
Use of QR Codes

In recent years, QR codes have become a very popular way to direct consumers to websites, coupons, etc. Unfortunately, as with most things once they become popular, criminals look to see how they can take advantage. For example, the City of Houston recently reported fake QR codes stuck to parking meters, enticing unwitting drivers to scan the code and hand over their payment details in the belief that they were paying for parking, when they were actually giving that information to criminals. As a result of the rise in QR code fraud, this past January the FBI issued a warning regarding QR codes and the potential for misuse: https://www.ic3.gov/Media/Y2022/PSA220118

As a result, while there are no official UHS restrictions on the use of QR codes, we do discourage their use. We know they make things easy and, unfortunately, that’s the problem. They’re also easy tools for taking advantage of people. Fake QR codes placed over legitimate codes can easily redirect applications and web browsers to malicious sites, which are then used to gather personal and financial information from unsuspecting users or to infect the device with malware.

Recognizing the user-friendly reasons for using QR codes on campus signage and flyers, we are working on a process to generate campus-specific QR codes in the future. In the meantime, if UHS departments wish to use QR codes on signage or flyers, please follow the recommendations below to protect our university patrons from QR-related scams:

  1. List the URL immediately above or below the QR code, showing where the QR code is supposed to take the user. This will also help the user access the website directly in the event the QR code doesn’t work on their device.
  2. Do not ask users to enter personal or financial information at the QR site, and include a notation about this on the signage/flyer. This lets users know what to expect at the QR site and to be concerned if they are asked to provide information.
  3. If the QR code is used on signage, establish an internal procedure for verifying that the QR codes on the signs have not been compromised. This procedure should include regular testing to ensure the signs have not been altered and confirming the QR code is still sending users to the proper location.
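
One way to support the regular testing in recommendation 3 is to keep an inventory of each sign and the URL printed beside its code, then compare what a QR reader decodes on each inspection round. The sketch below is an added example, not a UHS tool; the sign IDs, the example.edu and example.net addresses, and the function names are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed inventory: sign ID -> the URL printed next to its QR code.
EXPECTED = {
    "lot-4a-meter": "https://www.example.edu/parking",
    "library-flyer-03": "https://www.example.edu/library/hours",
}

def normalize(url):
    """Reduce a URL to (host, port, path, query); reject forms a sign should never carry."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("not an https URL")
    if parts.username or parts.password:
        # e.g. https://www.example.edu@other.example/ really goes to other.example
        raise ValueError("userinfo in URL")
    if not parts.hostname:
        raise ValueError("no host")
    host = parts.hostname.rstrip(".")
    path = parts.path.rstrip("/") or "/"
    return (host, parts.port or 443, path, parts.query)

def check_scan(sign_id, decoded):
    """Compare the text decoded from a sign's QR code with the inventory entry."""
    expected = EXPECTED.get(sign_id)
    if expected is None:
        return "UNKNOWN_SIGN"
    try:
        got = normalize(decoded)
    except ValueError as exc:
        return f"ALTERED ({exc})"
    want = normalize(expected)
    if got == want:
        return "OK"
    if got[0] != want[0]:
        return f"ALTERED (host {got[0]} != {want[0]})"
    return "ALTERED (same host, different page)"

def audit(scans):
    """Map each scanned sign ID to its check result."""
    return {sign_id: check_scan(sign_id, decoded) for sign_id, decoded in scans}

# Constructed results of one inspection round with a QR reader.
SCANS = [
    ("lot-4a-meter", "https://www.example.edu/parking/"),
    ("library-flyer-03", "https://www.example.edu@pay.example.net/library/hours"),
]

if __name__ == "__main__":
    for sign_id, result in audit(SCANS).items():
        print(sign_id, result)
```

This compares only the text encoded in the QR code; it does not follow redirects, so opening the link and confirming the page that loads remains part of the test.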

If you have questions or need additional guidance, please contact UHS Information Security at security@uh.edu.

Thanks for your assistance in keeping our users safe from QR scams!
