This article is part of my Cybersecurity Hygiene Series - I recommend reading the background information about the series first to understand how these tips are structured. See this post: Cyber Security Hygiene.
Think before you scan that QR code
QR codes have become mainstream (finally) and so we see them everywhere. Unfortunately, cyber-criminals are also looking to abuse QR codes to take advantage of placing too much trust in them.
Why?
QR codes, by their nature encode information. This may be a link to a web site but it also may be code that joins you to a WiFi network, downloading an app, verifying information, creating a contact, sending an email or message, or dialing a phone number. Blindly scanning a QR code can be dangerous - think before you scan!
What do I do?
Think about the medium of the QR code before even considering scanning it. A QR Code as part of a video presentation is the most likely to originate from the same source as the presentation. A QR code on a poster or sticker (note that there may be a sticker covering a portion of a poster) is far more risky. Never scan a random QR code stuck on the side of some lamp-post or wall (I see these all the time)
Ensure your phone is configured to preview the action of the QR code before executing it (this is usually the default) and if you can't confirm the action is what you want to have happen (eg: check the link it's taking you to is what you expect) then do not proceed.
Bonus Tips:
If you are making a poster, don't include a QR code or leave enough space for someone to put a sticker over top of your poster and trick people. If you are generating a QR code for a video presentation, ensure the generator didn't alter the URL - some QR code generators will change your link to add tracking and advertising. Note: many new web browsers will generate a clean QR code simply by right-clicking on the background of the page and selecting "Generate QR Code" (or similar)