The Fraud Risks of Using QR Codes in Payments
Table of Contents
- What Are QR Codes?
- How Do QR Code Payments Work?
- How are QR Codes Used to Perpetrate Fraud?
- What Happens When QR Code Payments Result in Chargebacks?
- The Bottom Line on QR Code Payments
- Can QR Codes Be Faked?
To many American consumers, it may feel like QR codes had their moment a few years ago, but they never really went away—and with contactless payments becoming a big priority in light of the COVID-19 pandemic, they’re starting to make a comeback.
QR codes offer an easily accessible way to receive contact-free payments without investing in the near-field communications hardware required by many digital wallet platforms, but greater accessibility sometimes means a greater risk of fraud. How are fraudsters exploiting QR codes to steal money, payment card credentials, and sensitive personal data?
What Are QR Codes?
QR (Quick Response) codes were invented in 1994 to track materials in automobile factories, but the dawn of the smartphone helped them take off in a big way for the average person. While they were prevalent for a time, they never quite found their essential purpose—not in the United States, anyway, where they typically served as shortcuts to load a URL or contact information on your phone. In China and Southeast Asia, however, they found widespread use as a means to facilitate digital payments.
The emergence of the coronavirus upended the ways we go out and shop, and contactless payments have been on everyone’s mind—in fact, more than a quarter of consumers are now only comfortable shopping at stores that include a contactless payment option. Mobile payment apps like Apple Pay were already there to meet that need, but most mobile wallets require special terminals that are capable of reading them. QR codes, however, only require that the customer has a smartphone with a camera.
The catch is that the relative ease of producing and reading QR codes makes it cheap and easy for fraudsters to interfere.
How Do QR Code Payments Work?
QR codes work much like the barcodes that, for decades now, have been printed on nearly every consumer product package. Because QR codes are a grid rather than a single row of readable bars, they can contain more encoded data. Any device with a camera can capture an image of a QR code and decode the pattern of dots into meaningful data.
Some codes contain URLs that launch on your browser once read. Others may load contact information into your phone’s address book. There is no universal standard for using QR codes for payment, but platforms like PayPal as well as individual merchants have created payment systems that use QR codes to trigger payments. A QR code may be generated dynamically at checkout, or a physical code at checkout can take customers to an online payment portal. QR codes can also be attached as stickers or printed onto packaging of products. Depending on how the system is set up, customers can often scan the codes on items they wish to purchase to add them to an online shopping cart, and can pay whenever they've scanned everything they're buying.
For dynamically generated QR codes, a code is generated that contains the payment amount and destination, and scanned using an appropriate app. After a prompt to confirm the payment details, the funds are transferred to the merchant's account.
Making payments this way is easy, convenient, and requires no physical contact with anything but your own device. However, the resurgence of QR code payments has attracted the attention of fraudsters, who are using phishing schemes and fake codes to steal money and personal data from unsuspecting consumers.
How are QR Codes Used to Perpetrate Fraud?
QR code fraud has been around for some time. Back when QR codes first started appearing on products, advertisements, posters, and other odd places, it was not uncommon for fraudsters to replace legitimate QR codes with their own codes, often simply by printing one on a sticker and placing it on top of the real one. Parking meters and ticket vending machines are common targets of this scheme.
When a consumer would scan this fake code, they would be taken to a website that might load malware onto their device or try to trick them into entering credit card information or other sensitive personal data. The advent of QR code payments has made it possible for fake codes to steal funds directly. While most QR code payment apps should prompt the consumer to verify the payment details after scanning the code, it’s easy for busy shoppers to approve a fraudulent payment because they weren’t paying close attention.
In markets where QR code payments are commonplace, some inventive scams have emerged, such as printing fake parking tickets that allow you to pay your “fine” via QR code, or offers to exchange QR code payments for cash that overcharge the recipient by several orders of magnitude.
One of the problems with QR codes is that there's no way for customers to verify what information they actually contain without scanning them. A fake QR code isn't even technically fake; it's just a real QR code put somewhere it doesn't belong with the intention of tricking people out of their money or personal information. It can be hard to spot a QR code that's been replaced even if you know what you're looking for, and most customers won't know what they're looking for, or even that they should be looking at all.
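A payment app does not have to rely on a hurried shopper to catch a swapped or inflated code: after decoding, and before it shows the confirmation prompt, it can compare the payload with the order it expects. The Python below is an added example, not code from any payment platform; the URL layout, the `to` and `amount` parameters, the host `pay.merchant.example` and the account IDs are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Hypothetical payload layout, since there is no universal standard:
#   https://<payment host>/pay?to=<merchant account>&amount=<decimal>
ALLOWED_HOSTS = {"pay.merchant.example"}  # constructed value

def check_payment_qr(decoded, expected_to, expected_amount):
    """Return reasons to refuse a decoded QR payload; an empty list means it matches."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if host not in ALLOWED_HOSTS:
        findings.append(f"unexpected payment host {host!r}")
    # Repeated parameters are refused: different parsers may pick different copies.
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {}
    for key in ("to", "amount"):
        values = query.get(key, [])
        if len(values) == 1:
            fields[key] = values[0]
        else:
            findings.append(f"parameter {key!r} missing or repeated")
    if "to" in fields and fields["to"] != expected_to:
        findings.append("payee does not match the merchant account")
    if "amount" in fields:
        try:
            amount = Decimal(fields["amount"])
        except InvalidOperation:
            findings.append("amount is not a number")
        else:
            if not amount.is_finite() or amount != Decimal(expected_amount):
                findings.append("amount does not match the order total")
    return findings

# Constructed sample payloads, as a scanner would hand them over after decoding.
GENUINE = "https://pay.merchant.example/pay?to=ACCT-1001&amount=12.50"
SWAPPED = "https://pay.merchant-example.test/pay?to=ACCT-9999&amount=12.50"
INFLATED = "https://pay.merchant.example/pay?to=ACCT-1001&amount=1250.00"

if __name__ == "__main__":
    for payload in (GENUINE, SWAPPED, INFLATED):
        print(check_payment_qr(payload, "ACCT-1001", "12.50") or "ok")
```

Any non-empty result should block the payment outright instead of being folded into the prompt the customer is asked to approve.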
What Happens When QR Code Payments Result in Chargebacks?
Most forms of QR code fraud circumvent the merchant. If a merchant allows QR code scanning for payment and a fraudster tricks a consumer into scanning a fake code instead, the dispute is between the consumer and the fraudster, because no payment was received by the merchant.
Currently, there are no credit card issuers that offer integrated QR code payments, which means that the Fair Credit Billing Act does not apply to the QR code payment platforms that are widely used today.
If a customer claims that a PayPal QR code payment was somehow made without their authorization, they will be obligated to follow PayPal’s proprietary dispute rules.
Merchants like CVS and Walgreens, who offer QR code payments via their branded apps, are left to their own discretion to devise rules for handling disputes.
The more imminent danger for merchants who offer QR code payments is that fraud will undermine consumer confidence in this payment method. Generating dynamic QR codes at checkout is the safest way to utilize this payment method, as it then becomes prohibitively difficult for fraudsters to swap in fake codes for the customer to scan.
Merchants who want to use physical QR codes must check them regularly for tampering. Even if the code is within sight of employees, applying a sticker with a fake QR code is something that can be done discreetly, and in less than a second. Fortunately, checking for tampering is as easy as making sure there's no sticker on top of the legitimate QR code. Unfortunately, unless you go to extremes, any fake QR code applied could be scanned by one or more customers before your regular check spots the tampering. That's why it's much safer to generate digital QR codes when possible instead of using physical ones.
The Bottom Line on QR Code Payments
Contactless payments were a novelty just a few years ago, but circumstances have turned them into a necessity for many merchants. While it does make sense for many merchants to upgrade to NFC terminals that can accept mobile wallet payments, QR code payments offer a simple, low-overhead way to get in the contactless payment game. For merchants, this method may be relatively secure, but incautious consumers may find themselves victimized by relatively unsophisticated scams.
Merchants who accept QR code payments can promote greater safety and confidence in them by adhering to best practices and not placing QR codes where they can be easily replaced or manipulated by scammers.
Can QR Codes Be Faked?