Scammers have realized that people are pretty lax about scanning QR codes and going to the linked location, even when it might lead to something NSFW or even malware. The latter’s now known as quishing (QR code + phishing). Should you stop using QR codes? Nope, here’s how to see where you’ll go before you tap…
The history of the Internet has been both marvelous and depressing; a limitless range of human knowledge, access to billions of people, and all the worst tendencies of these same people amplified a thousand-fold. Fifty years ago you might encounter a suspicious classified ad in the paper or a scammer at the local pub, but modern tools make these villains far more productive and effective. Sprinkle in some AI and we’re in an era where you really need to confirm everything before you proceed, whether it’s a phone call, text message, email, or just a sticker on the wall at a concert or sporting event.
One of the most insidious of these scams is quishing, a new word to describe when malware is installed through a malicious QR code that you innocently scan. It might be a sticker at the bus stop offering free concert videos from Taylor Swift, a chance to sign up for free tickets to the local amusement park or even just a way to donate a few dollars to someone in need. In all cases, however, you are expected to just trust that the code will take you where you expect.
Quishing is when it doesn’t do that. You wouldn’t click on a link to “infectmycomputer.com” but if it’s masked as an innocent QR code, you might end up there before you even realize what’s happening. The solution: Either stop using all QR codes, which would be unfortunate, or learn how to decode one before you decide to tap on it.
PHOTOGRAPH A QR CODE, DON’T TAP ON IT
To demonstrate how you can do this, I’ve created a QR code that goes to somewhere completely unknown:
Do you trust this page? Are you going to scan it without further information about the destination? I hope not.
As all iPhone users know, if you point the camera at a QR code, it’ll show you a snippet of the destination URL as a tiny pop-up within the Camera app:
Bit.ly URLs are a definite red flag because their purpose is to mask the actual destination, so this might be sufficient information for you to make a don’t-proceed decision.
But where does this link lead? You can tap, in which case you’ll shortly be taken to YouTube, of all places:
Before it even loads, I’ve left the page. Who knows what strange and possibly offensive material might be suddenly streaming on my iPhone?
Instead of tapping on the yellow pop-up, take a photo of the QR code in the Camera app.
SCANNING A PHOTO FOR A QR CODE
Turns out that the Photos app on the iPhone – like the Android version from Google – has a lot of smarts. Bring up a photo with a QR code and you can see all sorts of information about it:
There’s also that pop-up menu, but if you tap and hold on the QR code itself, you’ll get a different menu:
Choose “Copy Link”. That’s the Bit.ly link, but where does it point?
DECODING A BITLY LINK
There’s a help page on the Bit.ly site that lets you safely decode a link: support.bitly.com/hc/en-us/p/link-checker
Here’s what I see when I go there:
Since you have the URL in your copy/paste buffer, you can also use a slick shortcut: Paste it into the browser address bar then append a “+” symbol which will automatically bring you to this decode page. Handy to know!
When I paste in the link here, the resultant information reveals the QR code’s YouTube link:
Yes, it was me trying to rickroll you, but now you know and can sidestep the earworm music video from Rick Astley. Imagine instead if it were malware, though. Wouldn’t you rather identify that it’s not going to the charity site, the Swiftie fan club area, or similar before you encountered the problem?
Finally, I’ll note that if you really want to see the full destination URL, simply keep reducing the font size until the entire URL is displayed:
Remember, you can capture that screen as a screenshot and then zoom in with the Photos app if you want.
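The same look-before-you-tap check can be scripted for any shortener, not just Bit.ly. The sketch below is an added example, not something from the original article: it asks each hop for its headers only and records where the redirect points, without loading or rendering any page. The shortener list, the `expand` and `red_flags` names, and the sample URLs are all assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample list, extend as needed
REDIRECTS = {301, 302, 303, 307, 308}

def head_location(url, timeout=5):
    """One HEAD request, redirects NOT followed: returns (status, Location header)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_location, max_hops=5):
    """Return every URL in the redirect chain. Headers only; nothing is rendered."""
    chain = [url]
    for _ in range(max_hops):
        if urlsplit(chain[-1]).scheme not in ("http", "https"):
            break                           # e.g. an app link: report it, don't fetch it
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            break                           # no further redirect: final destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            break                           # redirect loop
        chain.append(nxt)
    return chain

def red_flags(chain):
    """Reasons to distrust the link, judged from the chain alone."""
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    flags = []
    if first.hostname in SHORTENERS:
        flags.append("shortener hides the destination")
    if last.scheme != "https":
        flags.append("final URL is not https")
    if len(chain) > 2:
        flags.append("more than one redirect")
    return flags

if __name__ == "__main__":
    # Constructed redirect table standing in for the network, so the demo runs offline.
    fake = {"https://bit.ly/EXAMPLE": (301, "http://video.example/watch?v=CONSTRUCTED")}
    chain = expand("https://bit.ly/EXAMPLE", head=lambda u: fake.get(u, (200, None)))
    print(" -> ".join(chain), red_flags(chain))
```

With the default `head_location`, every hop in the chain, including the final site, receives one HEAD request from your IP address, so run it from a machine you are comfortable exposing.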
Now you know how to decode and expand QR codes and their potential bitly (and similar) links. If you’re ever at all suspicious of a QR code, use this technique to confirm it’s safe. ’cause you never wanna give QR up, right? 🙂
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting for more informative articles on how to stay safe online. Thanks!