A lot of GS1 2D conversations still sound like an IT project. Can the scanner read the code? Can the POS parse the data? Those questions matter, but they miss the biggest public-facing change: many of these 2D barcodes will be scanned by customers with an ordinary phone camera.
That changes the threat model. The moment a product code becomes a link to product information, instructions, or warranty help, the pack stops being only an identifier. It becomes a customer-facing entry point to the web. If that scan lands on a spoofed page or bad redirect, the customer blames the brand on the pack, not the attacker behind it.
If customers can scan the code, treat it like a public webpage printed on every unit you ship.
Why customer-facing GS1 2D is the real security shift
This is not a fringe use case. In the GS1 retail 2D guideline, QR Code with GS1 Digital Link is explicitly positioned for consumer engagement and full mobile-device compatibility. In the GS1 system architecture guide, GS1 also notes that the default link for smartphone use will often be a product information page. In plain English: the code on the pack is meant to be used by the public, not only by staff.
That is why sloppy rollout is dangerous. A warehouse operator using a specialist app may scan a structured data carrier and stay inside a controlled workflow. A customer using the default phone camera usually sees a URL and opens a browser.
GS1's consumer engagement guidance makes the opportunity clear: a brand can update the destination content without reprinting packaging. That flexibility is useful, but it also means your resolver, domain, and redirect rules become part of the product itself.

How QR spoofing hits legitimate product codes
A malicious sticker is placed over the real code on a shelf label, in-store sign, secondary sticker, or other customer-facing surface. The FBI warned on January 18, 2022 about physical QR tampering, and the FTC repeated on December 6, 2023 that scammers cover legitimate codes with their own.
A copied pack can carry a copied or modified 2D code. To the customer, it still looks like the brand's package. That is exactly why GS1 says batch, lot, serial, and traceability data can help fight counterfeiting when the data is actually captured and checked.
The printed code may be genuine, but the destination can still be unsafe if the redirect chain, domain ownership, or resolver permissions are weak. If a third party can silently repoint the destination after print, you do not really control what your customers will open.
The packaging context lowers suspicion. People are trained to distrust random emails, but they are more likely to trust a code printed on a product they just picked up or bought. That is why quishing matters here. In a November 4, 2024 security post, Microsoft said some QR phishing campaigns were growing 270 percent per month and reached 3 million blocked attempts per day at their peak.

What brands and retailers should lock down before rollout
Consumer-safe rollout checklist
- Use a brand-owned HTTPS domain: GS1 guidance recommends using your own domain, ideally a dedicated subdomain reserved for product identification. That gives customers something recognizable to trust and gives you control over the redirect path.
- Redirect to product information, not payment or login: A pack code should open product content, instructions, traceability, or support. If the first screen asks the customer to log in, reset a password, or make a payment, you are training them to ignore phishing signals.
- Keep resolver changes under change control: The GS1 code may stay on the pack for months or years. Marketing campaigns change weekly. Resolver ownership, DNS, redirects, and content publishing need production-style approval, not casual CMS edits.
- Ban shorteners and mutable third-party QR services: They hide the real destination from the customer and create a single point of redirect abuse that sits outside your control.
- Publish one trusted scan domain consistently: If your products always resolve through the same clean brand domain, shoppers and support teams can learn what normal looks like.
- Inspect every customer-facing secondary label: Fresh-food labels, shelf talkers, promo stickers, and retailer-applied QR labels deserve the same scrutiny as the product code itself. Use the fingernail test to feel for raised sticker edges.
- Monitor scan analytics like a security signal: Strange geography, unexpected device mix, spikes on a low-volume SKU, or sudden traffic to a retired campaign path can all indicate cloning or redirect abuse.
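The last checklist item is easy to agree with and rarely implemented. As an added example (not GS1's code and not the author's), the script below runs three of those detections over a constructed per-day aggregate of resolver scans: a same-day spike on a low-volume GTIN against its trailing baseline, scans from a country never seen for that GTIN, and hits on a campaign path that was retired. The log format, the thresholds, the retired path and the second GTIN are assumptions made for this example; 09506000134352 is the GTIN GS1 uses in its own Digital Link examples.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed per-day aggregate of resolver scans (not real data):
# date, GTIN-14, ISO country, resolved path, scan count.
# Days 03-01 to 03-07 are the baseline; 03-08 is "today".
SCAN_LOG = """\
2026-03-01 09506000134352 GB /01/09506000134352 3
2026-03-02 09506000134352 GB /01/09506000134352 2
2026-03-03 09506000134352 GB /01/09506000134352 4
2026-03-04 09506000134352 IE /01/09506000134352 1
2026-03-05 09506000134352 GB /01/09506000134352 3
2026-03-06 09506000134352 GB /01/09506000134352 2
2026-03-07 09506000134352 GB /01/09506000134352 3
2026-03-01 09506000117782 DE /01/09506000117782 40
2026-03-02 09506000117782 DE /01/09506000117782 38
2026-03-03 09506000117782 FR /01/09506000117782 12
2026-03-04 09506000117782 DE /01/09506000117782 45
2026-03-05 09506000117782 DE /01/09506000117782 41
2026-03-06 09506000117782 FR /01/09506000117782 15
2026-03-07 09506000117782 DE /01/09506000117782 39
2026-03-08 09506000134352 GB /01/09506000134352 3
2026-03-08 09506000134352 BR /01/09506000134352 57
2026-03-08 09506000134352 BR /promo/winter-2025 9
2026-03-08 09506000117782 DE /01/09506000117782 44
"""

RETIRED_PATHS = {"/promo/winter-2025"}  # assumption: a campaign path that was taken down
SPIKE_FACTOR = 5      # today's scans must exceed this multiple of the baseline daily mean...
MIN_SPIKE_SCANS = 20  # ...and reach this absolute count, so a one-a-day SKU going to six is not an alert

def parse_scan_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, gtin, country, path, count = line.split()
            rows.append((date.fromisoformat(day), gtin, country, path, int(count)))
    return rows

def detect_anomalies(rows, today):
    """Compare today's scans against every earlier day in rows; return (kind, gtin, detail) alerts."""
    baseline = [r for r in rows if r[0] < today]
    current = [r for r in rows if r[0] == today]
    baseline_days = len({r[0] for r in baseline}) or 1
    baseline_total, seen_countries = Counter(), defaultdict(set)
    for _, gtin, country, _, n in baseline:
        baseline_total[gtin] += n
        seen_countries[gtin].add(country)
    today_total, today_geo, retired_hits = Counter(), defaultdict(Counter), Counter()
    for _, gtin, country, path, n in current:
        today_total[gtin] += n
        today_geo[gtin][country] += n
        if path in RETIRED_PATHS:
            retired_hits[(gtin, path)] += n
    alerts = []
    for gtin, n in today_total.items():
        mean = baseline_total[gtin] / baseline_days
        if n >= MIN_SPIKE_SCANS and n > SPIKE_FACTOR * mean:
            alerts.append(("spike", gtin, f"{n} scans today vs {mean:.1f}/day baseline"))
    for gtin, per_country in today_geo.items():
        for country, n in per_country.items():
            if gtin in seen_countries and country not in seen_countries[gtin]:
                alerts.append(("new-geo", gtin, f"{n} scans from {country}, never seen in baseline"))
    for (gtin, path), n in retired_hits.items():
        alerts.append(("retired-path", gtin, f"{n} scans to retired path {path}"))
    return alerts

def run_example():
    """Run the detections over the constructed log with 2026-03-08 as today."""
    return detect_anomalies(parse_scan_log(SCAN_LOG), date(2026, 3, 8))

if __name__ == "__main__":
    for kind, gtin, detail in run_example():
        print(f"[{kind}] GTIN {gtin}: {detail}")
```

On this data the high-volume GTIN stays quiet while the low-volume one raises all three alerts at once, which is the pattern a cloned pack or a hijacked redirect tends to produce: a SKU that normally gets a few scans a day suddenly gets dozens, from a market you do not ship to, some of them landing on a path you thought was gone. The absolute floor matters as much as the ratio; without it, tiny SKUs would page you on every random scan.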
This is also why clean labeling still matters. If customer-facing codes sit beside sloppy secondary stickers or badly placed promo labels, spoof detection gets harder. Our barcode labeling best practices guide is still relevant here, but the security goal is different: helping people recognize what a legitimate scan point should look like.
Do not lose the security upside
None of this means GS1 2D is a bad idea. The upside is real. Richer on-pack data can improve recalls, authenticity checks, and traceability. GS1's Digital Signatures guideline, ratified in January 2026, points toward scan-time authenticity verification, and the retail guideline notes that granular identifiers combined with traceability data can help prevent product counterfeiting.
But that upside depends on customer trust surviving contact with the real world. If the code on the pack becomes synonymous with random redirects, fake overlays, or browser warnings, the consumer program will fail long before the technical standard does.
Final takeaway
The hard question is not only whether your systems can read GS1 2D. It is whether every customer scan reaches a domain you control, a page you intended, and a flow that does not train people to accept phishing behavior.
Next step: run one customer-scan walk-through this week. Scan the live code with a normal phone camera, check the visible domain, follow the redirect chain, inspect nearby labels for overlay risk, and ask one simple question: if a shopper saw this for the first time, would they know it was safe?
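The walk-through above, and the domain, redirect, shortener and login/payment items in the checklist earlier, are mechanical enough to script. The following is an added example, not GS1's code and not from the original article: given the text a phone camera would decode, it checks the scheme and host, parses the GS1 Digital Link path and validates the GTIN check digit, walks the redirect chain rejecting HTTP downgrades, shorteners and any hop that leaves the brand's domains, and flags a final page that looks like a login or checkout. The brand hosts id.example-brand.com and www.example-brand.com, the shortener list, the keyword heuristic and the responses in FAKE_WEB are all assumptions made up for this example; HTTP is behind an injectable fetcher so it runs offline.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import re

# Assumptions: the brand's dedicated identification subdomain and the content host it may hand off to.
BRAND_HOSTS = {"id.example-brand.com", "www.example-brand.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}  # illustrative, not exhaustive
RISKY_WORDS = {"login", "signin", "password", "reset", "pay", "checkout", "wallet"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... applied from the right of the body."""
    if not gtin.isdigit() or len(gtin) not in (8, 12, 13, 14):
        return False
    body, check = gtin[:-1], int(gtin[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check

def parse_digital_link(url: str):
    """AI -> value from a path like /01/<GTIN>/10/<lot>/21/<serial>; None unless keyed by AI 01."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    if len(segs) < 2 or len(segs) % 2 or segs[0] != "01":
        return None
    return dict(zip(segs[0::2], segs[1::2]))

def url_findings(url: str, where: str):
    """Checks shared by the scanned URL (where='scan') and every redirect hop (where='redirect')."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    out = []
    if parts.scheme != "https":
        out.append((f"{where}-not-https", url))
    if host in SHORTENER_HOSTS:
        out.append((f"{where}-via-shortener", host))
    elif host not in BRAND_HOSTS:
        out.append((f"{where}-off-brand", host))
    return out

@dataclass
class ScanReport:
    chain: list = field(default_factory=list)     # every URL visited, in order
    findings: list = field(default_factory=list)  # (code, detail) pairs; empty means safe
    @property
    def codes(self):
        return {code for code, _ in self.findings}
    @property
    def ok(self):
        return not self.findings

def check_scan(scanned: str, fetch, max_hops: int = 5) -> ScanReport:
    """fetch(url) -> (status_code, Location header or None); injected so the check runs offline."""
    report = ScanReport()
    report.findings += url_findings(scanned, "scan")
    ais = parse_digital_link(scanned)
    if ais is None:
        report.findings.append(("not-digital-link", urlsplit(scanned).path))
    elif not gtin_check_digit_ok(ais["01"]):
        report.findings.append(("bad-gtin-check-digit", ais["01"]))
    current = scanned
    for _ in range(max_hops + 1):  # walk the chain; every hop must stay on-brand and on HTTPS
        report.chain.append(current)
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break
        report.findings += url_findings(location, "redirect")
        current = location
    else:  # loop never hit break: still redirecting after max_hops
        report.findings.append(("too-many-hops", str(len(report.chain))))
    # Crude keyword heuristic on the final path: a pack code should land on content, not a login or checkout.
    tokens = set(re.split(r"[^a-z0-9]+", urlsplit(report.chain[-1]).path.lower()))
    hit = sorted(RISKY_WORDS & tokens)
    if hit:
        report.findings.append(("destination-asks-credentials-or-payment", ",".join(hit)))
    return report

# Constructed stand-in for the live web covering the three cases the article describes (shapes only).
FAKE_WEB = {
    # Genuine pack: resolver on the id subdomain hands off to the brand's product page.
    "https://id.example-brand.com/01/09506000134352/10/ABC1":
        (307, "https://www.example-brand.com/products/09506000134352?lot=ABC1"),
    "https://www.example-brand.com/products/09506000134352?lot=ABC1": (200, None),
    # Overlay sticker: shortener, then a look-alike domain asking for a login.
    "https://bit.ly/3xyzQR": (301, "https://example-brand-support.com/account/login"),
    "https://example-brand-support.com/account/login": (200, None),
    # Genuine print, hijacked resolver rule: destination repointed off-brand, over plain HTTP.
    "https://id.example-brand.com/01/09506000134352": (302, "http://promo-tracker.example.net/r?c=winter"),
    "http://promo-tracker.example.net/r?c=winter": (200, None),
}

def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None))

if __name__ == "__main__":
    for label, url in [("genuine pack", "https://id.example-brand.com/01/09506000134352/10/ABC1"),
                       ("overlay sticker", "https://bit.ly/3xyzQR"),
                       ("hijacked resolver", "https://id.example-brand.com/01/09506000134352")]:
        r = check_scan(url, fake_fetch)
        print(f"{label}: {'OK' if r.ok else 'FAIL'}  chain: {' -> '.join(r.chain)}")
        for code, detail in r.findings:
            print(f"  - {code}: {detail}")
```

The third scenario is the one worth dwelling on: the printed code is genuine and the first hop is the brand's own resolver, and the check still fails because the chain is walked hop by hop rather than trusting the first host. Against live packaging, replace `fake_fetch` with a fetcher built on `requests.get(url, allow_redirects=False)` returning `(r.status_code, r.headers.get("Location"))`, so that every hop is inspected before it is followed.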