QR Codes: To Scan or Not to Scan
Scanning a QR code has become second nature, right? They're a quick way to jump to a website or service anywhere you go. On the University of Surrey campus, we use them on posters, in lectures, and at events to connect you to what you need. But not every QR code is what it seems, so it’s important to know what to look for to keep safe!
How to Scan QR Codes Safely
- Verify the source: It's safest to only scan QR codes from sources you know and trust. Be wary of codes posted in unexpected or questionable places.
  Trusted: University of Surrey posters, TVs, lecture slides
  Be wary: Unverified flyers, emails from unknown senders
- Check the destination link: Always check the destination URL before you tap. If the name is misspelled or the domain extension seems off, do not proceed.
  Genuine: surrey.ac.uk, surreyunion.org
  Suspicious: surrey-ac.uk, surreyuni0n.org
- Manage app permissions: Only allow the permissions required for the scanning function to work. Be cautious if it requests other permissions that seem unrelated.
  Expected: Camera
  Unrelated: Contacts, Phone, SMS
- Protect any sensitive information: Avoid entering login details, payment information, or other sensitive data on a site from a QR code unless you're 100% sure it's legitimate. If you've verified the source and URL, then you're good to go.
- Check for tampering: Make sure the QR code hasn't been overlaid or tampered with before scanning.
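The "check the destination link" step can also be automated, for example in a mail filter or a scanner app. This added example (not University of Surrey code) classifies a URL decoded from a QR code against the two genuine domains named above; the function names and the digit-swap table are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Genuine domains taken from the examples in the list above.
TRUSTED = ("surrey.ac.uk", "surreyunion.org")
# Digit-for-letter swaps often seen in lookalike names (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(name: str) -> str:
    """Collapse a hostname so visually similar spellings compare equal."""
    return name.translate(SWAPS).replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL decoded from a QR code."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    # Use the parsed hostname, never a substring of the raw URL.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact match, or a real subdomain of a trusted domain.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    labels = host.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for d in TRUSTED:
        # Trusted name buried inside a longer, different host.
        if d in host:
            return "lookalike"
        # Hyphen-for-dot, digit swaps or a single typo in the trailing labels.
        if any(edit_distance(skeleton(s), skeleton(d)) <= 1 for s in suffixes):
            return "lookalike"
    return "unknown"
```

Only a `trusted` result should be opened without further checking; `unknown` means the domain is simply not on the list, not that it is safe.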
So, what's the real risk? Fake QR codes can be used to send you to imitation websites, silently download malware onto your phone, or steal your personal information. The tricky part is that these fake codes often look identical to real ones, making it easy to miss if you're not paying attention.
Even physical QR codes can be tampered with! Scammers can place a deceptive sticker over a legitimate code on a poster, menu, or even a parking payment banner. That's why it's always essential to take a second and physically inspect the QR code for any signs of an overlay or tampering before you scan.
QR codes have also become a popular tool for phishing scams. Scammers use them to trick you into giving up sensitive information like passwords or bank details. A normal-looking QR code in an email or on a poster can take you to a fake login page that looks almost identical to a real one, making it hard to tell the difference. These scams aren't just digital. Attackers often place QR codes in busy areas, using tempting offers like "free WiFi", "win a prize", or "exclusive discount" to get people to scan. Sometimes, they'll even leave a QR code with no explanation at all, hoping curiosity will get the better of you. One quick scan can lead to you unknowingly handing over personal details or getting caught up in fraudulent activity.
Learn more: https://www.ncsc.gov.uk/blog-post/qr-codes-whats-real-risk
Cyber Awareness Month, Surrey's ACE-CSE, and WiCyS
October is Cyber Awareness Month, and as part of this initiative, the Academic Centre of Excellence in Cyber Security Education (ACE-CSE), alongside colleagues from the School of Computer Science and Electronic Engineering and the Cyber Security team, is raising awareness, promoting good cyber security practice, and highlighting career opportunities in the field of cyber security.
The University of Surrey is one of only nine institutions in the UK that are recognised both as an Academic Centre of Excellence in Cyber Security Education (ACE-CSE) by the National Cyber Security Centre (NCSC) and as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR).
As the University of Surrey's Gold-level ACE-CSE, we are a collaborative, university-wide virtual institute that provides tailored cyber security education and training to students, staff, and the public. We extend this tailored approach through a wide outreach, offering specialised programs for diverse academic disciplines, ISO27001-certified training, teaching staff how to build a robust framework for protecting sensitive data, and engaging with industry, government, and the public via events like the NCSC's CyberFirst initiative. Beyond the educational programs, at ACE-CSE, we undertake research projects in pedagogic aspects of cyber security education and matters related to it. This is exemplified by projects that develop specialised training for vulnerable groups like older adults, and that study the psychological and educational impact of gamified cyber security training on students.
We work closely with student-led societies, centred around cyber security, such as the Women in CyberSecurity (WiCyS) society. Women in Cybersecurity is a global movement that empowers women to thrive, lead, and innovate in the cyber security field. With a mission rooted in mentorship, collaboration, and opportunity, WiCyS builds bridges between education and industry worldwide. At the University of Surrey, our Student Chapter carries this vision forward by creating a vibrant community where students can learn, connect, and grow together. We are committed to fostering technical excellence and professional confidence through workshops, networking, and hands-on experiences. Beyond skills, we focus on building resilience, inclusivity, and leadership for the next generation of cyber security professionals. By working with our Students' Union and wider networks, we ensure that every member feels supported to achieve their potential and to shape a stronger, more diverse future in technology.
Contact us!
ACE-CSE: acecse@surrey.ac.uk
WiCyS: ussu.wicys@surrey.ac.uk