
Quick Response Codes in a COVID-19 Environment

Introduction

Quick Response (QR) codes have increased in popularity in the COVID-19 environment, aiding contact tracing and business check-in efforts. This publication provides information for individuals and businesses to help protect against cyber threats when using QR codes.

Quick Response codes

What are Quick Response codes?

QR codes are similar to barcodes. They contain information that can be read by the camera or another app on your smartphone, triggering your smartphone to perform an action such as:

  • visiting a website
  • installing an app
  • joining a Wi-Fi network
  • adding someone’s details to your contact list
  • dialling a specified phone number
  • sending an SMS/text message or an email to a specified recipient.

How are Quick Response codes being used in the COVID-19 environment?

QR codes are used for check-in at businesses to provide a quick way to collect customer contact details required by State and Territory governments for contact tracing, and are a contactless alternative to pen and paper.

Some businesses also display QR codes that direct customers to a website containing information such as the menu to avoid the need to sanitise printed copies between customers.

What are the risks of using Quick Response codes?

Scanning a QR code that directs you to a non-government website requesting your name, phone number and email address could result in your personal contact information being used for marketing or criminal purposes. Additionally, it is quick and easy for criminals to generate QR codes as part of attempts to obtain your personal information, usually by causing your smartphone to visit a harmful website, install a malicious app or join an untrustworthy Wi-Fi network.

In contrast, the risk is relatively lower when you use an app developed by a State or Territory government to scan a QR code, provided:

  • the app ignores QR codes that could result in your smartphone performing the actions previously listed
  • your contact details are provided to the State or Territory government, not to the business
  • details of your check-ins are deleted after a limited time period such as 28 days.
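
The first condition above, sketched as an added example (not code from this publication or from any government check-in app): a decoded QR payload is classified by the action a general-purpose scanner would take, and everything except an HTTPS check-in link on a trusted host is ignored. The host checkin.example.gov.au, the function names and the sample payloads are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the only host this example check-in app trusts.
ALLOWED_CHECKIN_HOSTS = {"checkin.example.gov.au"}

# Widely used QR payload prefixes, mapped to the action a general-purpose
# scanner would offer (the actions listed earlier in this publication).
ACTION_PREFIXES = [
    ("wifi:", "join_wifi"),
    ("tel:", "dial_number"),
    ("sms:", "send_sms"),
    ("smsto:", "send_sms"),
    ("mailto:", "send_email"),
    ("mecard:", "add_contact"),
    ("begin:vcard", "add_contact"),
    ("market:", "install_app"),
]

def classify(payload: str) -> str:
    """Name the action a decoded QR payload would trigger."""
    text = payload.strip().lower()
    for prefix, action in ACTION_PREFIXES:
        if text.startswith(prefix):
            return action
    if text.startswith(("http://", "https://")):
        return "visit_website"
    return "unknown"

def checkin_decision(payload: str) -> tuple[bool, str]:
    """Accept only HTTPS check-in links on an allow-listed host."""
    action = classify(payload)
    if action != "visit_website":
        return False, f"ignored: {action}"
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return False, "ignored: malformed URL"
    if url.scheme != "https":
        return False, "ignored: not HTTPS"
    if url.username or url.password:  # trusted name placed before '@'
        return False, "ignored: credentials in URL"
    if url.hostname not in ALLOWED_CHECKIN_HOSTS:
        return False, f"ignored: untrusted host {url.hostname}"
    return True, "accepted: check-in"

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real QR codes.
    for p in ("https://checkin.example.gov.au/v?id=1", "WIFI:T:WPA;S:Guest;P:x;;", "tel:+61000000000"):
        print(p, "->", checkin_decision(p))
```

The host is compared as an exact match after URL parsing, so a payload that only contains the trusted name somewhere in the string (as a prefix of a longer host, or before an '@') is still ignored.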

Using Quick Response codes

Use your government-provided check-in app to scan the QR code. If the business hasn’t signed up to their government-provided check-in process, ask the business why not.

If the business hasn’t signed up to use government-provided check-in apps or if you want to scan a QR code to view a restaurant’s menu:

  • only scan QR codes located in prominent positions in the business, to reduce the likelihood of scanning malicious QR codes placed by someone other than their employees – if you’re in doubt, ask an employee
  • while scanning a QR code, look for prompts on your smartphone indicating actions that the QR code will perform
  • be ready to cancel or terminate an unwanted action triggered by scanning the QR code (for example, close your web browser if you are directed to an unknown website, or hang up if an unexpected phone call is initiated)
  • during check-in, ask the business for their privacy policy detailing how your personal contact information will be collected, stored, used and deleted
  • provide only the minimum amount of personal contact information required by the State or Territory government, such as your name and either your email address or phone number.

Further information

The Australian Cyber Security Centre’s step-by-step guides to turning on automatic updates for smartphone operating systems, and turning on multi-factor authentication, can help to mitigate the harm caused by scanning a malicious QR code.

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).
