
The Fraud Risks of Using QR Codes in Payments


Table of Contents

  1. What Are QR Codes?
  2. How Do QR Code Payments Work?
  3. How Are QR Codes Used to Perpetrate Fraud?
  4. What Happens When QR Code Payments Result in Chargebacks?
  5. The Bottom Line on QR Code Payments
  6. Can QR Codes Be Faked?

The use of QR codes in payments is on the rise, and many merchants are wondering if now is the right time to start using them. The technology has a number of advantages: it's contactless, quick, and often easier to implement than other high-tech payment methods that might require entirely new hardware.

However, every payment method comes with its own inherent risks, and QR codes are no exception. No merchant should accept a new form of payment without having a thorough understanding of the risks involved and how to mitigate them. What do merchants need to know about QR code payments and their vulnerability to fraud?


QR codes have been consistently popular in Japan, their country of origin, but to many in the United States, they mostly seemed like an early-2010s fad. Now, however, the camera apps on most smartphones support QR codes by default rather than requiring a separate app. In addition, the rise of peer-to-peer payment apps has created a significant new use case for these codes, allowing users to send a payment by scanning a code displayed on the recipient's app.

In addition, smartphones have become far more widespread than credit cards, especially in developing nations. In many places, scanning a QR code is now the default method of payment, not merely an alternative.

What Are QR Codes?

QR (Quick Response) codes are essentially bar codes that take the shape of a square. The use of two dimensions instead of one allows them to contain much more information.

QR codes were invented in 1994 to track materials in automobile factories, but the dawn of the smartphone helped them take off in a big way for the average person. While they were prevalent for a time, they never quite found their essential purpose—not in the United States, anyway, where they typically served as shortcuts to load a URL or contact information on your phone. In China and Southeast Asia, however, they found widespread use as a means to facilitate digital payments.

The emergence of the coronavirus upended the ways we go out and shop, and contactless payments have been on everyone’s mind—in fact, more than a quarter of customers are now only comfortable shopping at stores that include a contactless payment option.

Mobile payment apps like Apple Pay were already there to meet that need, but most mobile wallets require special terminals that are capable of reading them. QR codes, however, only require that the customer has a smartphone with a camera. The catch is that the relative ease of producing and reading QR codes makes it cheap and easy for fraudsters to interfere.

How Do QR Code Payments Work?

QR codes work by encoding information into a black and white pattern that can be easily read by any device with a camera and compatible software. Payment apps can encode information like the amount of a transaction and its intended recipient.

Some codes contain URLs that launch on your browser once read. Others may load contact information into your phone’s address book. There is no universal standard for using QR codes for payments, but a number of payment platforms have their own methods.

A QR code may be generated dynamically at checkout, or a physical code at checkout can take customers to an online payment portal. QR codes can also be attached as stickers or printed onto the packaging of products. Depending on how the system is set up, customers can often scan the codes on items they wish to purchase to add them to an online shopping cart, and can pay whenever they've scanned everything they're buying.

For dynamically-generated QR codes, a code is generated that contains the payment amount and destination and is scanned using an appropriate app. After a prompt to confirm the payment details, the funds are transferred to the merchant's account.

Making payments this way is easy, convenient, and requires no physical contact with anything but your own device. However, the resurgence of QR code payments has attracted the attention of fraudsters, who are using phishing schemes and fake codes to steal money and personal data from unsuspecting consumers.

How Are QR Codes Used to Perpetrate Fraud?

The main way QR codes are used to commit fraud is by replacing or covering static QR codes with new codes set up by the fraudster. This new code can route a payment to a different destination or lead the customer to a fake website.

QR code fraud has been around for some time. Back when QR codes first started appearing on products, advertisements, posters, and other odd places, it was not uncommon for fraudsters to replace legitimate QR codes with their own codes, often simply by printing one on a sticker and placing it on top of the real one. Parking meters and ticket vending machines are common targets of this scheme.

When a customer would scan this fake code, they would be taken to a website that might load malware onto their device or try to trick them into entering credit card information or other sensitive personal data.

The advent of QR code payments has made it possible for fake codes to steal funds directly. While most QR code payment apps should prompt the customer to verify the payment details after scanning the code, it’s easy for busy shoppers to approve a fraudulent payment because they weren’t paying close attention.

In markets where QR code payments are commonplace, some inventive scams have emerged, such as printing fake parking tickets that allow you to pay your “fine” via QR code, or offers to exchange QR code payments for cash that overcharge the recipient by several orders of magnitude.

One of the problems with QR codes is that there's no way for customers to verify what information they actually contain without scanning them. A fake QR code isn't even technically fake; it's just a real QR code put somewhere it doesn't belong with the intention of tricking people out of their money or personal information. It can be hard to spot a QR code that's been replaced even if you know what you're looking for, and most customers won't know what they're looking for, or even that they should be looking at all.

What Happens When QR Code Payments Result in Chargebacks?

Most forms of QR code fraud circumvent the merchant. If a merchant allows QR code scanning for payment and a fraudster tricks a customer into scanning a fake code instead, the dispute is between the customer and the fraudster.

Currently, there are no credit card issuers that offer integrated QR code payments, which means that the Fair Credit Billing Act does not apply to the QR code payment platforms that are widely used today.

If a customer claims that a PayPal QR code payment was somehow made without their authorization, they will be obligated to follow PayPal’s proprietary dispute rules.

Merchants like CVS and Walgreens, who offer QR code payments via their branded apps, are left to their own discretion to devise rules for handling disputes.

The more imminent danger for merchants who offer QR code payments is that fraud will undermine customer confidence in this payment method. Generating dynamic QR codes at checkout is the safest way to utilize this payment method, as it then becomes prohibitively difficult for fraudsters to swap in fake codes for the customer to scan.

Merchants who want to use physical QR codes must check them regularly for tampering. Even if the code is within sight of employees, applying a sticker with a fake QR code is something that can be done discreetly, and in less than a second. Fortunately, checking for tampering is as easy as making sure there's no sticker on top of the legitimate QR code.

Unfortunately, unless you go to extremes, any fake QR code applied could be scanned by one or more customers before your regular check spots the tampering. That's why it's much safer to generate digital QR codes when possible instead of using physical ones.
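The visual sticker check can be backed up by scanning each posted code and comparing what it actually contains against the merchant's own payment destination. The sketch below is an added example, not code from this blog or from any payment platform; the portal host, the merchant ID, the "merchant" URL parameter and the sample scans are all assumptions made up for illustration, since there is no universal payload format.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration: the merchant's real payment portal and ID.
EXPECTED_HOST = "pay.example.com"
EXPECTED_MERCHANT = "M-10482"

# Constructed sample: text decoded from each posted code during a routine check.
SAMPLE_SCANS = {
    "register 1": "https://pay.example.com/checkout?merchant=M-10482",
    "front door": "https://pay.example.com.portal.example/checkout?merchant=M-10482",
    "parking kiosk": "https://pay.example.com@payments.example.net/checkout?merchant=M-10482",
    "menu card": "https://pay.example.com/checkout?merchant=M-99999",
}

def check_payload(decoded):
    """Return the reasons a decoded payload differs from the merchant's own code."""
    try:
        url = urlsplit(decoded.strip())
        port = url.port  # raises ValueError on a malformed port
    except ValueError:
        return ["payload is not a parseable URL"]
    problems = []
    if url.scheme != "https":
        problems.append(f"scheme is {url.scheme!r}, expected 'https'")
    # Text before '@' can make a foreign host look like the expected one.
    if url.username or url.password:
        problems.append("URL carries userinfo before the host")
    if url.hostname != EXPECTED_HOST:  # exact match, so lookalike suffixes fail
        problems.append(f"host is {url.hostname!r}, expected {EXPECTED_HOST!r}")
    if port not in (None, 443):
        problems.append(f"unexpected port {port}")
    merchant = parse_qs(url.query).get("merchant", [])
    if merchant != [EXPECTED_MERCHANT]:
        problems.append(f"merchant is {merchant}, expected {EXPECTED_MERCHANT!r}")
    return problems

def audit(scans):
    """Map each location to its problems; codes that match are left out."""
    report = {}
    for location, decoded in scans.items():
        problems = check_payload(decoded)
        if problems:
            report[location] = problems
    return report

if __name__ == "__main__":
    for location, problems in audit(SAMPLE_SCANS).items():
        print(f"{location}: " + "; ".join(problems))
```

Any location that appears in the report should have its code pulled and replaced before more customers scan it.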

The Bottom Line on QR Code Payments

Contactless payments were a novelty just a few years ago, but circumstances have turned them into a necessity for many merchants. While it does make sense for many merchants to upgrade to NFC terminals that can accept mobile wallet payments, QR code payments offer a simple, low-overhead way to get in the contactless payment game.

For merchants, this method may be relatively secure, but incautious consumers may find themselves victimized by relatively unsophisticated scams. Merchants who accept QR code payments can promote greater safety and confidence in them by adhering to best practices and not placing QR codes where they can be easily replaced or manipulated by scammers.

FAQ

Can QR Codes Be Faked?

Yes. A QR code can be generated for any web address, so scammers can print one linking to a website designed to steal payment information and paste it over an existing code at a business. Businesses using QR codes should check them regularly for tampering.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com
