What You Need to Know About QR Code Fraud


QR code fraud is a major problem worldwide, especially as the black-and-white squares have grown in popularity and are now commonly found in restaurants, on product packaging and in other retail settings. As adoption — and trust — in QR codes increases, so do the attempts of criminals to use them maliciously.

 

What Are QR Codes?

A QR (quick-response) code is a type of two-dimensional barcode that was invented in 1994 by a Japanese company to track vehicles during the manufacturing process. These codes are readable by an optical scanner or a camera that's equipped with software to decipher them.

QR codes are used for tasks such as:

  • Opening website URLs.
  • Tracking products in factories and warehouses.
  • Sharing personal information.

While QR codes first began in industrial settings, the age of the smartphone soon meant that they started showing up in advertisements. Phone cameras allowed people to scan them to learn more about products or services.

However, QR codes reached a new level of prominence during the COVID-19 pandemic. During the viral outbreak, companies needed a touchless way to provide information — such as restaurant menus — to customers. Suddenly, QR codes became part of everyday life.

Besides convenience, the QR code revival had another facet: They became a tempting tool for criminals to use to take advantage of unsuspecting victims.

In the U.S., fraudsters place QR codes inconspicuously, intending to steal innocent users' information and financial resources. While most QR codes are safe to use, it's important to be aware of the risks of fraudulent QR codes and the steps you can take to avoid them.

To help you stay one step ahead of online criminals, Patrick Smith, who heads a group combatting fraud for City National Bank, offered critical tips that all consumers and business owners should know. Keep reading to learn more.

 

What is QR code fraud?

Imagine going to a fast-food restaurant and scanning a sticker with a QR code on the table to view the menu and order your meal. A website opens with a restaurant menu and payment system for an all-in-one ordering experience.

But what you do not realize is that the QR code is malicious, placed there by a cyber-criminal. The phony QR code might redirect your payment through a convincing third-party website, allowing hackers to capture your credit or debit card information and use it to make fraudulent purchases.

While this may sound like a scene out of a movie, it's not. In Austin, Texas recently, criminals placed fraudulent QR codes on public parking payment stations. Local government agencies quickly warned the public and inspected their 900 parking meters. But by the time they found out what had happened, the damage had already been done.

 

Spotting & Avoiding Bad QR Codes

While QR codes are incredibly convenient and easy to use, one difficulty they pose is that it's nearly impossible to tell where they lead without scanning them. That opens users up to some immediate risk.

"QR codes are the current version of phishing emails. Like the phishing emails, the QR code can appear legitimate," said Smith. "These codes appear in our coffee shops, television shows, social media feeds, emails and other areas. The common availability of these codes makes fraudulent ones difficult to spot."

In order to avoid getting scammed, he recommends looking for misspelled words around QR codes, bad grammar, poor features or a design that doesn't exactly match the website of the company it's purporting to represent.

Additionally, examine the web address of any QR code you're thinking of scanning. Many smartphones offer a preview of the link associated with a QR code before it opens. If that link doesn't look official or is suspicious in any way, don't tap it. For example, a real link should always start with "https://" instead of "http://" and should be free of spelling errors.

If you do open a QR code that you think might be malicious, avoid entering any personal information on the page and do not open any files that might have started downloading automatically when you arrived at the page.

If you're at a business and are uncertain if a QR code is real, ask an employee to verify it. However, it's still smart to exercise caution even if a business confirms that it uses QR codes — some fraudsters produce stickers that seamlessly cover legitimate codes.

Smith warned that "if the code is in an odd space, such as a random sticker on the wall, consider that it may be a fraud attempt."

 

What can happen if you fall victim to a QR code scam

In an ideal world, smartphone users would be savvy enough to avoid QR code scams and fraud. However, in reality, even the most diligent web users could end up at a bad website due to a malicious QR code. If that happens, and you find yourself the victim of financial fraud, you should take quick action to protect yourself.

"Review all of your accounts and discuss the risk that your accounts have been compromised with your bank or banks to establish additional controls. The bank can offer protections for these events, including items such as passcodes, new account numbers, new cards and the like," Smith said.

City National clients can easily reach the bank's fraud department to discuss any suspected financial fraud or report that their information has been stolen. Once notified, the City National team can take appropriate action to address the compromise.

He added that City National uses a layered security approach for any interaction.

"This includes systems that automatically review the authenticity of account access from any number of channels. This review allows us to identify high-risk attempts that require the bank to prevent access to even initiate these transfers," Smith said.

Also, remember to change any affected passwords after a breach. If other personal information was compromised, consider placing a freeze on your credit report with the three major credit bureaus, Experian, Equifax and TransUnion, to prevent new credit accounts from being opened in your name.

 

Other Ways To Protect Yourself From QR Code Fraud

Don't wait around for fraud to happen. Consider these tips to prevent falling victim to QR code fraud and other digital scams before they happen:

  • Stay apprised of the latest scams: Reading articles like this, listening to cybersecurity podcasts and following consumer alerts from government agencies can keep you aware of which scams are prevalent so you can stay vigilant against common traps.
  • Use unique passwords: Never use the same password on multiple websites, particularly financial sites and apps. Using a secure password manager can help you easily keep track of all of those passwords within a secure system.
  • Follow online security best practices: If a QR code looks tampered with, don't scan it. If you're using public internet networks, consider using a virtual private network (VPN) to encrypt your connection. And never give your information anywhere unless you're absolutely sure that the website is genuine.

"While it may seem restrictive, only interact with a QR code from a trusted source," Smith suggested. If a QR code leads you to a website that asks for sensitive information, it's best to avoid entering that information.

While financial institutions have safeguards in place, Smith added that it takes teamwork with your bank to keep your account safe. When you follow expert online security suggestions, you're in the best position to avoid QR code fraud and other scams for years to come.





This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.