Data Threat: Don’t Automatically Scan That QR Code – Presented by Mark K. Lund, Financial Advisor in Utah

You’ve just been seated at a restaurant and while you’re waiting for your server, you see a little sticker on the tabletop that says, “Scan me for today’s lunch specials.” It would be great to save a few bucks. So you pull out your phone and point the camera at the little square.

What could go wrong?

According to mobile security experts, plenty.

Even if you’re not familiar with the term QR code, you’ve certainly seen lots of them. They’re the square, maze-like graphics that businesses put at the bottom of ads, in-store signs, and (especially after COVID) on restaurant tables. Businesses invite you to scan the code with your phone (camera apps now read them automatically) to access additional information or special offers.

Short for “quick response code,” QR codes are a type of two-dimensional barcode. Where a traditional barcode, like you’d see on a grocery item, is limited to 43 characters of information, a QR code can store up to 2,500. For comparison, that’s one short sentence versus five pages of text. [1]

While QR codes can contain any kind of information — they were developed for inventory tracking — businesses use them to direct your phone’s web browser to a URL or to the app store to install an app. Both legitimate uses.

But here’s why they can be dangerous. The automatic nature of the QR code means you can’t tell ahead of time what kind of site it’s sending your phone to. While mobile phones (and especially iPhones) are largely immune from typical computer viruses, they are still subject to danger from other kinds of malicious code. For example, according to online security firm Kaspersky, mobile web browsers have multiple vulnerabilities that can be exploited. [2]

But according to Len Noe of information security firm CyberArk, malware isn’t necessarily the greatest risk with using QR codes. It’s simply that you don’t know where the link is taking you. It might lead to a legitimate-looking website that fools you into entering sensitive information.

Think of the QR code as a web link. You probably wouldn’t click on a link in an email from an unknown sender. In the same way, you don’t know who actually placed that QR code you’re seeing out in public.

Noe says that it’s quite easy for a “threat actor” to place a sticker with a malicious QR code over the top of a legitimate one. His advice for when you see a QR code: Don’t automatically scan it. Look for signs of tampering. And never download apps or make payments from a QR code you see in a public place.

QR codes can be legitimately useful when you’re sure of their source, such as on a statement from your utility company. But when you can’t be sure of the source, be sure to proceed with caution to help protect yourself from identity and financial fraud.


Mark Lund
Stonecreek Wealth Advisors, Inc., A Financial Advisor in Utah
11576 S State Street, Bldg. 1002
Draper, UT 84020


This material was prepared by Efficient Advisors, LLC (“EA”) for Mark Lund.