Josh Cigna, Solutions Architect, Yubico

Knowing how QR codes are a minefield of cyber risks, do remain vigilant at all times when any scanning of a QR code is involved.

    1. Double-check the integrity of the QR code
      It is very easy to place a fraudulent QR code sticker over a legitimate code. QR codes that are sticker-based, unbranded or placed in unusual locations should be treated with caution. QR codes from an unfamiliar source should not be trusted. QR codes delivered by email should always be treated with extreme caution, with the exception of mobile tickets that are read by third-parties (concert tickets, for example).

      When in doubt, ignore the easy way of responding to the QR code prompt and instead verify the QR code is legitimate by contacting the brand directly from their standard website, by calling customer service, or asking an employee in-person.

    2. Be mindful of sharing personal information
      Effectively safeguarding personal and financial information and placing trust in a website can be challenging. Therefore, be wary of QR codes leading to websites that ask for personal information, login information or sensitive financial details. Never disclose banking information or wire transfer funds as the result of a QR code interaction.

    3. Be mindful of payment methods
      While convenient, not all payment methods are protected equally. Avoid QR code-linked transactions using methods of payment that are not well secured and covered by credit card fraud liability policies. Opt for a payment method in your country with strong consumer protection.

    4. Enable strong, phishing-resistant MFA across your accounts
      Wherever possible, enable accounts to use multi-factor authentication (MFA) to make it harder for phishing attacks to succeed. While any form of MFA is better than just using a username and password, not all MFA is created equal.

      Therefore, use passkeys, additional biometric authentication and even hardware-based keys as appropriate.

      For those sites that do not yet support phishing-resistant methods, use a reputable password manager to generate strong, unique credentials per site and make logins easier between devices.