The recent Coinbase ad on the 2022 Super Bowl telecast has turned into a litmus test for the cybersecurity profession. Many professionals were dismayed, some to the apparent point of outrage, that Coinbase would show a QR code and expect people to just scan it without reference. Cautious cybersecurity professionals said they would never scan the code and discouraged others from doing so. On the other side, those who took no issue with the QR code accused the cautious professionals of being proverbial “Chicken Littles,” yelling, “The sky is falling!” They claimed that QR codes are safe and the use of the code in the ad posed no risk. The reality was in between, but I believe it is more to the side of bad.
First, let’s acknowledge that the risk associated with a QR code in a Super Bowl ad is almost nonexistent. Coinbase is a legitimate organization. They spent millions of dollars to scroll a QR code across a screen for 30 seconds. The network, NFL, and probably an army of lawyers likely examined the QR code and the associated landing pages to ensure that it met all legal and ethical standards. Concerns that the link was not safe to click on are not reasonable given the risk within that context. Whether or not the ad itself is effective is not relevant to the cybersecurity concerns.
That being said, there are other concerns, none of which are directly related to Coinbase or the ad itself. Now, I assume that criminals and others are creating fake versions of the ad and QR code. The fake versions will send people to potentially malicious sites, a result that is inevitable based on my experience. People are talking about the ad, and it is likely that people are searching for the ad or QR code to see what they missed. Criminals will expect this natural curiosity and exploit it.
Cybersecurity professionals have been advocating that people not go to random websites and click on random QR codes as they may lead to malicious websites. The problem is that displaying just a QR code on TV, while it may be safe in this context, encourages people to click on random QR codes, which might be unsafe. That is a reasonable concern.
The Internet is safe for commerce, communications, and other purposes when used properly and safely. And QR codes can be safe and reasonable to follow if they are in a safe context. (I admit that is vague, but it is situation-dependent.) However, it is ironic that the Super Bowl ad came out within a month of the FBI Internet Crime Complaint Center (IC3) releasing a warning of tampered QR codes.
Awareness and cybersecurity professionals have been trying to improve the cybersecurity behaviors of users. A critical behavior is exercising caution when browsing and following links on the Internet. A prominent part of that is not to follow random QR codes, which is essentially what the Super Bowl ad had people do. While I did say the QR code in the Super Bowl ad was in a safe context, it is a fine line, and you need to expect many users not to understand the difference. While a QR code on TV might be safe, it is not safe to look up and click on the seemingly same ad on the Internet. Likewise, it is hard for many people to understand why it is OK to follow an unmarked QR code on TV but not an unmarked QR code in a shopping mall.
Companies have a right to do anything that is legal, and for the record, there is nothing unethical about the Coinbase ad. It just encourages behaviors that cybersecurity awareness programs discourage, and this isn’t the only case where a legitimate organization’s actions ran against recommended security practices. Consider the recent case where a lottery commission sent an email to a user to inform the person they won the lottery, or a case where a casino emailed a person to inform them they won a jackpot.
QR codes are similar to short URLs, but they trigger behaviors in a different way. You must admit that the Super Bowl ad only worked because of curiosity about the unknown. A random QR code without reference will spark people’s curiosity in ways that short URLs do not. The problem is that criminals place tampered QR codes in random places without context and then exploit them, as the IC3 warning shows.
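The awareness point above (a QR code is an opaque link, and a tampered one can point anywhere) can be turned into a concrete habit: look at what the code decodes to before acting on it. The following Python is an added example, not code from the original article or from Coinbase; it assumes a scanner app has already decoded the code into a text payload and inspects that payload for the warning signs a defender would want a user to notice (non-web schemes that trigger a device action, plain http, a bare IP address as host, credentials embedded before an "@", URL shorteners, and internationalized look-alike hostnames). The shortener list is a constructed illustration, not an authoritative source.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of shortener hosts for this illustration only;
# a real deployment would maintain its own list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Payload schemes a phone acts on directly (dial, text, join Wi-Fi) rather than
# showing a page the user can read first.
NON_WEB_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "geo"}


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons to pause before following it.

    Returns a dict with 'kind' (text | action | web | other), the parsed scheme
    and host, and a list of human-readable 'reasons' (empty means nothing
    stood out; it does not mean the destination is trustworthy).
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    reasons = []

    # Not a URL at all: a plain text payload (contact card, ticket id, ...).
    if not scheme:
        return {"kind": "text", "scheme": "", "host": "",
                "reasons": ["not a URL; nothing to open"]}

    # Schemes that trigger an action on the device instead of opening a page.
    if scheme in NON_WEB_SCHEMES:
        reasons.append(f"'{scheme}:' payload triggers a device action, not a web page")
        return {"kind": "action", "scheme": scheme, "host": "", "reasons": reasons}

    if scheme not in ("http", "https"):
        reasons.append(f"unusual scheme '{scheme}:'")
        return {"kind": "other", "scheme": scheme, "host": "", "reasons": reasons}

    host = (parts.hostname or "").lower()

    if scheme == "http":
        reasons.append("plain http, no TLS")

    # user:pass@host is rarely legitimate on the web and is used to make the
    # part before '@' look like the real site.
    if parts.username or parts.password:
        reasons.append("credentials embedded before '@' can disguise the real host")

    # A literal IP address instead of a name is unusual for a consumer brand.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass

    if host in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the final destination")

    # Punycode or non-ASCII labels can imitate a familiar brand name.
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        reasons.append("internationalized hostname; check for look-alike characters")

    return {"kind": "web", "scheme": scheme, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, including a harmless one for comparison.
    samples = [
        "https://www.example.com/promo",
        "http://192.0.2.10/login",
        "https://bit.ly/abc123",
        "https://login@evil.example/",
        "tel:+15551234567",
        "just some text",
    ]
    for s in samples:
        result = inspect_qr_payload(s)
        print(f"{s!r}: kind={result['kind']} reasons={result['reasons']}")
```

An empty reasons list is not a verdict that the destination is safe; the function only surfaces the things a user cannot see in the printed square, so that the decision to follow the link is made with the URL in view rather than on curiosity alone.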
The problem is that cybersecurity risks can be nuanced, largely driven by context. This whole controversy shows that even cybersecurity professionals are not addressing the nuances, and many readers may disagree with me here. Given all of that, the ad is harmful to cybersecurity awareness efforts. We now have to explain why a behavior is acceptable in one situation but not appropriate in just about any other situation, but this is just part of the job of a cybersecurity professional.