Sector 7G's Learning Center

Articles • Tips • Tutorials

QR Code Checks

Jun 22, 2021 | Greg Butler

Topics: Cybersecurity

Audience & Level: Non-technical & Basic

Intro
It is worth “thinking before tapping” a QR code, just as you would think before clicking a link in unsolicited email. Fortunately the check is simple.

Intermediaries
Search “QR code generator” and you’ll get a few billion results, like “Fast Eddie’s QR Code Generator and Hubcap Emporium”.

QR codes are trivial to create, many are free, and thus numerous services generate them for virtually anything—sites, email, phone, and likely at least a dozen other uses.

Typically someone simply enters what they want encoded, say their site’s address. The code is generated, they download it, test it and, presto, they’re at their site, so the image goes off to the printer for coffee mugs, banners, dog sweaters, car window decals, etc.

However, many of these codes do not take you directly to the destination. Instead, and this appears “transparent” to the person scanning, the code contains a short address on the generator’s own site, which then redirects you to the real destination (generators call these “dynamic” codes, because the owner can later change where the code points without reprinting it). That raises two questions: what’s on that intermediate site, and what is it collecting about you?

Checking
QR readers (normally the phone’s camera app) should first show a prompt with the address the code contains, before opening anything. If yours doesn’t, that feature may be disabled, or it’s time to use a different reader, because the whole point is to check whether the code sends us first to an intermediate site.

For example, this code (obviously not possible to test if you’re reading this on mobile without another device or a friend) takes you directly to this site, and assuming your reader prompts, it will indicate “www.sector7g.com”.

On the other hand, other codes prompt with an intermediary, like “qr.coderedirect.ninjas” (fictitious but illustrative), and only then send you on to the final site. Who knows what “qr.coderedirect.ninjas” gathered from your brief visit and what they plan to do with it. (We understand intermediaries are used for “QR campaigns”, but this article is written for users.)
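For readers who want to do the same check from a computer rather than trusting the phone’s prompt alone, here is an added example (not part of the original article) that takes the text a QR reader decodes and answers the two questions above: what kind of payload is it, and does it pass through an intermediary before reaching the expected site? The redirect chain below is constructed for the example using the article’s fictitious “qr.coderedirect.ninjas” host and a stand-in fetch function, so it runs offline; against a real code you would decode the image with any QR library and replace fake_fetch with an HTTP HEAD request.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urljoin

# Constructed sample payloads, as a QR reader would decode them.
DIRECT = "https://www.sector7g.com/"
VIA_INTERMEDIARY = "https://qr.coderedirect.ninjas/abc123"  # fictitious host from the article
PHONE = "tel:+15555550100"

# Constructed redirect table standing in for live HTTP responses:
# url -> (status code, Location header or None). Purely illustrative.
FAKE_RESPONSES = {
    "https://qr.coderedirect.ninjas/abc123": (302, "/go/abc123"),          # relative Location
    "https://qr.coderedirect.ninjas/go/abc123": (301, "https://www.sector7g.com/?campaign=mug"),
    "https://www.sector7g.com/?campaign=mug": (200, None),
    "https://www.sector7g.com/": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),            # redirect loop
    "https://loop.example/b": (302, "https://loop.example/a"),
}

def fake_fetch(url):
    """Stand-in for an HTTP HEAD request; returns (status, location)."""
    return FAKE_RESPONSES.get(url, (404, None))

@dataclass
class QrCheck:
    payload: str
    kind: str                                   # "web", "phone", "email" or "other"
    host: str = ""                              # host the code sends you to FIRST
    chain: list = field(default_factory=list)   # every URL visited, first to last
    final_host: str = ""                        # host you actually end up on
    intermediary: bool = False                  # first host differs from final host
    matches_expected: bool = False              # final host is the site you expected

def describe_payload(payload):
    """Classify decoded text the way a cautious reader prompt should."""
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return "web", (parts.hostname or "").lower()
    if scheme == "tel":
        return "phone", ""
    if scheme == "mailto":
        return "email", ""
    return "other", ""

def trace_redirects(url, fetch, max_hops=5):
    """Follow Location headers without rendering any page and return the chain.
    Stops on a hop limit and on loops so a hostile chain cannot spin forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:                         # loop detected; report and stop
            break
        seen.add(nxt)
    return chain

def check_qr(payload, expected_host, fetch=fake_fetch):
    """Answer: what is this code, is there an intermediary, and do I land where I expect?"""
    kind, host = describe_payload(payload)
    result = QrCheck(payload=payload, kind=kind, host=host)
    if kind != "web":
        return result                           # nothing to follow for tel:/mailto:
    result.chain = trace_redirects(payload, fetch)
    result.final_host = (urlsplit(result.chain[-1]).hostname or "").lower()
    result.intermediary = len(result.chain) > 1 and host != result.final_host
    expected = expected_host.lower()
    result.matches_expected = (result.final_host == expected
                               or result.final_host.endswith("." + expected))
    return result

if __name__ == "__main__":
    for payload in (DIRECT, VIA_INTERMEDIARY, PHONE):
        r = check_qr(payload, "www.sector7g.com")
        print(f"{r.kind:5} first={r.host or '-':28} intermediary={r.intermediary} "
              f"final={r.final_host or '-'} ok={r.matches_expected}")
```

One caveat a practitioner should keep in mind: a redirector can answer a desktop HEAD request differently from a phone’s browser (by user agent, device or geography), so a trace from a computer shows what the intermediary did for that request, not necessarily what your phone would have been sent to. The prompt on the phone itself remains the first line of defence.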

“Think before you tap”
What is the destination? Is there an intermediary? And, most importantly, do you trust where the code will take you? What’s there: malware, or some site you’d rather not visit for other reasons? It is prudent to treat codes no differently than links in email, i.e., “think before you click (tap)”. While mobile devices are generally less susceptible to exploits than other devices, they are far from immune.