QR code fraud is scams fraudsters run with via the little two-dimensional square-speckled boxes called QR Codes (Quick Response Codes). They have grown from use specific to the automotive industry to all sorts of applications.
The onset of the pandemic and lockdowns have led to a more contactless world. We have all experienced the shift to online purchases, cashless payments and physical distancing wherever and whenever necessary.
That has led to an evolution of and increased emphasis on digital frauds, including QR code fraud, for both bad actors and our teams.
Why QR code fraud is a problem hidden in plain sight
QR codes have been around for years, but with global societal no-touch policies, their use has increased. We’re mostly familiar with their use to advertise everything to the masses and confirm different Covid-related details. They are on business cards, posters, menus, buildings and carried with many of us as proof of vaccination.
These simple little matrices have so much potential for good and harm. Of course, our industry is concerned with the latter and it has been seen to be rising due to the altered state of the world. Their recent commonality has led to a general level of trust amongst the global population. People see them everywhere and used by everyone, so they simply trust them to be safe.
However, both the Better Business Bureau and FBI have released alerts regarding the dangers of QR code fraud and ease of their use for nefarious purposes.
The use of mobile devices to decipher and use these links plays into the effectiveness of the schemes that abuse them. Actions through a phone are believed to be safer, when they really are not, and users push things through, wanting them to be fast. Being on a mobile device can often mean the user is out in public or distracted, just wanting the desired outcome to happen. There is little to no scrutiny.
Outside of the lack of caution when it comes to QR Code use, depending on how you are accessing it, there is very little information available to determine if the link is malicious or not. Many scanning applications automatically access the path presented by the code without displaying it to be reviewed before accessing it. Some schemes involving these efforts do not even need to access a URL but perform a function right through the device when scanned.
QR code fraud scams
There are several ways that a fraudster can commit QR code fraud.
They could simply create their own QR Code from any free generator on the Internet and add it to any form of false advert or marketing scheme to trick people into scanning them. These mostly advertise offers that are too good to be true, like high value merchandise looking to be from genuine vendors but priced extremely low, usually with a short window of opportunity available to purchase, but people believe them. They can be online, on flyers, stickers stuck to anything and more. QR Codes have even been seen to just be randomly placed on things with no details and people still scan them.
Fraudsters will also try to manipulate existing QR Codes to link to what they want. They will stick their QR Codes overtop legitimate ones, hoping that someone will scan and access them, thinking that it is from the real offering or information provider. This is called “attagging,” a combination of “attack” and “tagging.”
QR Codes are used to access anything that has an online path or programmable push. They can direct the scanner to malicious websites, apps and payment screens. They can automate actions from your device like installing malware, sending emails and adding contacts. There have been reported instances of QR code fraud where the access of a QR code relinquished complete control of the users’ devices to the fraudster.
Fraudsters are making use of this technique because it is very easy to set up and use with the potential of a high payoff. It has been proving to be very effective and could be one of the reasons for the global increase of account takeovers.
Most of the links are similar to those we see in common phishing scams. The sites are set up to look legitimate and request the user to login and/or enter personal details. Some will link directly from the advert to a payment page that prompts the victim to enter their card details and information to complete the fake purchase. Others may ask the user to download malware masked as an app. There are so many possibilities. We have made it too easy.
How do we protect everyone from QR code fraud? Well, we can’t. We can educate, but users must be cautious on their own.
How to avoid QR code fraud
The FBI has released this list of tips to avoid falling victim to QR code fraud:
- Double-check the URL of any site pulled up with a QR code to make sure it’s legitimate: “A malicious domain name may be similar to the intended URL but with typos or a misplaced letter,” the FBI added.
- Before engaging with a QR code, check to make sure the code itself hasn’t been tampered with. The FBI suggests looking for evidence a sticker has been slapped over the original code.
- The alert also cautions users against downloading an app from a QR code rather than the application store, which has more security protections.
- Do not download a QR code scanner app: The FBI said, “this increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.”
- Don’t make payments to a site accessed by a QR code, if possible.
- If you receive a QR code that you believe to be from someone you know, reach out to the person through a known number or address to verify that the code is truly from them.
So, when you see that nifty little poster with the QR code on it, be sure to check whether or not you completely trust it before accessing.
This article was contributed by Shawn Colpitts, Senior Fraud Investigator at Just Eat Takeaway.com