Blog, news and latest updates from IT Foundations

Why you shouldn't scan QR codes

Written by itfoundations | Oct 6, 2023 2:53:00 PM

QR codes have always been dangerous; they invite you to scan them and blindly follow them to an unknown destination on the internet.


A new QR-based menace has started to flood inboxes. Criminals use these codes to direct unsuspecting victims to pages that contain malware or that invite them to share their valuable data.

There has been a surge in unexpected QR codes landing in mailboxes, probably in no small part due to Microsoft now very strongly pushing the use of their Authenticator App, which asks you to scan a QR code on screen as part of setup. This adds an air of legitimacy to the QR code, so when one appears in an inbox purporting to be from Microsoft, it might not seem too odd.

Spam mail filters aren't used to seeing these, so they don't get filtered out yet.

Below is a sample of the messages that have landed in mailboxes just today for some of our customers (and us!)

How to stay safe

The very simple message is this:

If you receive a QR code in an email, delete it.

Companies should never email you a QR code and ask you to scan it.

The only time you should scan a QR code is if you are following a process from a legitimate vendor and you are expecting to have to scan one.

A perfect example is setting up an Authenticator App. During the process, you are asked to scan a QR code that is displayed on your computer screen at the time. Conducting an internet search for the process will provide you comfort that this is expected behaviour and it is safe to scan that QR code.

The codes in the emails above all look very genuine, with Microsoft branding and references to setting up Authentication, but you can be sure that these are not genuine because they’ve arrived in your inbox and you weren’t expecting them.

You can think of a QR code just like a link. You wouldn’t click a link that you weren’t expecting. Don’t scan a code that you’re not expecting either.

This advice applies in the wild too. You will often see QR codes stuck up in public places. You never know who placed them there or where they go, so we strongly recommend that you don’t scan them, just in case.

Next steps...

If you would like any more advice or help with keeping your business safe and secure then get in touch today.