How to scan a QR-Code safely in 2024?
Have you noticed the omnipresence of QR-Codes, those special square barcodes, in your daily life? Restaurant menus, billboards, health passes, museums, product packaging... In recent years, the use of QR codes has become widespread. However, like any new technology, it can also be exploited for malicious purposes, through phishing scams, commonly known as "QR code scams".
The reason we're talking about QR-Codes and security today is that Anghello offers QR-Codes for visitor registration. So we thought it a good idea to lift the veil on these malicious attempts and the best practices for avoiding them.
QR Codes in a Nutshell
Originally created in the 90s by a Japanese company, QR-Codes are enhanced barcodes. The classic barcode, invented in the 70s, consists of a linear series of bars and spaces of varying thickness. It is fairly limited, and is used to transcribe a product's unique identifier (EAN code made up of numbers).
QR-Codes use a 2-dimensional representation, which gives them more possibilities:
- They can contain more information, such as free text, an email, or a long URL.
- They're also much faster and easier to scan, whatever the angle or camera used. Hence the name "QR Code", which stands for "Quick Response Code ".
And flashcodes? Even if the 2 visually resemble each other, flashcode is a registered trademark of the Association Française du Multimédia Mobile (AF2M), while QRCode is a 2-dimensional barcode standard (as is Datamatrix, another lesser-known standard).
The QR Code Scam Unveiled: What is Quishing?
It's a scam technique used by hackers to trick their victims into scanning malicious QR codes. These QR codes then redirect you to fake websites (phishing sites) or malware to steal your information.
The name "Quishing " is actually a contraction of the 2 terms "QR code " and "phishing ", as fishing (or phishing) uses a similar strategy but is based on false e-mails.
In concrete terms, here's how a quishing attack works:.
-
The attacker generates a QR code that redirects to a phishing site or to malware for download. The code is often disguised to suit the context, encouraging the victim to scan it.
-
The attacker communicates this QR code strategically, depending on the targeted victims:
-
displayed on physical media in public places (subways, traffic lights, etc.),
-
sent over the Internet to targeted victims via email, instant messaging or social media.
-
by discreetly pasting it over an existing "real" QR-code (advertising poster, restaurant menu, reception desk) in order to fool their victim into believing that the QR Code is secure.
-
-
The victim scans the QR code with their smartphone and is redirected to the malicious website, which often poses as a well-known organization (banks, public services, delivery services, etc.) to trick you into providing sensitive information (login, password, credit card number, etc.).
How to Protect Yourself from QR-Code Phishing
Visually, there is no method of certifying that a QR code is secure or malicious : there are dozens of graphic variants of QR Codes (matrix using squares, circles, colors, integrated logo, ...).
But as with phishing attempts, there are some common sense rules and reflexes to adopt to avoid being phished:
- Beware of QR-Codes that appear to be added on top of an existing physical medium.
- Use your phone's native reader application: your smartphone's native readers may offer mechanisms for detecting and blocking malicious urls, whereas many free QR-Code reader applications are likely to be less reliable, and sometimes of dubious origin.
- Always check the QR-Code's destination url before opening it: it's usually displayed when you hover your camera over the QR-Code.
- Ask yourself if you are asked for sensitive information after scanning the QR-Code, such as passwords, bank details...
How Do I Scan a QR-Code from a Smartphone?
Each smartphone brand offers different tools and methods for scanning a QR Code, especially models running the Android operating system and their app overlay.
Methods Applicable to All Android Devices
Most recent Android smartphones have the Google Lens application pre-installed. This application can be accessed directly from the search bar or Google Assistant, in the form of a camera-like icon:
To scan a qr-code with Google Lens on Android:
- Open Google Lens,
- When using Google Lens for the first time, you must authorize it to use your camera.
- Hover over the qr-code (the angle doesn't matter).
- Once the QR-Code has been detected, a notification is displayed with a recommended action. As most QR codes contain a web address, it will suggest opening the web address in your default web browser.
- Press the notification or photo trigger to open the url contained in the QR-Code in your browser.
Brand-Specific Methods for Android Devices
Google Pixel smartphones:
- Open the camera application, and you'll find an icon on the lower left of the screen.
- This is the Google Lens icon, click on it to continue QR-Code scanning with Google Lens.
Samsung Android smartphones:
- Use the camera, the code reader is natively included in the camera software.
- Hover over the Qr-code and proceed as with Google Lens.
- Note that Samsung often integrates a shortcut for QR-Code reading in the Android shortcut panel.
Xiaomi Android smartphones :
- Using the camera, QR Code recognition is normally enabled by default on most of their models.
- Hover over the QR-Code,
- If the notification does not appear automatically, a QR-Code icon should appear in the bottom right-hand corner of the screen.
- Press this icon to see the URL contained in the QR-Code and open it if you wish.
Huawei / Honor Android smartphones :
- Also use the camera app or the brand-specific EMUI QR-Code reader app installed by default.
Asus Android smartphones:
- Use the camera app, QR Code recognition is enabled by default as for Xiaomi.
Realme Android smartphones:
- As with the Google Pixel, you'll find the Google Pixel icon in the bottom left-hand corner of the camera application.
- Click on this icon to continue QR-Code scanning with Google Lens.
Apple Iphone:
- Open the native iOS camera application
- Point the lens at the QR Code, the camera automatically detects the QR code and highlights it.
- Press the notification that appears when the QR-Code is detected.
Conclusion
If you have the slightest doubt about a QR Code, do not scan it and report it to the establishment concerned to prevent any attempted scams.
Prefer to use the readers provided by default or the Google Lens application rather than applications offered on marketplaces.
Anghello offers 2 additional options to secure the use of QR-Codes for its visitor registration application :
- Its own reader application that requires no installation on the visitor's smartphone, and only opens URLs generated by its services.
- Compatibility with dynamic QR-code boxes, displaying single-use QR codes that change at regular intervals. This is a good alternative to printed QR codes for geo-localized pointing needs.