QR codes


By Andrew Newman

How this creative business marketing tool can be a double-edged sword, as cyberrisks abound.

Whatever category your business belongs to, 2023’s connected world requires all companies to market themselves via tech and social media, in order to gain popularity and more customers. But equally, in an effort to infiltrate more devices and execute more malware, scammers are increasingly using ingenious methods of exploitation.

Many creative tactics are used for digital marketing communication, but they aren’t without their dangers. For example, pay-per-click advertising, email marketing, and video marketing can be tampered with by malicious actors, with clickbait being a popular vector to lead consumers to phishing sites. Unsurprisingly, RAV researchers found in a recent consumer cybersecurity trends report that phishing is the leading malware distribution method affecting home users today.

Quick Response (QR) codes are another example of common digital marketing, and another possible vector for phishing, as they are the epitome of “security without context”—you can’t interpret the QR code with the naked eye, and so a consumer won’t know what it does until they scan it. So as with any connected technologies, it’s important to examine any possible cyberrisks affecting consumers.

QR Codes: What’s the appeal?

QR codes hit mainstream use throughout North America and Europe in 2020 when the pandemic forced businesses to go contactless. Given the QR codes’ large storage capability and the popular use of mobile devices, these two-dimensional barcodes are designed to be scanned using a smartphone camera and a QR code reader app to provide quick access to information.

They are widely used in various industries, including marketing, retail, and hospitality, offering direct access to websites, contact details, social media pages, and product information, or the ability to perform transactions. Adopting QR codes can help a business in several ways, such as improving customer engagement, increasing sales, and streamlining operations. QR codes also enable QR code login (QRL), a convenient and secure way for consumers to log in to websites and applications without the need for usernames and passwords.

Security without context—is it safe? 

Worryingly, people may blindly scan QR codes without pausing to consider what that might entail. Case in point: The Coinbase Super Bowl 2022 commercial utilized a bouncing QR code on a giant screen and garnered 20 million hits within one minute of the ad airing. It was an immensely effective marketing move (and funnily reminiscent of The Office’s legendary bouncing DVD opening teaser)—so much so that it temporarily “broke” the Coinbase website.

However, there’s something worrying about the laissez-faire reaction of the audience. In general, it’s safe for consumers to scan QR codes from trusted sources, yet there are potential risks, e.g. codes directing users to malicious websites, or containing embedded malware that allows criminals access to the victim’s mobile device to steal personal and financial information.

Implementing the scams

It can be difficult to know if a QR code is fake or legitimate. Humans cannot decipher the dot pattern, but people can try to confirm whether a QR code was pasted over another one, which could indicate that the new one is fake. QR code readers can often read these codes even if they are dirty or defective, potentially using their software to automatically correct the pattern.

Issues like these introduce a new risk for otherwise legitimate QR codes. The HP Threat Research Team found nearly daily QR code “scan scam” campaigns since last October. These campaigns deceive people into scanning codes that are designed to bypass less robust phishing detection and protection.

Threat actors can alter QR codes by greying out certain areas, slightly warping square dots in the code, or cloning a login QR code to a fake login page that closely mimics a legitimate online service, known as “QRL-jacking.” In a QRL-jacking attack, the attacker hijacks the victim’s QR code login session: the victim scans the attacker-supplied code with their own device, which gives the attacker access to the victim’s account. The attack can be carried out using various methods, such as redirecting the user to a fake login page or using a malware-infected app to scan the QR code.

For QR scams to work, social engineering is required. The consumer needs to be convinced to scan the QR code. Some such scams involve directing users to malicious websites asking for credit and debit card details, or phishing campaigns masquerading as parcel delivery companies seeking payment.

QR code scams often work best in places where the population prefers to go cashless, using their phones to make payments. Threat actors will exploit simple, everyday activities in order to take advantage of people. For example, in 2022 in San Antonio, fake QR codes were detected on parking meters throughout the city. People trying to pay for parking were directed to a fraudulent website to submit payment.

Stay cybersafe

It’s often the minor everyday activities that can drastically affect us without realizing it. Exercising caution and common sense when using QR codes is vital, especially if the user is prompted to enter sensitive information. In this respect, adding a second layer of authentication to online accounts can help protect the consumer.

Other safety guidelines include only scanning QR codes from trusted sources; using a QR code scanner app with built-in security features to detect and warn against malicious QR codes; and exercising caution if a QR code prompts you to download or install anything on your device. Also, check that any page you are redirected to has a legitimate URL and is displaying the HTTPS security indicator, and keep your device’s software up to date to ensure it is protected against known security vulnerabilities.
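The URL and HTTPS checks above can be automated on the text a scanner decodes, before anything is opened. The following is an added example, not part of the original article; the trusted host (modelled on the parking-meter case) and the shortener list are constructed assumptions, and it goes slightly beyond the article by also flagging embedded credentials, raw IP addresses, and punycode hosts.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the operator really prints on its own QR codes (constructed).
TRUSTED_HOSTS = {"pay.example-parking.test"}
# Assumption: a small sample of redirector domains; a real list would be longer.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def vet_qr_payload(payload: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means no red flags."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi, SMS, tel and plain-text payloads never reach a browser address bar.
        return [f"non-web payload ({scheme or 'plain text'}): review before acting"]
    warnings = []
    if scheme != "https":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        warnings.append("userinfo in URL can disguise the real host")
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if host not in TRUSTED_HOSTS:
        warnings.append(f"host {host!r} is not on the trusted list")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for sample in ("https://pay.example-parking.test/meter/42",
                   "https://pay.example-parking.test@203.0.113.7/pay",
                   "WIFI:S:FreeParkingWiFi;T:WPA;P:constructed;;"):
        print(sample, "->", vet_qr_payload(sample) or "no red flags")
```

An empty result only means none of these signals fired; it does not prove that the destination is safe.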

It’s always exciting to adopt new technologies when promoting your business, or being able to easily access information with a single click as a consumer. But staying aware and vigilant will always be a must. Using QR codes as a vector for scams is yet further proof that cybercriminals are diversifying, so we too need to stay one step ahead of the game.

Andrew Newman is the founder and CTO of ReasonLabs

Sourced from Fast Company

By Sam Anderson

We ask a bumper crop of marketers from The Drum Network why the humble QR code is still enjoying its long renaissance, and where the tech will head next.

Packaging, payment, a gateway to augmented reality worlds, and a star of the organized response to the Covid-19 pandemic: the QR code has emerged as the little technology that could. But, deep down, is it all just a gimmick? Is it living on borrowed time? Or is there more growth on the horizon?

Here, leaders from The Drum Network tell us why that relatively low-fi tech has become quietly indispensable to advertisers despite being almost 30 years old, and what tricks it’s still got up its blocky sleeve.

Alessandro Camaioni, UK strategy director, Momentum Worldwide: “February 2022. The humble QR code, mocked for a decade as a useless gimmick, was rescued by turning into an unlikely metaphor for social distancing, eventually surging as the most popular and talked about ad of Superbowl LVI.

“Was that the peak of QR fever? No. As one of the most democratic forms of smartphone technology, it will only become more ubiquitous in line with universal smartphone adoption.

“QR code payments alone are projected to grow from $8bn (2020) to $35bn (2030).

“Behavioral science can explain why QRs are the perfect marketing tool. Visual, immediate, able to offer a kick of instant gratification and reward our curiosity: QRs cut through the noise in a way no other medium can (until AR contact lenses enter our lives).”

Jim Hare, digital creative director, Bulletproof: “Over-communicating the ‘reason to scan’ remains the key challenge – otherwise all content stays hidden. People are happy to scan if the execution is novel enough. Cygames’ drone show, forming a QR in the Shanghai night sky, is a spectacular example.

“But, like anything that takes effort to engage with, QR codes are only as effective as the payoff they provide. Ritual driving is where we’re headed now. Codes that recognize how many times they’ve been scanned and serve up new, sequenced content, provide people with a fresh reason to retain and revisit QRs. Repeated scans form habits and therefore give the tech a longer, more meaningful lifespan – brilliant for brands seeking to drive ritual building or instructive learning.”

Yahye Siyad, diversity & accessibility lead, Cyber-Duck: “As someone with a serious visual impairment, if QR codes (as typically used today) died out tomorrow, almost nothing would be lost in terms of my engagement with brands. Blind people simply don’t know they’re there unless we’re told, and they mostly link off to sites incompatible with screenreaders. For people with motor control impairments, it’s hard to hold a phone (and the object the QR code is on), and scan it. And taking people who’re deaf to audio descriptions or videos without captions is a dead end.

“It wouldn’t take much to rethink this to deliver brilliant, inclusive brand experiences. QR alternatives like NaviLens can be used at long distances, scanning the environment. Near-field communication (NFC) integration could directly ‘ping’ a disabled user’s device via assistive technology rather than having to scan.

“QRs should lead to a choice of accessible content. Without this type of inclusive design thinking, any brilliant potential QR use cases are simply beside the point.”

Del Credle, head of strategy & media, Laundry Service: “Having lived in China, where QR codes are part of daily life, I’ve seen their potential. I used them multiple times a day: buying groceries, exchanging personal details, renting bicycles, opening doors, and paying bills.

“They are not yet being fully realized here in the US. And, while there are endless implications for marketers, the meaningful opportunities lie in their potential for e-commerce and to ease our use of technology in everyday living. We should push to integrate them natively first in our social ads and organic posts.”

Feature Image Credit: Toa Heftiba via Unsplash

Sourced from The Drum

By Jeff Beer

Global chief marketing officer Manuel Arroyo outlines the OpenX partnership with advertising holding company WPP, and how it will drive new brand growth.

Just today alone, 1.9 billion Coca-Cola products will be sold around the world. Now, chief marketing officer Manuel “Manolo” Arroyo is aiming to double its number of consumers very quickly.

“We’re in the process of deploying QR codes in every package available for all of our brands in the next three years,” Arroyo tells Fast Company. “QR codes are arguably the most unexploited and under-leveraged media vehicle that exists out there. Even if you only get a 3% redemption, imagine the return on 1.9 billion per day, what we can do in terms of first-, second-, and third-party data moving forward. One [strategy] at a global scale, and it’s going to take us to very different places.”

The key phrase there is one strategy. Coca-Cola operates in more than 200 countries around the world, and has traditionally—like many global corporations—operated with a complex network of marketing and advertising partners throughout its worldwide business. But last November, Arroyo partnered with advertising-holding company WPP to create a unique partnership that includes a bespoke internal team dedicated to Coca-Cola globally called OpenX. The CMO sees this as a key tool in achieving his overall goals for the flagship Coke brand, and the company in general.

“First, it’s to make that brand an incredible icon and brand, young and relevant again,” says Arroyo. “But also tap into a tremendous growth potential. We should be able to double this brand [consumer base] very soon if we do things right, and if we do it very differently than how we’ve done it in the past 20 years. I think we have a very clear idea of what it takes to get there.”

A significant part of that idea is for OpenX to help his company be more consistent and efficient in its marketing and advertising, on a global scale. Coke spent more than $4 billion on global advertising in 2019. It saw its spending drop by 35% in 2020 but has since gone back to pre-pandemic levels.

“Even though we have reshaped our portfolio into something more focused, we still have more than 200 brands across the world, and we come from an incredibly fragmented way of marketing,” says Arroyo. “Instead of having one-off campaigns that change every quarter, [we want to have] ongoing, continuous platforms. We know we’re doing Christmas for the next five years, so we don’t need five different briefs for Christmas. We just need one platform, and then update it and shape it based on the [consumer] data.”

In February, the company launched its “Coca-Cola Creations” campaign for Coke, which included a “space-flavoured” cola, that’s all part of an overall global marketing platform the company calls “Real Magic.” And in May, it rolled out a new global campaign for Sprite (the first created wholly by OpenX) called “Heat Happens.”

The idea of a bespoke ad-holding company team for a massive client isn’t new. Omnicom Group created the We Are Unlimited team in 2016, at the time to service McDonald’s (folded in 2019), as well as Team X last year for Mercedes-Benz. WPP itself has tried these models before, in 2006 with Team One for Ford, and Team Energy for BP.

The basic idea is that a global advertising-holding company, with its many agencies and specialties, combines its capabilities into a single, custom-made entity for a major client. It’s an idea that hit trend status a few years ago, only to have some brands swing back to a more traditional multiple-agency model. (In the U.S., for example, both Ford and McDonald’s have picked indie agency Wieden + Kennedy for major ad work.) Prior to OpenX, Coca-Cola worked with about 4,000 different agency partners around the world. Arroyo and Laurent Ezekiel, OpenX CEO and WPP chief marketing and growth officer, insist things will be different this time.

The key is a single contact point, as well as a single P&L, giving Coke a simple partnership format, and preventing WPP’s various stakeholders from competing internally for parts of the business—two things that have often muddled these types of partnerships in the past.

Last year, Domino’s chief marketing officer Art D’Elia lauded the simplicity of an independent agency partner over the complexity of a holding company, telling AdAge, “I really feel that the independent agency model gives us more flexibility and less distractions.”

Another significant development in the OpenX model is that it not only allows, but insists, that if an outside competing agency can help, OpenX is obligated to collaborate. It’s all in the name of finding the best possible work for Coke, and removing as many barriers to finding it as possible.

“In a partnership like this with WPP, they’re putting skin in the game on our metric—growing our consumer base—and that will define success for The Coca-Cola Company in terms of marketing,” says Arroyo. “And they’re ready to be compensated or penalized, based on mutual achievement there. So Laurent’s achievement will be the same as what I report to my CEO.”

Ezekiel says this partnership has the potential to influence work beyond a single brand and agency. “I tell my team that we’re in the position to architect the future here,” says Ezekiel. “Genuinely writing a new page in marketing history.”

Jeff Beer is a staff editor at Fast Company, covering advertising, marketing, and brand creativity.

Sourced from Fast Company