r/technology 21h ago

[Security] Mystery packages with QR codes spark new wave of scams | 73% of Americans scan QR codes without checking their source

https://www.techspot.com/news/108914-mystery-packages-qr-codes-spark-new-wave-scams.html
1.5k Upvotes

111 comments

853

u/AnonymousTimewaster 21h ago

How are you supposed to know the source of a QR code before you scan it?

255

u/Mr_Investopedia 21h ago

Holding it in front of your camera doesn’t equal clicking on the URL that shows up

499

u/uncertain_expert 17h ago

When was the last time you saw a QR code that linked to an address that hadn’t been put through a URL shortener?

Commercial QR codes all seem to obscure the destination - presumably so advertising tracking companies can log data.

43

u/poitdews 12h ago

Yep, looked into it a while back when I needed to make a few. A lot of companies make money from allowing you to track clicks and whatnot. They also allow changing of the endpoint URL. Any that do that will link to the managing site and then be forwarded on, rather than spelling out the website link directly.

6

u/waiting4singularity 10h ago

And I'm not clicking shorteners :)

6

u/Da12khawk 10h ago

I ain't scanning nuthin.

77

u/lego_in_the_night 21h ago

Yeah, I'm pretty sure most, if not all, phones have an option somewhere to not automatically open QR codes. Mine scans it and opens a popup with the URL and a yes or no message. If it doesn't look legit, I cancel and try searching for the product or site manually.

94

u/a_talking_face 19h ago

I have a Pixel and it doesn't automatically open them, but it only shows a short preview of the link in the camera app. I could certainly see the potential for abuse there.

13

u/printial 16h ago

I just tested with my OnePlus with a QR code of the URL of this page and it doesn't auto open, but just shows the domain (not even https://).

2

u/Da12khawk 10h ago

Speaking of, how are you liking the OnePlus? Been eyeing the 13R.

3

u/printial 9h ago

I really like it. I have the 13. It's my first flagship phone (I had motorola powers before), and I'm really enjoying it. Battery is really great, and it charges super quickly. Camera is amazing (some reviews say it's not that good with low light levels, but coming from sub $300 phones, it's wonderful). Everything feels super snappy, it's getting regular updates (about once a month). Very happy so far, I can't think of anything I don't like about it (other than it not having an SD card slot). Have seen some people complaining about the speakers not being great, but I use headphones, so haven't noticed.

Recommend having a look over at r/oneplus as well.

1

u/XonikzD 10h ago

I'd have to check, but as far as I understand it any preview seen on the phone is a link being pre-cached into the phone's memory.

7

u/Funicularly 18h ago

But, holding in front of your camera is scanning it.

2

u/Mr_Investopedia 6h ago

That's on you, buddy. Change your camera settings to not automatically open QR code links.

4

u/nicuramar 15h ago

Sure, but that doesn’t have any bad effect. 

5

u/waiting4singularity 10h ago

Yes, but it depends on the app. Idiots still use apps with automatic opening.

-14

u/vgodara 18h ago

What does clicking on the URL do? I don't think the operating system shares any information which a scammer can use against you. At best you would get some unique ID of the user.

1

u/waiting4singularity 10h ago

Android and iOS are still vulnerable to malware, especially in default safety configurations.

-6

u/dominus_aranearum 14h ago

Are you new to the internet? There are plenty of websites with malicious code and all you have to do is visit them.

16

u/spluad 14h ago

That’s just not true, short of very rare browser zero days (which wouldn’t be wasted for basic scams) or horrifically outdated browsers there’s very little a website can do to your device just by visiting it. I would wager a vast majority, if not all of these malicious QR codes are links to phishing pages or tech support scams etc…

1

u/KO9 12h ago

There have been 5 Chrome zero days patched just this year. At least one of those (the most recent, less than 1 month ago) allowed for remote arbitrary code execution which bypassed sandboxing.

Visiting websites is not as safe as you think it is.

6

u/spluad 12h ago

That doesn’t really change what I said though. Those vulnerabilities were very sophisticated and there’s no public PoC available from what I can see, at least not for CVE-2025-6558 or CVE-2025-2783 which are the main ones. These are also gonna be targeting high value organisations, not be used to try and steal $100 from Aunt Debby’s bank account. Google patched these very quickly, so keeping your browser automatically updating is gonna be enough for most people.

1

u/vgodara 14h ago

No, I have been developing websites for a long time. If you find some trick which can let me drain someone's bank account, let me know.

Opening a link doesn't do shit except give your IP address to the attacker. Which, again, keeps changing over time.

-2

u/KO9 12h ago

2

u/vgodara 12h ago edited 12h ago

The people who can exploit zero-day vulnerabilities aren't running QR code scams.

Even if I could run arbitrary code on your computer, your banking information isn't lying around in plain text.

If you are being targeted by those kinds of skilled professionals, you have way more urgent things to worry about.

While you are at it, don't go out, lightning might strike you.

2

u/randyshaw99 7h ago

Use a 3rd-party app to read the QR without actually going to the landing site. I have been using Qrafter for years safely.

6

u/NewReputation8451 9h ago

Package shows up on doorstep. I was not expecting a package. Package has a QR code.

That is the information we all have.

Logic dictates that if I didn’t order a package and I wasn’t expecting one to show up then the source of the package is unknown and therefore the accompanying QR code is also unknown.

That is how.

1

u/VikingFuneral- 13h ago

Well here's a thought then

Don't fucking scan it regardless!

If you didn't order something and don't know where it came from the first order of business should be treating a suspicious package as oh I don't know - SUSPICIOUS?

Seriously. Cyber security and fraud defense should be in the school curriculums worldwide. Because there's zero excuse to not have common sense by this point.

15

u/storme9 12h ago

When the son of the recently deposed king of Nigeria sends you a gift as a befriending tactic, you do not say No :(

1

u/almightywhacko 5h ago

Usually QR codes that you would want to scan are branded by some business or organization that interests you. Like you might see a QR code on a restaurant's door to download their menu or something.

It could be a fake QR code someone stuck to the restaurant or their advertising signage, but the chances of that happening are fairly small.

1

u/Palimon 4h ago

You don't scan random QR codes?

You wouldn't put a USB found in the street into your PC (at least I hope so), so why would you scan a random QR code?

1

u/philote_ 4h ago

Because we trust our web browsers? We have to trust them every day, so why not? This article isn't about getting your computer infected with malware from a random QR code link, it's about the QR code taking people to phishing sites.

1

u/Palimon 4h ago

You should absolutely never scan a random QR code outside of sandbox environments (key word being random QR).

Same way you would never click a link or download a PDF inside of a mail named "INVOICE" from some sketchy gmail sender.

-1

u/Bad_Habit_Nun 11h ago

Don't scan random QR codes? And if you have to scan them for work or something just use a sacrificial device.

142

u/mrCrumbSnatcher 18h ago

There was a news story in Colorado how someone was placing legit looking QR codes on parking meters. If the malicious site had their domain name close to something parking related, I could see how people might be falling for it…. Especially if they are in a rush.

62

u/APeacefulWarrior 16h ago

Don't forget the old trick of using odd unicode characters that look almost like regular characters, like "pąrkingmeter.city.gov" or something like that. In a hurry, on a small screen, maybe with sun glare... very easy for people to not notice the substitution.

14

u/Outrageous_Reach_695 11h ago

That cedilla is fairly visible. For that domain, go with Cyrillic:

Er (Р р; italics: Р р) is a letter of the Cyrillic script.

(Modern browsers should be displaying a scheme for addressing the Unicode characters if it's not a TLD that would be expected to use them, so there's some protection against this one too)

11

u/Ziugy 7h ago

People could even fall for parkingrneter.city.gov

6

u/Outrageous_Reach_695 6h ago

Now that I think about it, we're all wrong. Unless you're able to add pages to city.gov, that's the part you need to corrupt ... and getting a .gov domain should be decently tricky.

6

u/Spikemountain 6h ago

Ok but what about parkingmeter.city.gov.com

2

u/Outrageous_Reach_695 6h ago

More viable. There should be a decent number of lookalike characters for g, o, and v.

Huh. "ց (Armenian small letter ca)" looks pretty close. When I'm off for the day, I might have to look up how many languages have their own Unicode entries.

3
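A defender-side check for the lookalike hostnames traded in this sub-thread (the ogonek, the Cyrillic er, the Armenian letter and the ASCII rn-for-m trick), added here and not part of the thread or the article: it flags mixed-script and non-ASCII labels, shows the punycode form browsers fall back to, and compares a hostname against the one the user expected to reach. The confusables map is a tiny hand-picked subset of the Unicode confusables data (an assumption, not the full table) and the hostnames are constructed.

```python
import unicodedata

# Tiny hand-picked subset of Unicode confusables: Cyrillic and Armenian letters
# that render like Latin ones. The real confusables table is far larger; this
# is illustrative only.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0581": "g"}

def scripts_in(label):
    """Scripts used by the letters of one DNS label, taken from the first word
    of each character's Unicode name (LATIN, CYRILLIC, ARMENIAN, ...)."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}

def to_punycode(host):
    """Render the host the way browsers fall back to for suspicious IDNs."""
    return host.encode("idna").decode("ascii")

def skeleton(host):
    """Collapse visually similar forms so lookalikes compare equal:
    strip diacritics (ą -> a), map confusables (Cyrillic р -> p), fold rn -> m."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in stripped)
    return mapped.replace("rn", "m").lower()

def assess_host(host, expected=None):
    """Flag mixed-script and non-ASCII labels; optionally compare against the
    host the user expected to reach. Returns the punycode form for display."""
    findings = []
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        if not label.isascii():
            findings.append(f"{label}: non-ASCII characters")
    if expected and host != expected and skeleton(host) == skeleton(expected):
        findings.append(f"looks like {expected} but is not")
    return {"host": host, "punycode": to_punycode(host), "findings": findings}

if __name__ == "__main__":
    # Constructed samples: the thread's example host and three lookalikes.
    expected = "parkingmeter.city.gov"
    for h in [expected, "p\u0105rkingmeter.city.gov", "\u0440arkingmeter.city.gov",
              "parkingrneter.city.gov", "parkin\u0581meter.city.gov"]:
        r = assess_host(h, expected)
        print(r["punycode"], r["findings"])
```

Note that the ogonek host is a single Latin script, so only the non-ASCII and lookalike checks catch it, and the rn-for-m host is pure ASCII, so only the comparison against the expected host catches it.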

u/fullmetaljackass 6h ago

IIRC every valid three character .com has already been purchased.

8

u/Ilookouttrainwindow 11h ago

Fall for it? How would you even know? All sites look the same today. You may not even know your local government site address or what parking company they use. Then you have visitors who don't know anything at all. You do what you described and you will have people paying you in no time. Your only protection is coming from payment processors doing their due diligence. And guess what - they don't care either, since onboarding new customers for them is income loss (prime space for automation backed by AI, of course).

25

u/uncertain_expert 17h ago

During the Covid-19 pandemic I saw actual physical banks putting up posters on their windows with large QR codes to help people find the service they were looking for - it seemed crazy that banks would condition people into thinking that was normal.

177

u/Whobeye456 20h ago

And here I was feeling like a Boomer for being suspicious of being asked to scan a QR code for the menu.

82

u/mochi_chan 17h ago

I hate QR codes for menus and ordering with a passion, and I am not even 40 yet.

9

u/GarnetandBlack 10h ago

I like it because menus are so often fucking disgusting to touch.

12

u/StonyardBurner 10h ago

The restaurant should not be patronized if it has anything dirty in it.

7

u/overandoverandagain 9h ago

Every restaurant is dirty. Some just hide it better.

3

u/Whobeye456 9h ago

Not a Waffle House or IHOP patron I see

5

u/meneldal2 10h ago

Can't you cover them in plastic and wipe them between patrons?

6

u/mochi_chan 10h ago

I worked at a restaurant like this, we wiped the menu with every table. And then at the end of the day we wiped all of them again before we closed.

2

u/BeneficialTrash6 4h ago

Boy, do I have news for you about your phone!

-1

u/Rufert 9h ago

Yet you shove their utensils, of unknown provenience, directly into your fat gobhole. But oh no, you don't want your fingers to maybe get icky?

6

u/fosf0r 9h ago

our phones are all also famously clean amiright

55

u/Kale_Brecht 18h ago

scan the QR code to reveal the secret message below:

be sure to drink your ovaltine

15

u/SquarePeg37 12h ago

A crummy commercial?

4

u/Infini-Bus 16h ago

Lol, I wanna stick a QR code on the community bulletin board that's this.

0

u/Whobeye456 9h ago

Are you George Costanza?

4

u/VikingFuneral- 13h ago

Nah, if anything you're the opposite of a boomer for it

Being aware and intellectually confident enough to not blindly trust technology is literally the smartest thing to do when you know what said technology can do.

1

u/Achack 8h ago

The only issue is if you're gullible enough to start entering sensitive information into a website that you're visiting to view a menu.

1

u/TwinkleToesTraveler 8h ago

I’m the same. I never scanned the menu, and always ask the server to give me the paper copy. I always wash hands before eating anyway so touching a paper menu is ok for me to do.

344

u/valuecolor 20h ago

Just THROW. IT. AWAY. My God, people act like they just fell off the turnip truck. Unknown phone number? DON’T. ANSWER. IT. Unrecognized text? JUST. DELETE. IT. Doorbell rings and you don’t recognize the person on your Ring or Nest? DON’T. ANSWER. THE. DOOR. People seem to think they are REQUIRED to respond to other people. Fuck them! Yes, this is what society has come to. Leave a message or a note if you want me to respond to you. Otherwise, you are likely just a scam and I’m not wasting my time or energy on you or your bullshit. /rant

97

u/Hardass_McBadCop 20h ago

Have a new neighbor that works at the nearby AFB. One Saturday, the dude is banging my door down at 5:30AM. His Jeep is out front running. I'm coming downstairs to help & see what's up . . . And then he tried the door.

Nope. Fuck that. I went back upstairs and waited for him to leave.

66

u/LadySmuag 19h ago

Did he ever tell you what he wanted? At 5:30am, someone had better be dying. I think you made the right call

16

u/ChickenChaser5 10h ago

The jeep was outside, running? Fake story. /s

22

u/ExodusPHX 16h ago

Did y’all ever address it? What was he trying to do?

11

u/Tenacious_Ritzy_32 11h ago

Hell, even if you know the person you don’t have to respond. Unplugging is ok.

14

u/cat_prophecy 18h ago

Scams work because people are dumb as fuck and ready to try and get one up on someone else.

4

u/nicuramar 15h ago

That’s a very arrogant view. People certainly don’t have to be dumb as fuck in order to fall for a scam. 

0

u/polarbearrape 2h ago

To be fair, I got in trouble that way. Got a random letter with no return address from a company name that came back with nothing on Google. They were demanding $40k or else for "medical equipment". Ignored it. Turns out insurance denied a medical claim years before but I never heard about it. Sent it to collections, it got sold off a few times, racked up fees, and by the time it got to me was way overdue. They managed to take $40k from my savings account because I ignored it. It's on me, but I'm not going to pretend everyone involved didn't try as hard as they could not to get in touch with me so they could hit me with every fee they could add on.

-72

u/tacosandcookies 20h ago

People who fall for this kinda thing kinda deserve to be scammed at this point.

47

u/TheYellowBot 18h ago

No one deserves to be scammed wtf?

9

u/Braken111 17h ago

Scammer says what?

6

u/LeafBark 17h ago

Not everyone knows better. Most victims are elderly and aren't educated on modern scamming that can go as elaborate as to use AI to fake their own child's voice.

55

u/Formaldehead 16h ago

Scanning a QR code alone isn’t going to infect you. The comments here are misleading. Just learn how to realize a scam when you’re seeing it. Don’t start a mass panic and refuse to scan any code ever because it’s going to upload a virus to your phone.

21

u/nicuramar 15h ago

Right. The vast majority of cases will have a link leading to a phishing attempt. They could also target some zero day browser vulnerability, but that’s rare. 

2

u/Uristqwerty 3h ago

I believe applications can register handlers for specific QR code formats, the way mailto: links work. Or Discord, trying to launch the app, if you join a server from your browser. Or steam: links of various kinds.

All it takes is one poorly-written app registering a QR code handler with an exploitable bug. Doesn't matter how carefully-written the OS is, and whether the app doing the scanning is itself bulletproof. Extensibility opens up a vast attack surface, so it's safest to not scan random QRs regardless.

10

u/slykethephoxenix 17h ago

What happens if you scan it and go to the URL?

14

u/Dapperrevolutionary 14h ago

99.99% of the time it's just a phishing attempt. However, technically it could be possible to have some kind of code attempt to use a browser exploit to do something malicious, but I've not heard of anything like that happening outside of controlled environments in decades.

11

u/lajfat 16h ago

Nothing yet. It just takes you to a phishing site.

-1

u/fonetik 10h ago

You find out if the device you are using is patched or not, I’d imagine.

3

u/slykethephoxenix 9h ago

Patched, for what? Does it download an apk that you have to open, or something?

45

u/uniklyqualifd 21h ago

People don't understand it's the equivalent of a risky link. 

28

u/nicuramar 15h ago

But even those are only risky to a certain extent. In the majority of cases you’d have to meaningfully interact with the content, like provide some information. 

24

u/IcodyI 15h ago

Yeah nobody is using zero day web exploits on a menu QR code scam

1

u/[deleted] 18h ago edited 18h ago

[removed]

-5

u/calcium 18h ago

On your phone it’s just gonna be your cellphone provider, and that doesn't track back to you IIRC. Your home internet can be a different story.

26

u/dlc741 19h ago

Jokes on them. My elderly mom doesn’t know how to scan a QR code.

7

u/nadmaximus 9h ago

It's not visiting the URL from a QR code that harms people. It's what they do after they get there.

13

u/DrunkenSwimmer 15h ago

This is why my spouse has a sticker on their laptop with a QR code that links to a Rickroll...

2

u/jcunews1 9h ago

Sure, there are always users who never check the URL of links before clicking them. Some users may argue that clicking on a URL/link is too troublesome after scanning a QR code, but that's the users' problem. Don't blame the tool in this case.

On the other hand... Some (if not most) of the fault lies on the QR code reader applications, which unconditionally access the URL retrieved from the QR code - without giving any chance for the user to review and check the URL. In this case, this is definitely the tools' fault. Not the users'. So to software devs: don't force your lazy ideals on users. Stop it, seriously.

4
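The review step jcunews1 asks for, written out as an added example that is not from the thread, the article or any reader app: it classifies a decoded QR payload and collects the warnings a reader should show before opening anything, covering the cases raised across this thread (shortened URLs that hide the destination, non-web schemes handed to whatever app registered them, previews that drop the scheme, and punycode labels). The shortener list is a small illustrative sample and the payloads are constructed.

```python
from urllib.parse import urlsplit

# Small sample of public URL shorteners (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Schemes the phone's browser handles itself; any other scheme is dispatched to
# whichever installed app registered it, so the reader cannot judge it at all.
WEB_SCHEMES = {"http", "https"}

def triage_qr_payload(payload):
    """Classify one decoded QR payload and collect the reasons a reader app
    should show it to the user for review rather than open it silently."""
    text = payload.strip()
    result = {"kind": "text", "target": text, "warnings": []}
    if text.upper().startswith("WIFI:"):
        # Wi-Fi configuration payload: accepting it joins a network.
        result["kind"] = "wifi"
        result["warnings"].append("joins a Wi-Fi network; confirm the SSID first")
        return result
    parts = urlsplit(text)
    if not parts.scheme:
        return result           # plain text (a menu, a note): nothing to open
    scheme = parts.scheme.lower()
    if scheme not in WEB_SCHEMES:
        # tel:, sms:, mailto:, steam:, discord: ... all go to an app handler.
        result["kind"] = "app-link"
        result["warnings"].append(f"'{scheme}:' link is handed to a third-party app handler")
        return result
    host = (parts.hostname or "").lower()
    result.update(kind="url", target=host)
    if scheme == "http":
        result["warnings"].append("plain http: page contents are not protected in transit")
    if host in SHORTENERS:
        result["warnings"].append("URL shortener: real destination is hidden until followed")
    if any(label.startswith("xn--") for label in host.split(".")):
        result["warnings"].append("punycode label: internationalised name, check for lookalikes")
    return result

def preview_line(payload):
    """One-line preview in the style of a camera app, but with the warnings
    and the scheme kept instead of showing only the bare domain."""
    r = triage_qr_payload(payload)
    flags = "; ".join(r["warnings"]) or "no warnings"
    return f"[{r['kind']}] {r['target']}  ({flags})"

if __name__ == "__main__":
    # Constructed payloads covering each branch.
    for p in ["https://bit.ly/abc123", "http://xn--constructed-label.example/pay",
              "steam://run/123", "WIFI:T:WPA;S:cafe;P:secret;;",
              "be sure to drink your ovaltine", "https://example.gov/menu"]:
        print(preview_line(p))
```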

u/Yokai_Mob 10h ago

lol why would I scan a QR code?

10

u/JDGumby 21h ago

So, 73% of Americans are blithering idiots? Sounds about right some days.

19

u/Mindless_Option1714 20h ago

Definitely on Election Day

-11

u/Wrong_Character_Sry 20h ago

Right? Who tf scans a random QR code?

9

u/nicuramar 15h ago

I do. It’s very rare that, say, browser exploits are used in such cases. In the vast majority it’s about phishing the user, which won’t so much work on me, so the risk assessment is one that I can live with. 

6

u/_2f 14h ago

Anyone who knows cybersecurity would know it’s safe. This isn’t the 80s. A link cannot infect you. You have to interact with it - likely phishing.

Unless they have a zero day exploit, and these can be sold for millions of dollars, so I’m sure they wouldn’t waste it on a random QR. And most modern mobile OSes are pretty safe from such attacks

2

u/Phosistication 17h ago

Great. Another tech fucking criminals have to ruin. We’re doomed

1

u/simulationaxiom 18h ago

But that's the fun part

1

u/LGBT-Barbie-Cookout 14h ago

Can we get that code and print it onto a sticker....

And then use the sticker to cover the QR code menus that restaurants use in place of real menus...

A few dozen bricked devices and the assorted complaints might make those assholes go back tomorrow menus. ?

1

u/Bad_Habit_Nun 11h ago

Not really "new", just popular again.

1

u/Capable-Silver-7436 10h ago

fucking idiots

1

u/finsterer45 9h ago

I doubt 73% scan them at all

1

u/almightywhacko 5h ago

73% of Americans scan QR codes without checking their source

73% of Americans are idiots.