Going Viral: Once unpopular, QR codes have taken off, thanks to the pandemic


Photo illustration by Sara Wadford/Shutterstock

It starts out with something innocuous, like “mushrooms or pepperoni?” Next thing you know, your pizza topping preferences are out there for the whole world to see.

The vehicle is a QR (quick response) code. Those are the black-and-white barcodes resembling boxes full of squiggles, squares and dots that have become ubiquitous on all forms of advertising. Invented in 1994 by engineers at the Japanese company Denso Wave, a Toyota parts supplier, as a means of tracking those parts, QR codes became more widespread in the 2010s as companies started using them to provide users with access to a wide range of services, including restaurant ordering, electronic payments and gaming.

However, the technology didn’t quite catch on. Turns out, many people were confused by the codes and didn’t know what to do with them. Inc. Magazine found in 2012 that 97% of consumers did not know what a QR code was. Additionally, most smartphones at the time did not have a native app or scanner that could read the code, forcing users to download a special program, which led to even more confusion and inconvenience. According to a 2013 study by marketing analytics firm Marketing Charts, only 21% of smartphone users had ever scanned a QR code.

But then the pandemic hit, and QR codes became very popular as people looked for a contact-free way to share information. According to eMarketer, in 2019, 52.6 million smartphone users scanned a QR code. This year, it is estimated that 83.4 million will scan a code, and by 2025, QR codes will be scanned by 99.5 million smartphone users, nearly double the 2019 mark. To drive traffic, eMarketer encourages its readers to create QR codes that are innovative, such as games to obtain discounts or provide access to promotions and deals.

Privacy advocates, however, see a darker side to QR codes.

“Really sensitive information about you is being collected and monetized by the QR code-generation company,” says Nicole A. Ozer, technology and civil liberties director of the American Civil Liberties Union of Northern California.

Ozer says QR generators can use the codes to get your phone’s unique device identifier and location information. “Companies share the information they retrieve with other marketing companies, so the big picture creates much more info than just you retrieving a menu,” she says. “Most of the restaurants have no idea that they are being used as a cog in this huge ecosystem.”

While that information may seem innocuous, Ozer cautions that companies can extrapolate all sorts of information from a given data point and make important assumptions about people that could have major repercussions in their lives.

“So now they know I like pepperoni pizza,” Ozer says. “That info could be provided to my health insurance or life insurance companies. Then if these companies get more information about someone—for instance, if they eat takeout every day or if they engage in risky behavior like skydiving—they can use it to determine how much coverage, if any, someone should have.” Ozer suggests consumers pass on QR codes and request a paper menu instead.

Scan safely

Issuers of QR codes also must evaluate the risks to their clients, says Linn F. Freedman, chair of the data privacy and cybersecurity team at Robinson & Cole.

“Any technology that uses code, like phishing—or in this case, QRishing—presents the ability for bad actors to leverage the information. So as the issuer, you want to make sure you have sufficient security measures in place,” Freedman says. “Bad actors can victimize you or your clients. The information could be used to even perpetrate a fraud in your name.”

Pointing out the wide use of QR codes, Freedman referenced the bouncing QR code deployed by Coinbase in a February Super Bowl ad that was scanned by more than 20 million people in one minute. The traffic was so heavy, it caused the app to crash. “I am concerned that the Coinbase ad gave people a false sense of security,” Freedman says. “I’m concerned that people are getting comfortable with QR codes without understanding that they can be malicious, just like links or texts.”

The popularity of QR codes increases the possibility that consumers could unwittingly scan a malicious one, thereby giving a hacker the access to do all sorts of harmful things, such as installing spyware, tracking consumer behavior or stealing sensitive information.

The situation is now such that governments are issuing QR code warnings. The FBI advises using caution when entering login, personal or financial information on a site reached through a QR code. It also advises against downloading an app from a QR code and against downloading a QR code scanner app. If you receive an email saying a payment failed from a company with which you recently made a purchase, and the company states you can only complete the payment through a QR code, call the company to verify.

North Carolina Attorney General Josh Stein says QR codes can be helpful, “but like any technology, it can be used against us.” Stein advises that consumers should exercise caution with QR codes.

“If you order through the QR code, check the URL to make sure it’s really the restaurant,” he says.
