You are now in the main content area

QR Codes

With your help, TMU can minimize online threats.

Since the onset of the COVID-19 pandemic, QR codes have made an incredible comeback. Commonly appearing on restaurant menus, posters and advertisements in high traffic areas, they’re now a part of our daily lives as they provide an easy and convenient way to deliver content directly to your mobile device. 

While convenient, scanning a QR code from an unknown source increases the risk of compromising your device or sharing your personal information with hackers.

QR codes are an effective phishing method

Because of their versatility and prominence, hackers are increasingly using QR codes as a phishing tool. QR codes embedded in emails, websites or on printed materials obscure the source of the link you’re scanning, redirecting you to fake websites that aim to steal your personal information or tricking you into downloading malware.

QR codes can track your metadata

By scanning a QR code, you could be directed to a phishing website that hackers can use to track your online activity through cookies. Metadata commonly tracked through fake QR codes include:

The device used to scan the QR code

IP addresses

The geolocation of your device

Other identifying personal information

Protect yourself from QR code risks

Scan QR codes via private browsing

If you do need to scan a QR code, always scan it while your mobile device’s browser is set to incognito mode so your metadata can’t be tracked. Learn how to switch to incognito mode on your mobile device’s browser (external link) .

Prevent automatic scanning of QR codes on your device

It’s also recommended that you turn on settings available through your mobile device’s operating system to prevent your device from automatically performing actions when you scan a QR code.

iOS devices

View instructions for disabling automatic QR code scanning on an iOS device (external link) .

Android devices

  1. Unlock your device and navigate to Settings.
  2. Click System Settings.
  3. Click on Users & Devices.
  4. Click Device Registration.
  5. Unselect Display QR Code and Registration URL.
  6. Once unselected, click Save.

Four tips for avoiding QR code phishing attacks

1. If you can’t verify the source of a QR code, don’t scan it.

2. If the website a QR code directs you to looks suspicious, leave the website immediately.

3. Bypass scanning the QR code altogether by visiting a website by manually typing in the URL in your browser.

4. If you plan to scan a QR code, do so with your browser in incognito mode and change your phone settings to prevent automatic QR code scanning.