How To Prevent QR Hijacking

@edent — Thu, 01 Dec 2011 16:25:51 +0000

QR-jacking is the act of covering up a QR code and replacing it with an alternative - often malicious - code.

Your carefully crafted code could be replaced by one which...

It's a real threat - thankfully it's usually easy to spot. Especially in this case...

In the above image, it should be fairly obvious to anyone that the QR code has been replaced.

Combating QR Hijacking

There are some practical actions you can take to make sure that your code isn't hijacked.

Say where your code will go. In your call to action say something like "Scan for our mobile site" that way, it should be obvious that a code which tries to call a premium rate number is fraudulent.
Don't use short URLs. How can a customer tell if bit.ly/CYRWP goes to your site or to a rivals? Always use your domain name in your QR codes.
Place a logo in your QR codes. It's not foolproof, but it means the hijacker has to work harder to look legitimate.
Use a light background colour for your code. It will mean the hijacker has to print on more expensive coloured paper and it is less likely to look like a seamless replacement.
Track down hijackers. If a your code is being redirected, try to track down those responsible.

I am fairly confident that the above inept defacement was by Joachim Schmid.

The above photo was taken at Olympia in London. The same defacement is recorded on the Nine Errors blog, which appears to be run by Schmid.
The photo on the Nine Errors blog was taken on November the 18th, according to the EXIF data.
Schmid was presenting his work at Olympia on November 18th.

The Nine Errors project is a slightly odd attempt by Joachim Schmid to "intervene" and redirect QR codes to error pages.

Want some bespoke QR advice? Give me a call.