You may have noticed that we are firmly in the age of the QR code — every restaurant, state agency, and shop you interact with has a QR code prominently displayed. The technology is one of convenience, taking us to information we want quickly and directly, while hiding the actual destination until we have arrived. That means that what QR codes and URL shorteners offer in terms of convenience costs us in terms of security. So how do you know if a QR code or short URL is safe to use?
Trust no one
First of all, never assume a short URL or a QR code is legit — always assume it isn’t. They are easy to generate, and bad QR code stickers can be easily applied over a legitimate QR code in a restaurant, for example. So even though you think you’re opening the beer list for your favourite brewery, you might be taken to a phishing scam or other harmful site. It’s so easy to fake a QR code in a public place that you should just assume they’re all fake.
Also, anyone can throw a short URL into an email, text, or other communication and you may have no way of knowing if it’s legit or not — so assume those are harmful, as well.
The safest thing to do when a business offers a short URL or QR code as a convenience is to go directly to their site manually. Yes, this defeats the purpose of these tools entirely, but it is the only way to ensure your phone or other device isn’t hijacked.
If the QR code or short URL is supposed to take you to a website you can’t simply navigate to on your browser, ask the business to give you a fresh menu or another document with the code or URL on it. This at least minimizes the possibility that the code you’re about to scan has been compromised.
Get a scanner
Another option is to add some security. You can replace your stock QR code scanner with a more secure version that will check the URL you’re being directed to and give you the opportunity to skip it or proceed. Some phone operating systems have this feature baked into their stock QR code scanner, so you might already have this protection.
For short URLs, you have some options. If the URL was generated by Bitly, you can simply add a plus sign (“+”) to the URL and Bitly will display a preview. Another popular URL shortener, TinyURL, offers a similar preview feature — just place “preview” in front of the shortened URL. You can also paste the short URL into a site like Unshorten.it to see where it wants to take you before you commit.
It’s a fact of life that convenience often affects security, and we live in a world where compromising our phone is sort of like leaving our house unlocked with the door wide open. A few extra seconds of due diligence when it comes to short URLs and QR codes can save you a lot of grief.