QR codes, those touch-free codes that look like square puzzles or mazes, seem to be everywhere these days. They have been gaining in popularity over the past few years, and their proliferation has exploded with the onset of COVID-19 precautions. These wonder-codes make it easy for our mobile devices to quickly scan a menu, pay a bill, and find information about a product or service.

QR codes blend the physical world with the virtual. They are a bridge that can open a virtual world filled with info and opportunities that delight the consumer. Their touchless capability has made them an invaluable aid in restaurants, retail stores, doctors’ offices, airports and more.

QR codes are a great tool for marketers. They can improve customer engagements, simplify the online purchase experience, and enhance product promotions. Dynamic QR codes enable businesses to create marketing campaigns that are time-based. For instance, you may scan the code on a product or flier that activates a special offer that lasts only one day. QR codes enable consumers to customize products to their own liking. They simply scan the product QR code, and select their choices for color, size, pattern, etc.

For users, it’s no muss, no fuss

These handy symbols allow you to quickly open a web browser, install the code, launch an application, and make a payment. Mini apps, like Apple’s App Clips and Google’s Instant Apps, make it even more seamless by running on the device without being installed at all. You simply scan a QR code with your mobile device, and the mini app starts instantly. A few bits of digital information are exchanged, and voilà, you can instantly sign in and pay with Apple or Google Pay. Easy, right? Yes, if you’re a user. Not so much for security and IT operations teams. While QR codes are great for simplifying consumer interactions, the downside is that cybercriminals use them for nefarious purposes.

Recently, Ivanti conducted a survey of over 4,100 consumers across the U.S., U.K., France, Germany, China and Japan. Our notion about growing QR code usage was confirmed, as 83% of respondents indicated they have scanned a QR code. Even more interesting, 51% have concerns when using QR codes, yet scan them anyway. One-third of respondents were unaware of the risks associated with QR codes and didn’t recognize the need to protect their mobile devices.

Due to precautions imposed by COVID-19, businesses have increased their use of QR codes to ease consumer concerns through contactless transactions for mobile payments, online ordering, customer support and more. However, many are discovering the security risks to their corporate digital assets. In fact, according to the Ivanti study, 31% of respondents have had a QR code misdirect their mobile device to a suspicious site or cause other troubling actions.

Security and IT operations teams need to mediate QR codes

Your employees use mobile devices to scan QR codes in their daily interactions for business and personal activities, putting themselves and your business at risk. QR codes should only be scanned if they are from a trusted source. Hackers can easily replace legitimate QR codes with malicious ones. Because QR codes aren’t human readable, cybercriminals can exploit them by generating their own QR codes with embedded malicious software. They can also direct users to phishing sites without being detected. Simply put, hackers can use QR codes to illicitly obtain information, hijack accounts and steal identities and data.

Businesses can’t rely upon their users to protect themselves against cyberthreats from QR codes or other nefarious online activities. On-device mobile threat protection, or MTD, protects against phishing and other malicious exploits that use QR codes to bypass typical antivirus software. It is always on and continually updated, even without network connectivity.

As you can see, while QR codes can be a great means for improving the consumer online experience, they can also invite unwanted trouble. If you are a security professional whose users regularly use mobile devices, this fast-growing threat vector gives new meaning to shadow IT.