With the Covid-19 pandemic helping fuel broad adoption of Quick Response codes by merchants for payments and ordering, it was only a matter of time before criminals exploited the contactless technology. Fraudsters are creating fake QR codes that, when scanned, take consumers to a bogus landing page that collects payment and personal information. The fake codes are being placed over legitimate codes in locations where consumers would scan them to initiate a payment, such as at a restaurant or on parking meters.
The problem has become so acute the FBI issued an alert earlier this month warning consumers to be on the lookout for malicious QR codes.
“While QR codes themselves are not malicious, the ease with which criminals can create their own fake codes is a growing concern, so much so that the FBI is now warning that this is the latest way cybercriminals are trying to steal information,” says Mark Walz, chief technology officer for SpotOn Transact LLC, a San Francisco-based provider of payment-processing technology and business software.
Following the FBI’s alert, Chicago Parking Meters LLC, developer of the ParkChicago parking app, issued a warning to its customers to be aware of fake QR codes. The notice pointed out that the ParkChicago app and on-street payboxes do not use QR codes to initiate a payment, WLS-TV ABC 7 Chicago, the local ABC television affiliate, reported Wednesday.
In addition to its warning that criminals are using fake QR codes to gather consumers’ account and personal information, the FBI notice spotlighted a second QR code scam in which criminals download malware to a consumer’s smart phone when a fake QR code is scanned. The malware can be used to gather personal and financial data from a consumer’s phone.
To protect consumers from malicious QR codes, SpotOn recommends merchants audit all their existing codes to make sure they have not been tampered with. Ways in which criminals can tamper with a QR code include overlaying a legitimate QR code with a sticker depicting a fake code and altering the legitimate code to redirect consumers to Web sites they control.
SpotOn also recommends merchants test every QR code displayed in their place of business and store any QR codes from outdoor patios inside after business hours to prevent tampering.
Restaurants are also being urged to add their name or logo to QR codes to maintain customer confidence in the code.
Finally, merchants should train staff to spot fake QR codes and educate consumers about the measures they’ve taken to ensure their codes haven’t been tampered with, should consumers express hesitancy about scanning the code.
“It can be hard for customers to distinguish between a fake QR code and a real one,” Walz says. “At SpotOn, we are advising our clients to take [our recommended] steps to protect their guests.”