
Quick Response Codes in a COVID-19 Environment

QR codes are common for checking in or ordering food at restaurants. But cyber criminals can also use them to obtain your personal information. Learn how to protect yourself.

Quick Response codes

What are Quick Response codes?

QR codes are similar to barcodes. They contain information that can be read by the camera or another app on your smartphone, triggering your smartphone to perform an action such as:

  • visiting a website

  • installing an app

  • joining a Wi-Fi network

  • adding someone’s details to your contact list

  • dialling a specified phone number

  • sending an SMS/text message or an email to a specified recipient.

How are Quick Response codes being used in the COVID-19 environment?

QR codes are used for check-in at businesses to provide a quick way to collect customer contact details required by State and Territory governments for contact tracing, and are a contactless alternative to pen and paper.

Some businesses also display QR codes that direct customers to a website containing information such as the menu to avoid the need to sanitise printed copies between customers.

What are the risks of using Quick Response codes?

Scanning a QR code that directs you to a non-government website requesting your name, phone number and email address could result in your personal contact information being used for marketing or criminal purposes. Additionally, it is quick and easy for criminals to generate QR codes as part of attempts to obtain your personal information, usually by causing your smartphone to visit a harmful website, install a malicious app or join an untrustworthy Wi-Fi network.

In contrast, there is a relatively lower risk when using an app developed by a State or Territory government to scan a check-in QR code provided:

  • the app ignores QR codes that could result in your smartphone performing the actions previously listed

  • your contact details are provided to the State or Territory government, not to the business

  • details of your check-ins are deleted after a limited time period such as 28 days.
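The first condition above, a check-in app that ignores any QR code able to trigger one of the listed actions, can be sketched as follows. This is an added example, not part of the original guidance or of any government app; the host `checkin.example.gov.au` and the function name are hypothetical, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the only host this hypothetical check-in app trusts.
ALLOWED_CHECKIN_HOSTS = {"checkin.example.gov.au"}

# Common QR payload prefixes that make a phone perform the listed actions.
ACTION_PREFIXES = {
    "wifi:": "join a Wi-Fi network",
    "tel:": "dial a phone number",
    "sms:": "send an SMS/text message",
    "smsto:": "send an SMS/text message",
    "mailto:": "send an email",
    "matmsg:": "send an email",
    "mecard:": "add a contact",
    "begin:vcard": "add a contact",
    "market:": "install an app",
    "itms-apps:": "install an app",
}


def classify_qr_payload(payload: str) -> tuple[str, str]:
    """Return (decision, reason) for the text decoded from a QR code."""
    text = payload.strip()
    lowered = text.lower()
    for prefix, action in ACTION_PREFIXES.items():
        if lowered.startswith(prefix):
            return "ignore", f"would {action}"
    try:
        url = urlsplit(text)
        host, port = url.hostname, url.port
    except ValueError:
        return "ignore", "malformed URL"
    if url.scheme != "https":
        return "ignore", "not an https link"
    # Exact host match: look-alike hosts and userinfo tricks fail here.
    if host not in ALLOWED_CHECKIN_HOSTS or port not in (None, 443):
        return "ignore", "host is not the trusted check-in service"
    return "accept", "trusted check-in link"


if __name__ == "__main__":
    samples = [  # constructed sample payloads
        "https://checkin.example.gov.au/venue/12345",
        "WIFI:T:WPA;S:FreeCafe;P:password;;",
        "tel:+61400000000",
        "https://checkin.example.gov.au.evil.example/venue",
        "https://checkin.example.gov.au@evil.example/venue",
    ]
    for sample in samples:
        print(classify_qr_payload(sample), sample)
```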

Using Quick Response codes

Guidance for individuals

If the business is in a State or Territory whose government has developed a check-in app, as have ACT [1] and NSW [2] at the time of publication of this document, install and use this app to scan the check-in QR code. If the business hasn’t signed up to their government-provided check-in process, ask the business why not.

If there are no government-provided check-in apps for the State or Territory where the business is located, if the business hasn’t signed up to use government-provided check-in apps or if you want to scan a QR code to view a restaurant’s menu:

  • Only scan QR codes located in prominent positions in the business, to reduce the likelihood of scanning malicious QR codes placed by someone other than their employees – if you’re in doubt, ask an employee.

  • While scanning a QR code, look for prompts on your smartphone indicating actions that the QR code will perform.

  • Be ready to cancel or terminate an unwanted action triggered by scanning the QR code. For example, close your web browser if you are directed to an unknown website, or hang up if an unexpected phone call is initiated.

  • During check-in, ask the business for their privacy policy detailing how your personal contact information will be collected, stored, used and deleted. Provide only the minimum amount of personal contact information required by the State or Territory government, such as your name and either your email address or phone number.
