QR code use policy

About QR Codes

When used appropriately, QR codes may be useful for marketing events or campaigns. However, there is opportunity for misuse or cyber attacks if QR codes are not used carefully at the Lab. 

QR codes help mask the website to which they redirect users, and users must be aware of the ways bad actors exploit this:

• Social engineering or phishing attacks: Clicking on a malicious link is not much different to scanning a malicious QR code leading to the same link. Bad actors may try to trick unassuming users into visiting a malicious link by scanning a QR code they think is legitimate.
• Email QR code attacks: QR codes can be displayed in an email as part of a larger social engineering attack in an attempt to avoid email security protections. In general, users should be wary of scanning QR codes sent via email, particularly from an unknown source.
• QR code replacement attacks: A common method cybercriminals use to exploit QR codes is to replace legitimate QR codes with malicious ones. This may occur on a physical sign or poster containing a QR code (often in a well-frequented area). When a user scans the replacement QR code, they are directed to the attacker’s malicious website.
• Clickjacking using QR codes: Attackers may direct users to a legitimate-looking website via a QR code that contains actionable content in invisible frames, such as buttons that encourage visitors to click through. In most cases, they usually result in downloading malware or harvesting device and account details. This type of attack may be used in conjunction with other attacks mentioned above, such as making the QR code look legitimate through social engineering or by replacing official Lab QR codes.

QR Code Best Practices

For Lab Users

• Check the QR code for suspicious elements: Does the text or message around the code appear appropriate? Is there LBNL branding around and on the QR code? If on a physical sign, does it seem like the the sign has not been tampered with (e.g. a sticker placed on the QR code)? In general, does the QR code seem like it is legitimate? If you have any doubts, do not scan the QR code.
• Avoid using third-party applications to scan the QR code: Smartphones today come with a native QR code scanner within the camera app itself. Bad actors may try to convince users to use a malicious QR code scanner.
• Verify the URL or URI: When you scan a QR code with your smartphone’s camera, you’ll get a notification pop-up on the screen immediately after the camera’s QR code sensor captures the code. This notification shows at least part of the URL you’ll visit. Check the URL for malicious signs and only click through if the URL seems legitimate.
• Practice caution: Don’t enter login, personal, or financial information from a site navigated to from a QR code. Avoid making payments through a site navigated to from a QR code. If you need to do any of these things, manually enter a known and trusted URL rather than scanning a QR code.
• Do not download an app from a QR code: Attackers may try to convince you to download a malicious app using a QR code. Instead, use your phone’s app store to download the desired application. 

For Lab QR Code Creators

• Use Google to create QR codes: their instructions can be found here. (This generates a QR code with Chrome's branding - a dinosaur - in the middle. You can edit the QR code and cover the dinosaur and it will still work.)
• Must point to an lbl.gov link: If the final page is outside lbl.gov, then use the Lab Short Linking Service to create an lbl.gov link. 
• Incorporate Lab branding: Utilize Lab branding when using QR codes (e.g. on a poster, in an email) to make it clear that the QR code comes from a lab source
• Provide clear language on the poster/infographic next to the QR code telling viewers where the QR code will take them
• Provide the URL near the QR code as an alternative for scanning
• Ensure website traffic is encrypted: Make sure the website the QR code links to is TLS/SSL certified, valid, trusted, and encrypted.
• Use SSO/MFA for sites reached: When appropriate, ensure that the sites to which you are directing users incorporate Single Sign On and Multi-Factor Authentication, which will help combat some social engineering attacks against users.