How Your Business Can Fight Back Against QR Code Fraud
September 25, 2023
Consumers expect the speed and ease of use of digital commerce, and companies are taking advantage of QR codes to serve them. QR codes allow anyone with a phone camera to open website URLs to complete various tasks, from reading a menu to making online payments.
Unfortunately, cybercriminals are using QR codes, too. The two-dimensional barcodes enable crooks to gain victims’ personally identifiable information (PII), access their financial accounts and take control of their mobile devices.
In addition to protecting customers, you must protect your company from the backlash of QR code fraud, including reputation hits, financial losses and possible legal action.
Ubiquitous technology that’s simple to fake makes an attractive target for criminals. In early 2022, the FBI issued a QR code scam alert and the Better Business Bureau followed up with updates on the latest scams. Why the uptick in crimes?
· Easy to create. Codes can be produced in mere minutes by any number of online sites.
· Difficult to detect. QR codes were initially created for computers, not humans, to read. A code that’s been tampered with is very hard to spot with the naked eye.
· Hiding in plain sight. Malicious QR codes are placed everywhere real QR codes are found, including restaurants, business signage and email, making consumers less suspicious.
· Web technology. A bad QR code takes consumers to a malicious site (fake log-in, fake pay, malware download). The URL that pops up when the code is clicked is small and hard to read, and scammers have become skilled at developing convincing landing sites.
Types of QR code scams
QR code fraud gives thieves access to financial accounts, PII and mobile phone data in two steps. The first step is the QR code, which is like a pathway. It leads the victim to the malicious site (website, payment site, log-in page, app download), which is where the actual theft of data occurs.
Current scam tactics include:
1. Online payment for physical locations, including restaurants and parking meters. The QR code takes victims to a payment site to enter their credit card information, sending it directly to the scammer.
2. Online marketplaces, like eBay and Facebook. In one version, a buyer (scammer) states they’re interested in a seller’s (victim’s) item. To ensure the seller is legitimate, the buyer asks the seller to scan a QR code to verify where the money is going. The QR code links to a site requesting the seller’s banking information.
3. Bank, government and utility phishing. Similar to long-standing phishing schemes, these emails or texts appear to be from a trusted source, asking the victim to scan the QR code and input their information on the landing site.
4. Code virus that downloads malware to a victim’s phone and can act as a trojan horse, a keylogger that tracks every keystroke (password, SSN, financial information) or a ransomware scheme that locks the victim out of their phone until they pay the thief to return access.
BUSINESSES FIGHT BACK
There are numerous ways companies can stop scammers in their tracks.
1. Physical barriers. Store any collateral or signage with your QR codes in a secure location during off-hours.
2. Inspection. Check your QR codes to ensure no one has placed a new QR code over the top or otherwise tampered with them.
3. Testing. Use mobile devices to check that your QR codes go to the correct website or ordering platform.
4. Education. Teach your employees about QR code fraud so they don’t fall prey to business-focused scams. Train them to educate your customers. The FBI offers excellent QR code safety tips and tricks.
5. Branding. Put your logo and company name on anything with a QR code so it’s harder to switch out for fraudulent codes.