stop in at your favourite café for a bite to eat. Instead of choosing from a printed menu, you now must scan a QR code on the table to view your options. This is great, you think. Now I don’t have to touch a menu that countless other customers have handled: Convenient, environmentally friendly, and hygienic! 

In many establishments, QR codes have replaced printed documents, such as restaurant menus.

True, but...

The risks may outweigh the benefits if we don't take precautions.

What are QR codes?

A QR code is a two-dimensional barcode that can be scanned with a mobile device’s camera and is typically used to automatically redirect users to websites without requiring them to manually enter an address.

QR codes are popular for their convenience: You can view webpages (like your restaurant menu in the above scenario), purchase products online, and follow social media accounts simply by scanning one with your camera.

Risks of QR codes

While QR codes aren’t inherently dangerous, they can be used to send unsuspecting users to malicious sites. They are simple to create – but if legitimate businesses can effortlessly produce them, so can criminals!

QR codes are everywhere, as anyone can make one in less than a minute. They're convenient, especially when you're all thumbs. This also makes them very convenient for use by criminals and scammers. Anyone can create a QR code, print it on a sticker, and paste it over a legitimate one. For example, they've been pasted on parking meters: Drivers have scanned them and paid for their parking – giving the cybercriminals both their parking payments AND credit card information. Just like phishing attacks, the goal is to trick you into giving them sensitive information without your realizing it.

By scanning one of the criminals’ QR codes, you’ll be taken to a fraudulent site, and depending on how it’s set up, your device could be compromised just by visiting the site. It could become infected with malware (a.k.a. a virus) that can monitor your online activities, lock access to all your files, and of course, steal your personal information. 

Criminals can produce QR codes as easily as legitimate businesses!

So how can you protect yourself while enjoying the convenience of QR codes? 

Tips for safely using QR codes

  • Make sure the QR code points to the website you’re expecting to go to. For example, if you're scanning a QR code expecting to go to the McGill IT site, but instead the displayed link is rickrollsphishingemporium.com, it's definitely suspicious!
  • Use a QR scanner that previews the domain before you decide to go there (see example in photograph).
  • Don't use a third-party QR code scanning app, even if it can be found on the Google or Apple app stores. Instead, use an app that came preloaded on your device, like the built-in QR scanners that are part of almost every smartphone camera. These scanners display the site link before opening it, allowing you to first check it, and close it before it opens if it doesn't match what you're expecting.
  • If you create QR codes for others to use, include the URL (website address) underneath the image, to let users know where it should go.
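
The domain check described in the tips above, as an added Python example (not part of the original article): it extracts the host a scanned link would actually open and compares it with the site you expect. `example.org` is a placeholder for the expected site, the sample payloads are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit


def preview_host(payload):
    """Return the host a scanned payload would open, or None if it is not a web link."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # lowercased; drops any "user@" prefix and ":port"
    except ValueError:  # malformed address, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")


def matches_expected(payload, expected_domain):
    """True only if the host is the expected domain or one of its subdomains."""
    host = preview_host(payload)
    expected = expected_domain.lower().rstrip(".")
    if host is None:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed sample payloads; example.org is a placeholder for the site you expect.
SAMPLES = [
    "https://www.example.org/menu",
    "HTTPS://EXAMPLE.ORG:443/menu",
    "https://rickrollsphishingemporium.com/menu",
    "https://example.org.rickrollsphishingemporium.com/menu",
    "https://example.org@rickrollsphishingemporium.com/menu",
    "https://rickrollsphishingemporium.com/?site=example.org",
    "tel:+15555550100",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        verdict = "expected" if matches_expected(payload, "example.org") else "DO NOT OPEN"
        print(f"{verdict:12} host={preview_host(payload)!s:45} {payload}")
```

Only the first two samples pass; the rest either name a different host outright or only mention the expected name elsewhere in the link.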

When in doubt, type it out. 

In general, instead of scanning QR codes, it’s safer to navigate to the intended website or profile using your own search engine. This way, you ensure that you are indeed navigating to the intended webpage and not being misdirected elsewhere.

Typing out a website address is always the safest option.

A few more seconds of typing to find the restaurant’s menu online is a small price to pay for your security and peace of mind - Bon appétit! 
