Quit Reading QR Codes without Thinking

Ben Craton | Apr 4, 2024

A while back I was in Seattle visiting my brother. My wife and I did the normal touristy things around downtown: go up the Needle, look at the museums, gawk at The Mountain, etc. While riding the monorail for the second time, back through the dense urban forest, I noticed a poster for some charity or other whose call to action was a giant QR code.

Many of us would pass it by without notice. Those few who found the plea for contributions and the cause worthy enough to scan the code no doubt didn’t think twice about it. After all, their phone was out anyway doing TikToks or planking or whatever kids and bored adults do these days. But consider this. Anyone can put up a poster in a subway or bus. Anyone can make a QR code linking to any website. And unfortunately, anyone can lie.

What Are QR Codes Really?

QR codes are essentially fancy barcodes like the ones scanned at the checkout. A product (UPC) barcode is simply a twelve-digit number, and that number is almost always printed beneath the bars so it can be read by eye and verified.

UPC Barcode

Because a QR code is two-dimensional, it can hold far more than a twelve-digit number: the largest version carries roughly 7,000 digits, about 4,300 letters and digits, or close to 3,000 bytes of arbitrary data. That payload is just text, and your phone decides what to do with it by how the text begins: a web address, a Wi-Fi network name and password, a contact card, a link to a game, or a plain note. I’ve used them for inventory documentation for myself.
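To make the "it is just text" point concrete, here is an added example (not code from the original post) that does what a phone's scanner does after decoding: it looks at how the text starts and classifies it, parses the common WIFI: and MECARD: field conventions, and picks the QR encoding mode a payload would need along with that mode's maximum capacity. The payload formats are the widely used de-facto ones; the sample payloads are constructed for illustration.

```python
"""Classify the text a QR code carries, the way a phone's scanner does.

Added example, not from the original post. The payload is plain text; the
scanner decides what to offer (open a link, join Wi-Fi, save a contact, dial,
or just display) from the prefix. Sample payloads below are constructed.
"""
import re
from urllib.parse import urlsplit

# Maximum capacity of a Version 40 QR code at error-correction level L, per
# encoding mode (byte mode counts UTF-8 bytes). A UPC-A barcode holds 12 digits.
CAPACITY = {'numeric': 7089, 'alphanumeric': 4296, 'byte': 2953}

# The 45-character alphanumeric-mode alphabet: digits, upper-case letters and
# space $ % * + - . / :  Anything outside it forces byte mode.
ALNUM = set('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:')

# KEY:VALUE; fields as used by WIFI: and MECARD: payloads. A backslash
# escapes the following character, so ';' and ':' may appear inside values.
_FIELD = re.compile(r'([A-Z]+):((?:\\.|[^;\\])*);')


def qr_mode_and_capacity(payload):
    """Return (mode, max_units) for the densest mode that can encode payload."""
    if payload.isascii() and payload.isdigit():
        mode = 'numeric'
    elif set(payload) <= ALNUM:
        mode = 'alphanumeric'
    else:
        mode = 'byte'
    return mode, CAPACITY[mode]


def parse_fields(body):
    """Parse 'K:V;K:V;;' into a dict, removing backslash escapes from values."""
    return {k: re.sub(r'\\(.)', r'\1', v) for k, v in _FIELD.findall(body)}


def classify_payload(payload):
    """Describe what a scanner would make of the decoded text."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith('WIFI:'):
        f = parse_fields(text[5:])
        return {'kind': 'wifi', 'ssid': f.get('S', ''), 'auth': f.get('T', 'nopass'),
                'password': f.get('P', ''), 'hidden': f.get('H', 'false').lower() == 'true'}
    if upper.startswith('MECARD:'):
        f = parse_fields(text[7:])
        return {'kind': 'contact', 'name': f.get('N', ''),
                'phone': f.get('TEL', ''), 'email': f.get('EMAIL', '')}
    if upper.startswith(('HTTP://', 'HTTPS://')):
        p = urlsplit(text)
        return {'kind': 'url', 'scheme': p.scheme.lower(),
                'host': (p.hostname or '').lower(), 'path': p.path or '/'}
    if upper.startswith('MAILTO:'):
        return {'kind': 'email', 'address': text[7:].split('?', 1)[0]}
    if upper.startswith('TEL:'):
        return {'kind': 'phone', 'number': text[4:]}
    if text.isdigit():
        return {'kind': 'number', 'value': text}   # what a UPC-style code carries
    return {'kind': 'text', 'value': text}


if __name__ == '__main__':
    # Constructed payloads standing in for real scans.
    for sample in ('012345678905',
                   'https://www.example.org/donate?c=poster',
                   'WIFI:T:WPA;S:CoffeeShop;P:latte123;;',
                   'MECARD:N:Doe,John;TEL:15551234567;;',
                   'just a note'):
        print(qr_mode_and_capacity(sample), classify_payload(sample))
```

The scanner trusts nothing about the payload beyond its prefix, which is exactly why a Wi-Fi payload or a link deserves a look before you act on it: the code itself carries no hint of who made it.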

QR Code

Should I Quit Relying on Them?

No more than you should trust a normal link you’d click on to open a website. In fact, even less so. When was the last time you felt the urge to type a web address into the address bar by hand? Probably only when you had an existing problem and saw a billboard or flyer that would undeniably address that need, communicated in the very limited space available. The selling point of QR codes in marketing and communication is that they lower the barrier to action or information. And without a doubt, for that, they are great!

However, lowering a barrier isn’t an excuse to remove it entirely for convenience. Typing in a URL was tedious, but it made us mindful of what we were about to interact with. A QR code is quick and easy, but we still need to pause before clicking through from the camera to the address.

How to Keep Quite Reasonably Safe

Qualitatively Read before Scanning

Context always matters. A QR code printed on the menu at your local diner probably is not malicious. It would be quite a conspiracy to forge a delicious line-up just to get you onto a malware site. The one thing to check is that the code is part of the original print and not a sticker pasted over it; a sticker over a legitimate code is the cheap way to hijack a trusted spot. A billboard is often the same. The visibility and cost are far too high for a common criminal to exploit it without being reported by the ad agency.

It is much simpler to attack with plain paper carrying a generic message in a public space. If you see QR codes on stickers, flyers, or anything the teenager in your life could buy at Wal-Mart and print onto, perhaps pass them by. If you see the identical sticker again in a completely different setting and your interest is again piqued, then it might be worth pulling out the phone for the next step.

Also glance below or around the code. If there is no alternative URL printed, and there is enough space that there’s no reason it couldn’t have been, then someone chose to omit it. Question why, and move on with life.

Your phone should preview the code’s link and wait for you to authorize opening a browser.¹ Usually the preview is tiny, showing only the first few characters of the link. Marketers and scammers alike know this and often use link shorteners so that you see their brand (or don’t). You can see this with youtu.be, fb.me, etc. If the link looks strongly associated with the brand or organization on the material, then you can proceed to the next step.

If the QR code uses a generic link shortener such as bit.ly, or anything that doesn’t look right, stop. Your curiosity can be satisfied by typing the organization’s address in manually.

Question Redirects

If you got this far in the 0.75 seconds since you began this process, you’re jumping to a browser and the URL bar is updating a few times. That’s the URL “un-shortening,” so to speak: each hop is a separate request, and the server’s response sends the browser on to the next address. Going to youtu.be would expand to youtube.com, for example. One hop is normal. Two? Probably some kind of single-sign-on authentication, and also fine. Three to five? Ok, maybe the poor developers have to use microservices and that’s the price we pay. More than that? You should probably lock your phone now if you’re around others, because there’s a good chance where you’re going isn’t safe for work.²

After the page loads, double-check the URL that you landed on. All mobile browsers that I’m aware of keep the URL bar displayed until you start scrolling down. Take a last glance. Does the URL make sense based on the original material you read? Look at the actual domain, not just for the organization’s name somewhere in the address; a brand name can sit in a subdomain or path of a site that has nothing to do with the brand. Is it a secure (HTTPS) connection? Keep in mind that HTTPS only means the connection is encrypted, not that the site is honest; scam sites have certificates too. Is the page what you expected? If yes to all of these, carry on. If not, close the tab, silently curse the greed of others, and get on with the day.
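The whole procedure, from reading the preview through the landing page, as an added example (not code from the original post): refuse a generic shortener outright, accept a link only when its host is one you already associate with the organization, count redirect hops against the rule of thumb above, and then check that the final URL is HTTPS on a host that genuinely belongs to the organization rather than merely containing its name. The domains, the redirect table and the hop threshold are constructed for illustration; redirects are resolved from that table so the script runs offline, whereas a real tool would issue one request per hop without auto-following (for example `requests.head(url, allow_redirects=False)` and read the Location header).

```python
"""Triage the address behind a QR code, following the post's checks.

Added example, not code from the original post. The brand domains,
redirect table and thresholds are constructed; lookups are served from the
table so the script needs no network.
"""
from urllib.parse import urlsplit

# Well-known generic shorteners. Not exhaustive; extend to taste.
GENERIC_SHORTENERS = {'bit.ly', 'tinyurl.com', 't.co', 'goo.gl', 'ow.ly', 'is.gd'}

# Rule of thumb from the post: one or two hops is normal, up to five is
# tolerable, more than that is a reason to stop.
MAX_ACCEPTABLE_HOPS = 5


def host_of(url):
    """Lower-cased host name of url, or '' if it has none."""
    return (urlsplit(url).hostname or '').lower()


def belongs_to(host, domain):
    """True if host is domain or a subdomain of it. 'go.charity.example'
    belongs to 'charity.example'; the look-alikes 'charity.example.attacker.example'
    and 'charity-example.net' do not, although both contain the brand name."""
    domain = domain.lower()
    return host == domain or host.endswith('.' + domain)


def belongs_to_any(host, domains):
    return any(belongs_to(host, d) for d in domains)


def follow_redirects(url, lookup, max_hops=MAX_ACCEPTABLE_HOPS):
    """Walk the redirect chain from url. lookup(u) returns the next address or
    None when u is the final page. Returns (chain, status) where status is
    'landed', 'too_many_hops' or 'loop'."""
    chain, seen = [url], {url}
    while True:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, 'landed'
        if nxt in seen:                      # A -> B -> A never lands
            return chain, 'loop'
        if len(chain) - 1 >= max_hops:       # hops taken so far
            return chain, 'too_many_hops'
        chain.append(nxt)
        seen.add(nxt)


def triage(url, brand_domains, lookup):
    """Return ('open', reason) or ('stop', reason) for a decoded QR link."""
    if urlsplit(url).scheme.lower() not in ('http', 'https'):
        return 'stop', 'not a web link: ' + url
    host = host_of(url)
    if host in GENERIC_SHORTENERS:
        return 'stop', host + ' is a generic shortener; type the address yourself'
    if not belongs_to_any(host, brand_domains):
        return 'stop', host + ' is not a host you associate with the organization'
    chain, status = follow_redirects(url, lookup)
    hops = len(chain) - 1
    if status != 'landed':
        return 'stop', status + ' after ' + str(hops) + ' hop(s)'
    final = chain[-1]
    if urlsplit(final).scheme.lower() != 'https':
        return 'stop', 'landing page is not HTTPS: ' + final
    if not belongs_to_any(host_of(final), brand_domains):
        return 'stop', 'landed on ' + host_of(final) + ', which is not the organization'
    return 'open', str(hops) + ' hop(s) to ' + final


# Constructed redirect table standing in for real Location headers.
REDIRECTS = {
    'https://chrty.example/give': 'https://www.charity.example/donate',
    'https://www.charity.example/donate': 'https://www.charity.example/donate?src=poster',
    # brand name in the host, but the registrable domain is the attacker's
    'https://go.charity.example/x': 'https://charity.example.attacker.example/login',
    # bounces through six unrelated hosts before reaching a plain-HTTP page
    'https://chrty.example/promo': 'http://hop1.example/a',
    'http://hop1.example/a': 'http://hop2.example/b',
    'http://hop2.example/b': 'http://hop3.example/c',
    'http://hop3.example/c': 'http://hop4.example/d',
    'http://hop4.example/d': 'http://hop5.example/e',
    'http://hop5.example/e': 'http://hop6.example/f',
    'http://hop6.example/f': 'http://landing.example/',
    'https://chrty.example/loop': 'https://chrty.example/loop2',
    'https://chrty.example/loop2': 'https://chrty.example/loop',
}
BRAND_DOMAINS = {'charity.example', 'chrty.example'}   # the organization's own sites


def table_lookup(url):
    return REDIRECTS.get(url)


if __name__ == '__main__':
    for link in ('https://bit.ly/3abcxyz', 'https://chrty.example/give',
                 'https://go.charity.example/x', 'https://chrty.example/promo',
                 'https://chrty.example/loop'):
        print(link, '->', triage(link, BRAND_DOMAINS, table_lookup))
```

The interesting case is `go.charity.example`: the first hop looks fine, so the check on the landing host is what catches the switch to `charity.example.attacker.example`. Matching on the registrable domain with a dot boundary is what keeps the brand-in-a-subdomain trick from passing.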

Quintessential Recap

Ok, I’ll stop with the alliteration. If you take nothing else from this piece, take this: don’t let convenience blind you to risk. In those few seconds while passing a tree, when the 5G signal cuts out and your phone is deciding whether it can do anything at all without the cloud, think what you could have done as a rebellious child with this tool at your disposal, what pranks you would have pulled, and what Charles Ponzi would have attempted.

URLs, information, and food are all the same. We should consider what we put into our bodies and devices, respectively.

- Abraham Lincoln, probably

  1. If it does not, and instead opens any QR code you point it at automatically, check your phone manufacturer’s support website for how to disable that behavior.

  2. And that’s not just glib advice. Locking your phone pushes the browser to the background, which should stop it from continuing down a rabbit-hole of sin and viruses until you unlock it again. I would suggest locking your phone and then immediately powering it off and restarting it. That will kill the browser.