What is QR Fraud?6 min readReading Time: 4 minutes
QR Fraud usually involves cybercriminals printing fake QR codes and sticking them in public places like parking lots, restaurants, and supermarkets to trick customers into transferring money into their accounts.
Most of us actively look for QR (Quick Response) codes stuck on shop walls or kept on restaurant tables to make payments, read menus, and access product information. A QR code looks like a matrix barcode that is instantly read by your smartphone camera.Image Credit
Scanning a QR code is undeniably the most convenient way to complete an action. Users open their camera or any app that reads QRs, scan a code, and are redirected to a website or document to further interact with it.
Due to the convenience and speed offered by QR codes, a whopping 11 million households in the USA scanned them in 2020 alone. A majority of these scans were to make payments. QR codes indeed make life easier, but, as is usually the case, we must accept good with bad. Therefore, the flip side of this innovative solution is that cybercriminals use it to commit fraud.
The most common QR scams
With a substantial uptick in QR adoption during the pandemic, cybercriminals spotted several opportunities to dupe users by printing fake QR codes and sticking them at popular locations like parking lots, restaurants, and supermarkets.
For example, 30 fake QR code stickers were found on parking meters around Austin, Texas, that took motorists to a fake website rather than the official app and collected their complete credit card information.
This is called QR payment fraud and is one of the most common QR scams. Here, unsuspecting individuals scan codes that they think are authentic and willingly make payments to the wrong accounts, only to realize their money has been stolen.
It doesn’t stop here, though. Here are a few other QR scams you must know about.
QR phishing attack
You’re probably no stranger to phishing scams where cybercriminals pose as representatives of your bank or any other trustworthy entity. They tactfully get you to reveal sensitive data like credit or debit card details to dupe you off funds.
While these phishing attacks once directly asked for personal details over phone calls and emails, potential victims got smart and started ignoring such communication. This is when scammers got crafty and turned to QR codes since there are still a good fraction of people who haven’t fully grasped how to verify the authenticity of a QR.
Cybercriminals now share flyers and emails that contain QR codes that take you to websites that look trustworthy. These fake sites will ask for your personal information and often provide a link to make a payment or store your credit card details.
In another instance, a group of cybercriminals represented themselves as Rabobank – one of the largest Dutch banks, and sent emails to people intimating them of their debit card’s expiry. This email newsletter also carried a QR code, which a user had to scan to receive a new card. Of course, none of this was real, and it was a sincere attempt to steal sensitive card information and use it to make payments.
Face-to-face QR scam
The fraudster will approach you physically to feed you a fake story of how they are in desperate need of a small amount of money – they’ll tell you how they lost their wallet or forgot it at home and how they desperately need to pay for their parking spot, or some medicine, etc.
They will then produce a QR code on their phone and request you scan it to transfer a nominal amount, which they will promise to repay in cash. By scanning their QR code, you’ll end up providing them access to your online banking information. Several victims of this QR scam have lost hundreds of dollars. So, beware!
What is E-commerce QR fraud?
Cybercriminals approach retailers on online marketplaces claiming to buy goods. In return, they’ll ask you to scan their QR code so they can transfer money. This is a complete lie, as by scanning their QR code, you’ll supply your bank details.
How to shield yourself from QR fraud?
To shield yourself from all QR scams listed above, you must follow the same best practices. These include:
Validate QR codes received through emails
Always double-check any message or email you receive from your bank or any other entity that contains a QR code. You can directly call the bank or any other relevant authority. If they validate the QR code, you can go ahead and scan it. If they don’t, you should probably report this suspicious activity.
Check the URL linked to the QR code
Wherever you scan a QR, be it near a store, a parking lot, or your inbox, double-check the URL link it opens. If the URL is not what you expected the merchant URL to be, close the app instantly.
For example, amazon.com is okay, but amazon.bdsf.com is not!
Use reliable apps for scanning a QR
Whenever available, stick to reliable apps like Google Pay or Apple Pay to scan QR codes. This way, a credible third-party vendor will mediate the payment and save your credit and debit card details without transferring them to the merchant.
Say no to scanning strangers’ QRs
If a total stranger approaches you physically or online requesting you to help them make a payment by scanning their QR code, say no. After which, if possible, report this interaction to relevant authorities.
Check surroundings where QR codes are stuck
Always scan QR codes that are inside gated areas, restaurants, and shops. Avoid scanning them on sidewalks or streets with low foot traffic. Unfortunately, QR fraud can happen anywhere, even inside gated compounds, so double-checking the URL is critical anyway.
Vet the QR sticker before scanning
Often fraudsters don’t put a lot of thought into designing the QR stickers. Therefore, the likelihood of such stickers carrying misspelled words, pixelated logos, and incorrect grammar is high. Make sure you visually vet and proofread the sticker for these sore points before scanning one.
QR codes are an excellent tool for deploying a seamless touchless digital experience – enabling lightning-fast app-less and cashless parking payment in parking lots, for instance, can be done in under 30 minutes, thanks to how fast you can set up QR Codes. It’s impractical to mistrust QR-code based access and payment systems just because of a few stories of fraudulence.
QR codes are safe to use – provided you scan them as per the best practices listed above. They only take a few minutes to accomplish. So, keep our tips in mind and scan away!