Think Before You Scan: QR Code Safety for Cybersecurity Awareness Month

In our August 15 LST Live! session, we highlighted simple, high-impact steps that everyone can take to reduce risk—starting with the tiny black-and-white squares we scan every day. The Cybersecurity Awareness: QR Code Insights segment walked through how attackers misuse QR codes and what to do when one appears in an email, on a flyer, or even on an unsolicited package. (If you missed it, grab the recap email and watch the recording.)

Why QR Codes are a Growing Target

QR codes make it fast to open links, pay, check in, or grab a document. That same convenience is why attackers use them: a single scan can redirect you to a spoofed website, trigger a malicious download, or prompt you to enter credentials on a look‑alike page. We also flagged a newer twist: unsolicited packages that include a QR code, intended to lure recipients into scanning and handing over personal or financial information—a QR‑assisted variation of a “brushing” scam.

The 10‑second SCAN–PAUSE Checklist

Before you point your camera at any code, run this quick mental check:

  • Sender — Who put this here? Treat unsolicited or anonymous QRs as hostile by default.
  • Context — Does it make sense? A “security update” QR on a lobby poster or a code taped onto a parcel is a red flag.
  • Address — Preview the URL. If it’s shortened, strange, or misspelled, don’t tap. 
  • Network — Choose a safer path. Prefer known, trusted connections—and when possible, navigate manually by typing the known site instead of following the QR.

If anything feels off, PAUSE and report it.

Do’s and Don’ts at LST

Do

  • Use approved paths for company systems (benefits, timesheets, learning). If a QR claims to link to an LST/Tetra Tech system, bypass the code and log in via your normal bookmarks or the corporate portal.
  • Report suspicious QRs (emails, posters, packages, or labels in shared spaces) through our standard IT Security channels. Share the location and any context; do not scan to “test” it yourself.

Don’t

  • Don’t scan QRs from unsolicited packages or anonymous flyers.
  • Don’t run your own scans or probing tools—vulnerability scanning is restricted to authorized Security personnel per policy.

Where to Learn More

  • For our employees: Watch the August 15 segment and review the LST Live recap for the Cybersecurity Awareness slides and links.