
Your Next QR Code Scan May Take You To A Phony Site

QR codes offer speed and convenience, but without safeguards, they’re easy to exploit. From expired domains to tampered stickers, scams can slip in unnoticed.

By Hera Rizwan | 11 Jun 2025 2:50 PM IST

Subhransu Nath thought he was doing the right thing. After buying a new gaming mouse from electronics brand Portronics, he scanned the Quick Response (QR) code on the box to register his warranty. Instead of landing on the company's website, his phone opened a gambling site.

He wasn't alone. Across social media, other customers shared similar stories—some were redirected to adult websites, others to pages demanding random payments. What should have been a simple warranty registration turned into an uncomfortable surprise.

Portronics later acknowledged the issue and said it had been resolved. But the episode highlights a larger, and often underestimated, security concern: those innocent-looking square codes we scan every day might not always take us where we expect.

The Hidden Risk Behind the Square

QR codes are everywhere now. We scan them to pay at restaurants, check parking meters, and access product information. They've become so common that most of us don't think twice before pointing our cameras at them.

The automatic trust in these squares is exactly what makes them dangerous, says cybersecurity expert Ashish Jha. “Many people scan QR codes without verifying their source or previewing the URL—an automatic trust that hackers exploit. Once scanned, a malicious QR code can lead users to websites that install spyware, steal payment information, or trick them into making payments.”

The problem is simple: unlike a regular web link, you can't see where a QR code will take you until you've already scanned it. And by then, it might be too late.

These codes contain URLs or instructions that our mobile phones decode upon scanning. But since the actual URL behind a QR code isn’t visible to the naked eye, it’s easy for malicious actors to hijack or tamper with them.

These codes can be tampered with during the printing stage, where fake QR codes are inserted into packaging, or later in the supply chain, where stickers with malicious codes are pasted over genuine ones.

QR Code Tampering—From Stickers to DNS Hijacks

QR code tampering isn’t limited to physical manipulation. It can take multiple forms—both offline and online—and each poses a different kind of threat. Experts told Decode that these attacks often exploit gaps in packaging protocols or digital infrastructure, and can be difficult to detect at scale.

Security researcher Renganathan P explained that a common offline tactic involves placing a sticker with a fake QR code over the original. “Anyone can print a small square with a malicious code and stick it over the genuine one,” he said. “The issue is that you can’t tell the difference visually. Unlike web links, QR codes give you no preview.”

This seemingly low-tech method becomes especially dangerous when it occurs upstream in the supply chain. “If tampering happens before the packaging is sealed—say at a warehouse or vendor site—it can slip through quality checks and reach thousands of customers undetected. A single compromised batch could end up in the hands of a lakh users in one day,” he warned.

This type of attack, known as a supply chain compromise, is difficult to execute but potentially devastating.

“The feasibility depends on how strong the company’s SOPs are—things like secure printing, sealed packaging, and checks during distribution,” Renganathan added. “When those processes are weak or inconsistent, exploitation becomes easier.”

But tampering doesn’t always involve someone physically interfering with the packaging.

Cybersecurity expert Ashish Jha pointed out that QR codes are also vulnerable through purely digital means. Many companies use them to link to domains created for time-bound campaigns—like festival discounts or limited-time offers. These domains are often left to expire once the campaign ends, opening a backdoor for malicious actors.

“If a bad actor notices the domain is no longer in use, they can register it and redirect the original QR code to a malicious site. To the user, it still works—but now it takes them somewhere dangerous,” Jha explained. This is a classic case of DNS hijacking, where the domain name system behind the scenes is exploited.

A related risk is subdomain takeover, where attackers seize control of an inactive or poorly monitored subdomain that’s still linked to a trusted main website. “Even if the parent website is secure, subdomains often get overlooked,” Jha said. “From a user’s perspective, everything looks legit. But scanning that QR code can land them on a server the original company no longer manages.”
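The two digital risks described above can be checked from the brand's side with a periodic audit of every URL it has printed. The Python sketch below is an added example, not from the article or any company named in it; the hostnames, dates, registrar export and DNS snapshot are all constructed, and the two-label domain split is a simplifying assumption.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed inventory: each URL printed in a QR code, with the last date
# that packaging is expected to still be in customers' hands.
PRINTED_QR = [
    {"url": "https://warranty.example-brand.test/register", "in_circulation_until": date(2027, 6, 30)},
    {"url": "https://diwali-offer-2024.test/claim", "in_circulation_until": date(2026, 12, 31)},
    {"url": "https://promo.example-brand.test/win", "in_circulation_until": date(2026, 3, 31)},
]
# Constructed snapshot of a registrar export: registrable domain -> expiry date.
REGISTRATION_EXPIRY = {
    "example-brand.test": date(2030, 1, 15),
    "diwali-offer-2024.test": date(2025, 11, 1),
}
# Constructed DNS review: host -> (CNAME target, target still points at a resource we control?)
CNAMES = {"promo.example-brand.test": ("old-campaign.hosting-provider.test", False)}

def registrable_domain(host):
    # Assumption: last two labels. A real audit needs the Public Suffix List (e.g. for .co.in).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(printed, expiry, cnames, today):
    """Return (host, finding) pairs for printed QR targets that could be taken over."""
    findings = []
    for item in printed:
        host = urlsplit(item["url"]).hostname
        exp = expiry.get(registrable_domain(host))
        if exp is None:
            findings.append((host, "domain-not-in-registrar-export"))
        elif exp < today:
            findings.append((host, "registration-already-lapsed"))
        elif exp < item["in_circulation_until"]:
            # The printed code outlives the campaign: the domain must outlive the packaging.
            findings.append((host, "registration-ends-before-packaging-retires"))
        target = cnames.get(host)
        if target and not target[1]:
            # Subdomain still aliases a resource the company no longer manages.
            findings.append((host, "dangling-cname:" + target[0]))
    return findings

if __name__ == "__main__":
    for host, finding in audit(PRINTED_QR, REGISTRATION_EXPIRY, CNAMES, date(2025, 6, 11)):
        print(host, finding)
```

The comparison that matters is domain expiry against the packaging's circulation date, not against the campaign's end date.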

Can We Trust Our Phones?

When it comes to individual safety, Renganathan said today’s smartphones do offer basic protections. “Nothing happens without your knowledge. If I scan a QR code, I get a prompt—‘Do you want to open this link?’ or ‘Authenticate login?’—and I have to approve it. Phones won’t just debit money without any action from the user,” he said.

However, he acknowledged that physical tampering remains a risk—particularly with UPI or payment QR codes displayed in shops. Owners, he advised, should regularly verify that the code still belongs to them. “Scan it yourself. Check the name. A little vigilance helps,” he said.

Another rising concern is social engineering, where users are tricked into granting permissions they normally wouldn’t. For instance, a fake pop-up might mimic a bank login, prompting a user to ‘allow’ access. “The scam isn’t in the QR code itself but in how the attacker manipulates the person scanning it,” he said.

From a business standpoint, he said, the challenge is scalability. Ensuring that every product’s QR code is secure slows down distribution. “If you’re shipping from Delhi to Chennai and you add a day to verify lakhs of codes, it could cost crores,” Renganathan said. While enterprise-grade QR scanning solutions exist, he added, they are expensive and hard to implement without disrupting logistics.

“Businesses will always optimise for speed and cost. So unless security is built into those priorities, it often gets sidelined,” he said.

How To Stay Safe From QR Code Scams?

Jha offered a few practical ways to stay safe while using QR codes. He pointed out that users with some tech awareness can often spot a phishing attempt. “If you’re being redirected through multiple URLs before landing on a site, that’s a red flag,” he said. Tools like VirusTotal or mobile antivirus apps can also help detect if a link is malicious. “They let you check the integrity of a URL before opening it.”

Speaking about his own company’s approach, Jha said they embed their logo into the QR code and ensure that scans lead only to their official website. “Our QR codes link to tutorial videos, and we never redirect users to third-party sites. That lowers the chances of spoofing,” he explained.

He also advised against using shortened URLs in QR codes, especially for long-term campaigns. “Shortened links are redirect-based and can be hijacked. If you must use them for short periods, make sure they expire after the campaign ends,” he said.
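The red flags Jha lists (multiple redirects, shortened links, landing on a third-party site) can be expressed as a small check over the chain of URLs a scan passes through. This Python sketch is an added example, not code from the article or from Jha's company; the brand domain and both sample chains are constructed, and the one-redirect threshold is an assumption.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few well-known shorteners; extend as needed

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_brand(host, brand_domain):
    # Exact match or a true subdomain. A bare suffix test would wrongly accept
    # look-alikes such as "evil-example-brand.test".
    return host == brand_domain or host.endswith("." + brand_domain)

def review_chain(hops, brand_domain, max_redirects=1):
    """hops: the URL decoded from the QR code, then each redirect target, in order."""
    flags = []
    if len(hops) - 1 > max_redirects:
        flags.append("multiple-redirects")
    if any(host_of(h) in SHORTENERS for h in hops):
        flags.append("uses-shortener")
    if any(urlsplit(h).scheme != "https" for h in hops):
        flags.append("non-https-hop")
    if not on_brand(host_of(hops[-1]), brand_domain):
        flags.append("lands-off-brand")
    return flags

# Constructed chains: one clean warranty scan, one that bounces to a look-alike host.
CLEAN = ["https://example-brand.test/w", "https://www.example-brand.test/warranty"]
SUSPECT = [
    "https://bit.ly/EXAMPLE",
    "http://tracker.test/r?x=1",
    "https://example-brand.test.win-big.test/pay",
]

if __name__ == "__main__":
    print(review_chain(CLEAN, "example-brand.test"))
    print(review_chain(SUSPECT, "example-brand.test"))
```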

Some companies go a step further by printing a unique code on their product packaging that matches one shown on the webpage the QR code leads to. “If the codes don’t match, the customer knows something’s wrong. It’s a simple but effective way to verify authenticity,” Jha said, adding that such practices evolve over time as companies learn from past attacks.

As QR codes become even more common, these security challenges aren't going away. The Portronics incident was resolved quickly, but it won't be the last time customers encounter malicious codes.

The solution isn't to stop using QR codes—they're too convenient and useful. Instead, it's about building better security practices, both for companies creating them and customers scanning them.

Until then, that simple square on your next purchase might deserve a second look before you scan.
