Chief Marketing Officer / Marketing Consultant at maksymzakharko.com
Answered 2 months ago
Yes, when handled with proper compliance, it can be safe. In our SMS work, we adapted our programs to 10DLC and GDPR requirements, which put consent and data protection at the center. That same discipline applies to using QR codes in texts, since the link is simply another call to action. The reason is that clear opt-in and compliant sender practices reduce the chance of misuse and help customers trust the message.
There are valid arguments suggesting that when a text message (QR code) has strong evidence of the trustworthiness of its source, delivering the code via SMS will provide the highest level of protection for the recipient, as the authentication method is tied to the phone number used to send the code (the phone number is generally much more resistant to being hacked than an email address), and people are generally familiar with receiving transactional messages via SMS. The protection afforded by the QR code largely depends on how it is executed. Companies need to ensure that their QR codes resolve to relatively short web addresses that are easy for users to read and comprehend, that do not link the recipient to a redirect page, and that send the recipient to the specific action/response that the user is expecting to take (for example, "confirm my appointment" vs. "log me in"). With this type of transparency, and by allowing the recipient to easily identify both the sender and the destination, QR codes can be an extremely low-friction and low-risk way to conduct business transactions.
I've spent the last 20 years constructing contact flow for customers so I am wary of text-message QR codes. While they are safe from a technology perspective, they are risky from an operational standpoint. Because users do not see the destination (or contents) of the message until their SMS application launches, they are unknowingly developing a habit of using a behaviour that is exploited by scammers. This erodes the trust between businesses and customers. I would recommend using text-message QR codes for business purposes only in controlled environments that have visible signs that clearly define what will happen if the QR code is scanned. Transparency will build trust more than convenience.
The use of a text-message QR code for business purposes also presents a risk, should it be compromised in any way related to 'quishing.' Quishing is an extension of phishing where a malicious QR code points to a fraudulent website - unlike a hyperlink in an email, a QR code in an SMS message rarely lets the user see the destination URL before their browser is opened automatically. An attacker can easily send a spoofed text message with a QR code pointing to a bogus login page to collect credentials or to a site that starts a malware download. From a system design perspective, this subverts most filters for lines of utility within the system and leaves all the security work to the end user, demanding that their skill is to be able to instantly recognize a fraudulent text; an impossible task really.
Sure, but only if they tread carefully. Text-message QR codes are safe for business, unless the QR resolves to some raw SMS send, and the user gets dumped into a text thread directed by that SMS. It's the open-ended nature of texting that makes it easy to spoof and phish. The safest behavioral design pattern is QR - secure page - explicit opt-in to text. That gives users context and consent, while insulating the business behind an inviting no-phishing slam-up. When businesses shortcut that step, trust drains away. When they don't, response rates are higher, and complaints are lower.
QR codes are safe but they need a controlled environment, thus only conditionally safe - the QR code itself is not what presents the danger. Users cannot determine where it will go until they tap it. We've seen how quickly phishing has become a reality because QR codes generate a prefilled SMS (text message) or link (hyperlink) that looks trustworthy, especially on mobile devices. For companies, the only solution to this problem is to use QR codes to go to a different (landing) page; it should always go to a landing page that is branded (has the company's name on it) and is hosted on an HTTPS (secure) server. Consumers need to understand that they are going to interact with a specific brand when they scan the QR code; this builds confidence. Without branding, consumers will be unsure and might abuse the QR code. QR codes should not be a trigger to act, but rather an entry way to act.
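Several answers above converge on the same destination policy for a business QR code: a short, readable HTTPS address on a branded domain, no redirect page, and no raw "send this text" payload that drops the recipient into an open-ended thread (the QR - secure page - explicit opt-in pattern). The following is an added example, not code from any answer in this thread, showing how a campaign team could turn that policy into a pre-flight check run over a QR payload before it is printed or sent. The brand allow-list (`example-brand.com`), the redirect parameter names, the 80-character length bound and the opaque-token rule are all constructed assumptions; adjust them to the brand's own hosts and house style.

```python
"""QR destination pre-flight linter (added example; not code from any answer above).

Turns the thread's advice into checks run over the payload a QR code will carry:
  * HTTPS only, on a branded host the recipient can recognise
  * a short, readable address with no opaque tracking token in the path
  * no redirect page (no forwarding parameter in the query string)
  * no raw sms:/SMSTO:/tel: payload that opens a text thread or dialer directly
The allow-list, parameter names and thresholds are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of the brand's own landing-page hosts (placeholder domain).
BRAND_HOSTS = {"example-brand.com", "www.example-brand.com"}

# Query keys that conventionally carry a forwarding destination (assumed list).
REDIRECT_KEYS = {"url", "redirect", "redirect_uri", "next", "goto", "return", "dest", "target"}

# Schemes that hand the recipient an open-ended message or call instead of a page.
MESSAGING_SCHEMES = {"sms", "smsto", "mms", "mmsto", "tel"}

MAX_URL_LENGTH = 80                                  # assumed bound for a readable address
OPAQUE_SEGMENT = re.compile(r"[A-Za-z0-9_]{25,}")    # long token with no word breaks


def lint_qr_payload(payload: str) -> list[str]:
    """Return 'CODE: explanation' findings; an empty list means the payload passes."""
    findings: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme in MESSAGING_SCHEMES:
        findings.append(f"RAW_MESSAGE: '{scheme}:' payload opens a text thread or dialer "
                        "directly; route through a branded HTTPS page with explicit opt-in")
        return findings  # nothing else to check on a non-web payload

    if scheme != "https":
        findings.append(f"SCHEME: expected https, got '{scheme or '(none)'}'")

    # user@host syntax puts a familiar-looking name in front of the real host
    if parts.username is not None or parts.password is not None:
        findings.append("USERINFO: credentials before '@' hide the real host from the reader")

    host = parts.hostname
    if host is None:
        findings.append("HOST: no host present")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append(f"HOST: raw IP address {host} is not a recognisable brand")
        except ValueError:
            if host not in BRAND_HOSTS:
                findings.append(f"HOST: {host} is not on the brand allow-list")

    # A redirect page defeats the "reader can see where they are going" goal.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_KEYS or any(
            v.lower().startswith(("http://", "https://")) for v in values
        ):
            findings.append(f"REDIRECT: query parameter '{key}' forwards the reader elsewhere")

    if len(payload) > MAX_URL_LENGTH:
        findings.append(f"LENGTH: {len(payload)} characters is too long to read and verify")

    if OPAQUE_SEGMENT.search(parts.path):
        findings.append("OPAQUE: path contains a long token the reader cannot interpret")

    return findings


def finding_codes(payload: str) -> set[str]:
    """Just the CODE part of each finding, handy for policy decisions and tests."""
    return {f.split(":", 1)[0] for f in lint_qr_payload(payload)}


def is_safe_destination(payload: str) -> bool:
    """True only when the payload raises no findings at all."""
    return not lint_qr_payload(payload)


if __name__ == "__main__":
    # Constructed sample payloads a campaign reviewer might be handed.
    samples = [
        "https://www.example-brand.com/confirm-appointment",
        "http://www.example-brand.com/confirm-appointment",
        "https://www.example-brand.com/go?url=https://evil.example/login",
        "SMSTO:+15551234567:JOIN",
        "https://example-brand.com@203.0.113.5/verify",
    ]
    for sample in samples:
        print(sample)
        for finding in lint_qr_payload(sample) or ["PASS"]:
            print("   ", finding)
```

The check deliberately stops at the destination string: it does not follow the link, so it can run in a build pipeline without network access, and it treats any forwarding parameter or raw messaging scheme as a hard failure rather than a warning, matching the answers' point that the reader should land on a branded page where consent is collected explicitly rather than in an open text thread.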
I believe text message QR codes can be safe for business use when they are clearly branded and sent only to people who expect them. The biggest risk is trust. When recipients recognize me as the sender and understand the purpose, QR codes feel convenient instead of suspicious.