Is That QR Code or Web Link Safe?


The links to web pages can be many-characters long, and computers are very unforgiving of even the smallest data entry error. Designers realize this, so they’ve created “shortcuts”—tools that compress those lengthy web URLs into one-click or easy-to-type links. The QR code—that square random-looking collection of pixels you photograph with your smartphone—or the link shortener, a new shorter URL that starts with or, make web browsing easier. Better, right?

As with most technology, there can be a downside to these new conveniences. Because you can’t see the actual location of the web site (it’s hidden in the QR code or shortened link) you may be redirected to a different web site. That site may have malware that loads on your computer, or it may be a porn site or other malicious address. The QR code or shortened link may also be “clickbait”—a web site that gets a commission on all referrals but is just an intermediate site for the one you originally requested.

When you use your smartphone camera to view a QR code, a few seconds’ delay should show you the actual link you’ll be going to. If it doesn’t, you should be cautious and not go to the site.

As with any link you see on a web page or in an email, hover the mouse cursor over the link BEFORE you click it. After a few seconds, you should see the actual site that the link will take you to. You can then assess whether it looks legitimate. 

But the problem with link-shortened URLs is that all you’ll see is the shortened link. However, if you copy and paste the shortened link, add a plus sign (+) to the end of the link and press Return, you’ll see the actual link. This can tell you if it’s real or a mis-direct.

What is a “real” website? This can be complicated. Some URLS are easy—think—but often even legitimate websites have disguised full names. You might go to click on a link in an online car sale ad and see… Is that malicious? Actually no—it’s a “content delivery network” or CDN. This euphemism means that a third-party Internet provider has a large data center (probably thousands of physical file servers) and leases space to the owner of the actual website. The link in that email to the for-sale ad is routed through the CDN and then to the seller’s web site. They do this so that smaller web servers aren’t overloaded with internet traffic. The CDN serves as a leveling mechanism for web traffic. So, it’s not malicious, but it makes it hard to tell that the real site is or is not benign.

As with all things on the internet, a little paranoia can go a long way. If a QR code is on the registration card with your new dishwasher, it’s probably OK. If it’s on a flyer tacked to a utility pole, think twice before using it. 


Please enter your comment!
Please enter your name here