Kim, a high school senior in Los Angeles, spent the entire 2021-2022 school year raising funds for college. She had been accepted to her number one choice of universities, UC Berkeley, and was applying for every scholarship she could find.
One scholarship, promoted by a vague East LA community organization, promised $10,000 to five qualifying seniors. Kim received the flier for the scholarship in the mail, and there was a QR code at the bottom of the handbill that directed her to a suspiciously lean signup form. The form had no essay prompt, nor was there a place to list extracurriculars.
There was, however, a prompt asking applicants to input their banking details. The instructions stressed that this was so the funds could be quickly transferred to the winners.
Kim was not born yesterday. She knew a scam when she saw one.
And so, Kim took a photo of the flier, QR code blurred out, and posted a warning to her friends on Instagram that someone in LA was trying to scam high schoolers and their parents.
Lots of QR code scams end with a thud like this one. Some, however, actually work. It takes only a little effort and money to run a scam like the one above. Scaling is easy, too. It is just a matter of printing more fliers. And the scammer only needs a handful of people to fall for the scam to produce a massive return on investment.
At the beginning of the year, Featurespace Founder David Excell predicted that consumers in North America and Europe would finally embrace QR codes for payments, as has been happening in other parts of the world for years.
That prediction appears to be coming true. Right now, consumers in these regions primarily use QR codes to navigate to a payment gateway, not to facilitate a transfer. The challenge now is to mitigate the risk of fraud that comes with this new consumer behavior.
Chris Dorrington, Featurespace Subject Matter Expert, looks at the type of scams that are proliferating as a result of QR code adoption, and how people can protect themselves against such scams.
We are still on the QR code learning curve
Before the pandemic, consumers in Asia-Pacific were already familiar and comfortable with sending money and making payments via QR codes.
In North America and Europe, this was not the case pre-2020. But as restaurant menus went digital and vaccination-status documents entered our lives, the QR code became familiar.
Too familiar, perhaps. Casey Ellis, Founder and CTO at cybersecurity company Bugcrowd, told TheStreet in May 2022 that a person’s comfort with QR codes can make them a decent target for fraudsters.
“Once you’ve gotten used to scanning a QR without thinking about it from a security standpoint, it becomes a pretty attractive payload delivery vehicle for attackers,” Ellis said.
QR codes in phishing emails are also caught less often by email security software than malicious attachments or links: the filter sees an image, not a URL it can follow, unless it decodes the code itself. And given how widely QR codes are now used, many customers already assume they cannot be scammed or phished through one.
Popular QR code scams
Consumers are far savvier and on the lookout for phishing links and attachments in emails, thanks to extensive education initiatives by the banks, but no equivalent education has happened for scanning QR codes. A person cannot read a QR code by eye, and that is the basis of every QR code scam: we have no idea what is on the other side of the scan, and we can only trust that it will take us where the sign or message says it will.
Most scams play on that trust. Here are some common examples:
- Fake codes at payment kiosks. This is common in paid parking lots, where a sign instructs drivers to scan a QR code to pay. Scammers print a same-sized QR code and stick it over the genuine one; it directs drivers to a fake website, where they make what they believe is a payment to the company that manages the parking lot.
- Fake parking tickets. This scam is similar to the one above. Someone places fake parking tickets on cars with instructions to pay the fine via QR code.
- Phishing emails. Scammers send people emails with QR codes. The email instructs the user to scan the code, which takes them to a site, or a form designed to steal personal information.
A QR code can also point to a malware download or a malicious app, for example, or a stranger may ask a consumer face-to-face to scan a code displayed on the stranger's phone.
So far, however, the QR code scams most widely reported in North America and Europe prey on people who are willing to input personal information or make payments on whatever page they are sent to.
How to protect consumers from QR code fraud
More education is required. There is a misunderstanding that QR codes are secure and cannot be used for fraud. More information needs to be shared warning of the dangers, especially with an increase in phishing seen through QR codes.
In early 2022, the FBI issued guidance to help consumers spot QR code scams. The FBI's recommendations include:
- Check the URL of the site a QR code sends you to, and look for typos or a misplaced letter in the domain name.
- Check any physical code you scan to make sure it has not been tampered with, such as a sticker placed over the original.
- Never download an app via a QR code.
- Contact the person or company who sent you a QR code, through a number or address you already know, to confirm it is legitimate.
- Avoid making payments via a QR code.
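Because nobody can read a QR code by eye, the first three of those checks are easiest to apply once the code has been decoded to text and before anyone taps the link. The following Python script is an added example, not code from this article or from Featurespace: it assumes the QR image has already been decoded by the camera app or a library such as pyzbar, and it triages only the decoded string. The host names, the "expected" operator domain and the sample payloads are constructed for illustration.

```python
"""Triage a decoded QR payload before anyone taps the link.

Added example, not code from the article or from Featurespace. It assumes the
QR image has already been decoded to text by the camera app or a library such
as pyzbar; only the decoded string is handled here. Domain names, the expected
operator domain and the sample payloads are constructed for illustration.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Link shorteners hide the real destination; a payment code has no reason to use one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# App-store hosts and installer extensions: FBI guidance says never install via QR.
APP_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
APP_FILE_EXT = (".apk", ".ipa", ".exe", ".msi", ".dmg")
# Non-URL QR payload types that make the phone do something other than browse.
ACTION_SCHEMES = ("wifi:", "mecard:", "mailto:", "tel:", "sms:", "smsto:", "intent:", "market:")


def registrable(host: str) -> str:
    """Last two labels of a hostname. Good enough for this example; a real
    deployment would use the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _verdict(block: list, review: list) -> dict:
    if block:
        return {"verdict": "block", "reasons": block + review}
    if review:
        return {"verdict": "review", "reasons": review}
    return {"verdict": "ok", "reasons": []}


def triage(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'verdict': 'ok'|'review'|'block', 'reasons': [...]}.

    expected_domain is the domain the sign, kiosk or email claims to belong to
    (e.g. the parking operator's website). A host outside that domain is blocked,
    and a host that merely contains the brand name is flagged as a look-alike.
    """
    block, review = [], []
    text = payload.strip()

    # 1. Payload is an action, not a link (join Wi-Fi, add contact, send SMS, ...).
    if text.lower().startswith(ACTION_SCHEMES):
        review.append("non-URL action payload: " + text.split(":", 1)[0].lower() + ":")
        return _verdict(block, review)

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        block.append("not an http(s) URL")
        return _verdict(block, review)

    # 2. Plain http: anything typed into the page travels in the clear.
    if scheme == "http":
        review.append("plain http, no TLS")

    # 3. Bare IP address: there is no brand to check against the sign.
    try:
        ipaddress.ip_address(host)
        block.append("host is a bare IP address")
    except ValueError:
        pass

    # 4. Brand name smuggled into userinfo: https://bank.example@attacker.example/
    if parts.username is not None:
        block.append("text before '@' is not the host (userinfo trick)")

    # 5. Punycode or non-ASCII labels: classic homograph look-alikes.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        review.append("punycode or non-ASCII host (possible homograph)")

    # 6. Shortener: the destination cannot be checked until it is visited.
    if registrable(host) in SHORTENERS:
        review.append(f"shortener {host} hides the destination")

    # 7. App install via QR is never acceptable.
    if host in APP_STORE_HOSTS or parts.path.lower().endswith(APP_FILE_EXT):
        block.append("points to an app install")

    # 8. Compare against the domain the sign or message claims.
    if expected_domain:
        want, got = registrable(expected_domain), registrable(host)
        if got != want:
            brand = want.split(".")[0]
            if brand in host:
                block.append(f"look-alike host {host} (expected {want})")
            else:
                block.append(f"host {host} is not under {want}")

    return _verdict(block, review)


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner library would return them.
    samples = [
        ("https://pay.cityparking.example/lot/42", "cityparking.example"),   # genuine sign
        ("https://cityparking-pay.example/lot/42", "cityparking.example"),   # sticker overlay
        ("https://cityparking.example@198.51.100.7/pay", "cityparking.example"),
        ("https://bit.ly/3abcd", "cityparking.example"),
        ("https://cdn.example/parking.apk", None),                           # app install
        ("WIFI:T:WPA;S:FreeLot;P:hunter2;;", None),                          # not a link
    ]
    for payload, expected in samples:
        result = triage(payload, expected)
        print(f"{result['verdict']:6}  {payload}  {result['reasons']}")
```

Run it on the string a scan returns; a verdict of block or review means the safer move is to type the operator's known address by hand, which is what the FBI's last recommendation amounts to. The registrable-domain comparison is deliberately simple (last two labels), so a real scanner or mail gateway would swap in the Public Suffix List before comparing hosts.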
The absolute safest thing a person could do would be never to interact with the site on the other side of a QR code scan. If the site prompts users to input data, make a payment, or download an app, it is best to navigate away.
But that is not sustainable. If a parking lot only offers payment via QR code, for example, then it is up to the payer to check the legitimacy of the code itself as well as of the platform they are about to pay on.
As with any novel technology, some people will be better than others at sniffing out a scam. That is why financial institutions cannot rely on consumer vigilance alone to stop QR code fraud. They need to protect dynamic and one-time QR code payments with controls such as 3-D Secure (3DS) or Strong Customer Authentication (SCA).
Financial institutions can then fortify that security with a platform like ARIC™ Risk Hub, which uses proprietary machine learning to learn about customer behaviors. Our models assess the behaviors that are normal and those that are out of character for individual customers. This layer of intelligence can help financial institutions interrupt fraud in real time.
In the meantime, you can read our full list of 2022 predictions here.