For the uninitiated, Coinbase — a cryptocurrency exchange — ran a 60 second spot that featured a QR code bouncing around in a way reminiscent of old DVD screensavers. It was a roaring success. Coinbase claims it witnessed over 20 million hits in a single minute on its special offer of $15 of free Bitcoin for new sign-ups. Of course, take the visitors figure with a pinch of salt. The number comes from the company itself, meaning the story could be summed up as “Coinbase says its own advert was actually super, duper popular, thank you very much.” Despite the numerical murkiness, we can agree it was a successful advert. Yet this obscured a fundamental truth of the modern world: we really shouldn’t scan random QR codes. Yes, you can argue that the Coinbase advert wasn’t “random” — it was aired during one of the most prominent television spots in the world, after all — but that’s missing the point. “It’s notable how many facets of the cryptocurrency world mimic social engineering scams,” Max Eddy wrote for PC Mag. To put that another way, Coinbase is normalizing a potential security vulnerability. By running this advert, it gives people the impression that scanning a context-less QR code is, well, totally fine. Not a good stance for a company that should secure your financial assets. “The pandemic has seen a proliferation of QR codes,” Ben Wood — Chief Analyst, CCS Insight — told me. “But as with all electronic interactions, users need to be careful they are not following a fraudulent link.” This is particularly true in locations where “the QR code could have been tampered with.” Think public places, like car parks or shopping centers. In these situations, a rogue QR code is similar to a phishing email. To me, the difference is society at large seems far more aware of the dangers of this sort of attack. While many would be unlikely to click on a dodgy link in a weird text, there doesn’t seem to be that same reticence when it comes to scanning random QR codes. And all the Coinbase advert did was reinforce the idea that it’s nothing to worry about. So, what happens if you’re uncertain if a QR code is fake? Take Wood’s advice: “if something looks wrong it’s best to double check… it’s a legitimate link.” In other words, Google is your friend. Rather than following the QR code, search for the website it’s asking for you to visit. Look for the security certificate. Ensure it is what it says it is. So, I reiterate: you really shouldn’t scan random QR codes. And, if possible, tell your less tech-savvy friends and relatives the same thing. It could save them from being scammed at some point down the line.