QR codes are a wonderful tool for quickly sharing and accessing information, be it a restaurant menu, a tournament schedule, or a PIN code for setting up an account. When setting up Duo MFA here at Crowder, we usually scan a QR code to avoid having to enter a long unique code to link your account to your Duo app.
That said, a study found that approximately 60% of emails containing QR codes are classified as spam or malicious. In other recent headlines, police departments are warning citizens to be cautious of "QR brushing," where an unexpected package contains a malicious QR code.
Please take the following precautions as you interact with QR codes:
- Is the QR code expected and something you may need to scan?
- Has the QR code been potentially tampered with? Someone could simply have placed a malicious QR code sticker over a legitimate one.
- When scanning the QR code with your phone's camera, check the link before clicking, similar to hovering your mouse over a hyperlink on your computer. Does it direct you somewhere you would expect? URL shorteners are often used, which can obfuscate where the QR code is actually directing you.
- Lastly, once you have clicked the link, do not provide any account usernames or passwords. If the QR code is directing you to a site you have an account with, just visit that site directly through your browser or app rather than using a QR code to access it.
Thank you for being cautious.