QR-jacking is the act of covering up a QR code and replacing it with an alternative – often malicious – code.
Your carefully crafted code could be replaced by one which…
- Points to a rival’s site.
- Calls a premium rate phone number.
- Redirects the user to a site which EXPOSES THE TRUTH BEHIND…
- Goes to a non-legitimate site which asks for credit card / personal details.
- Downloads a virus or other form of malicious content.
In the above image, it should be fairly obvious to anyone that the QR code has been replaced.
Combating QR Hijacking
There are some practical actions you can take to make sure that your code isn’t hijacked.
- Say where your code will go. In your call to action, say something like “Scan for our mobile site”. That way, it should be obvious that a code which tries to call a premium rate number is fraudulent.
- Don’t use short URLs. How can a customer tell if bit.ly/CYRWP goes to your site or to a rival’s? Always use your domain name in your QR codes.
- Place a logo in your QR codes. It’s not foolproof, but it means the hijacker has to work harder to look legitimate.
- Use a light background colour for your code. It will mean the hijacker has to print on more expensive coloured paper and it is less likely to look like a seamless replacement.
- Track down hijackers. If your code is being redirected, try to track down those responsible.
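One way to check your own deployed codes against the advice above, as an added example that is not part of the original post: scan each printed code with any decoder and pass the decoded text to a check like this one, which flags phone-number payloads, short URLs and hosts outside your domain. The domain `example.com`, the shortener list and the sample payloads are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: the brand's own domain and a small,
# non-exhaustive set of URL-shortener hosts.
EXPECTED_DOMAIN = "example.com"
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
# Schemes that make the phone place a call or send a message.
PHONE_SCHEMES = {"tel", "sms", "smsto", "mms"}


def audit_qr_payload(payload, expected_domain=EXPECTED_DOMAIN):
    """Return (verdict, reason) for the decoded text of a scanned QR code."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        if not parts.scheme:
            # Scanners commonly open bare "host/path" text as a web link.
            parts = urlsplit("http://" + text)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspect", "payload is not a parseable URL"
    scheme = parts.scheme.lower()
    if scheme in PHONE_SCHEMES:
        return "suspect", "starts a call or text message, not a site visit"
    if scheme not in {"http", "https"}:
        return "suspect", "not a web link"
    # hostname ignores any "user@" prefix, so the real destination is judged.
    if host in SHORTENER_HOSTS:
        return "suspect", "short URL hides the destination"
    # Accept the domain itself or a true subdomain only.
    if host != expected_domain and not host.endswith("." + expected_domain):
        return "suspect", "host %r is not under %s" % (host, expected_domain)
    return "ok", "points to " + host


# Constructed sample payloads, as a decoder might return them.
SAMPLES = [
    "https://m.example.com/menu",
    "bit.ly/CYRWP",
    "tel:+449000000000",
    "https://example.com@other.test/login",
    "https://example.com.other.test/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_qr_payload(s))
```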
Finding Joachim Schmid
I am fairly confident that the above inept defacement was by Joachim Schmid.
The above photo was taken at Olympia in London. The same defacement is recorded on the Nine Errors blog, which appears to be run by Schmid.
The photo on the Nine Errors blog was taken on November the 18th, according to the EXIF data.
Schmid was presenting his work at Olympia on November 18th.
Want some bespoke QR advice? Give me a call.