QR codes are common for checking-in or ordering food at restaurants. But cyber criminals can also use them to obtain your personal information. Learn how to protect yourself
Quick Response codes
What are Quick Response codes?
QR codes are similar to barcodes. They contain information that can be read by the camera or another app on your smartphone, triggering your smartphone to perform an action such as:
visiting a website
installing an app
joining a Wi-Fi network
adding someone’s details to your contact list
dialling a specified phone number
sending a SMS/text message or an email to a specified recipient.
How are Quick Response codes being used in the COVID-19 environment?
QR codes are used for check-in at businesses to provide a quick way to collect customer contact details required by State and Territory governments for contact tracing, and are a contactless alternative to pen and paper.
Some businesses also display QR codes that direct customers to a website containing information such as the menu to avoid the need to sanitise printed copies between customers.
What are the risks of using Quick Response codes?
Scanning a QR code which directs you to a non-government website requesting your name, phone number and email address, could result in your personal contact information being used for marketing or criminal purposes. Additionally, it is quick and easy for criminals to generate QR codes as part of attempts to obtain your personal information, usually by causing your smartphone to visit a harmful website, install a malicious app or join an untrustworthy Wi-Fi network.
In contrast, there is a relatively lower risk when using an app developed by a State or Territory government to scan a check-in QR code provided:
the app ignores QR codes that could result in your smartphone performing the actions previously listed
your contact details are provided to the State or Territory government, not to the business
details of your check-ins are deleted after a limited time period such as 28 days.
Using Quick Response codes
Guidance for individuals
If the business is in a State or Territory whose government has developed a check-in app, as have ACT [1] and NSW [2] at the time of publication of this document, install and use this app to scan the check-in QR code. If the business hasn’t signed up to their government-provided check-in process, ask the business why not.
If there are no government-provided check-in apps for the State or Territory where the business is located, if the business hasn’t signed up to use government-provided check-in apps or if you want to scan a QR code to view a restaurant’s menu:
Only scan QR codes located in prominent positions in the business, to reduce the likelihood of scanning malicious QR codes placed by someone other than their employees – if you’re in doubt, ask an employee.
While scanning a QR code, look for prompts on your smartphone indicating actions that the QR code will perform.
Be ready to cancel or terminate an unwanted action triggered by scanning the QR code. For example, close your web browser if you are directed to an unknown website, or hang up if an unexpected phone call is initiated.
During check-in, ask the business for their privacy policy detailing how your personal contact information will be collected, stored, used and deleted. Provide only the minimum amount of personal contact information required by the State or Territory government, such as your name and either your email address or phone number. source: https://www.cyber.gov.au/acsc/view-all-content/publications/quick-response-codes-covid-19-environment
