The Fraud Risks of Using QR Codes in Payments
Table of Contents
- What Are QR Codes?
- How Do QR Code Payments Work?
- How Are QR Codes Used to Perpetrate Fraud?
- What Happens When QR Code Payments Result in Chargebacks?
- The Bottom Line on QR Code Payments
- Can QR Codes Be Faked?
The use of QR codes in payments is on the rise, and many merchants are wondering if now is the right time to start using them. The technology has a number of advantages: it's contactless, quick, and often easier to implement than other high-tech payment methods that might require entirely new hardware.
However, every payment method comes with its own inherent risks, and QR codes are no exception. No merchant should accept a new form of payment without having a thorough understanding of the risks involved and how to mitigate them. What do merchants need to know about QR code payments and their vulnerability to fraud?
QR codes have been consistently popular in Japan, their country of origin, but to many in the United States, they mostly seemed like an early-2010s fad. Now, however, the camera apps on most smartphones support QR codes by default rather than requiring a separate app. In addition, the rise of peer-to-peer payment apps has created a significant new use case for these codes, allowing users to send a payment by scanning a code displayed on the recipient's app.
In addition, smartphones have become far more widespread than credit cards, especially in developing nations. In many places, scanning a QR code is now the default method of payment, not merely an alternative.
What Are QR Codes?
QR codes were invented in 1994 to track materials in automobile factories, but the dawn of the smartphone helped them take off in a big way for the average person. While they were prevalent for a time, they never quite found their essential purpose—not in the United States, anyway, where they typically served as shortcuts to load a URL or contact information on your phone. In China and Southeast Asia, however, they found widespread use as a means to facilitate digital payments.
The emergence of the coronavirus upended the ways we go out and shop, and contactless payments have been on everyone’s mind—in fact, more than a quarter of customers are now only comfortable shopping at stores that include a contactless payment option.
Mobile payment apps like Apple Pay were already there to meet that need, but most mobile wallets require special terminals that are capable of reading them. QR codes, however, only require that the customer has a smartphone with a camera. The catch is that the relative ease of producing and reading QR codes makes it cheap and easy for fraudsters to interfere.
How Do QR Code Payments Work?
Some codes contain URLs that launch on your browser once read. Others may load contact information into your phone’s address book. There is no universal standard for using QR codes for payments, but a number of payment platforms have their own methods.
A QR code may be generated dynamically at checkout, or a physical code at checkout can take customers to an online payment portal. QR codes can also be attached as stickers or printed onto the packaging of products. Depending on how the system is set up, customers can often scan the codes on items they wish to purchase to add them to an online shopping cart, and can pay whenever they've scanned everything they're buying.
For dynamically-generated QR codes, a code is generated that contains the payment amount and destination and is scanned using an appropriate app. After a prompt to confirm the payment details, the funds are transferred to the merchant's account.
Making payments this way is easy, convenient, and requires no physical contact with anything but your own device. However, the resurgence of QR code payments has attracted the attention of fraudsters, who are using phishing schemes and fake codes to steal money and personal data from unsuspecting consumers.
How Are QR Codes Used to Perpetrate Fraud?
QR code fraud has been around for some time. Back when QR codes first started appearing on products, advertisements, posters, and other odd places, it was not uncommon for fraudsters to replace legitimate QR codes with their own codes, often simply by printing one on a sticker and placing it on top of the real one. Parking meters and ticket vending machines are common targets of this scheme.
When a customer would scan this fake code, they would be taken to a website that might load malware onto their device or try to trick them into entering credit card information or other sensitive personal data.
The advent of QR code payments has made it possible for fake codes to steal funds directly. While most QR code payment apps should prompt the customer to verify the payment details after scanning the code, it’s easy for busy shoppers to approve a fraudulent payment because they weren’t paying close attention.
In markets where QR code payments are commonplace, some inventive scams have emerged, such as printing fake parking tickets that allow you to pay your “fine” via QR code, or offers to exchange QR code payments for cash that overcharge the recipient by several orders of magnitude.
One of the problems with QR codes is that there's no way for customers to verify what information they actually contain without scanning them. A fake QR code isn't even technically fake; it's just a real QR code put somewhere it doesn't belong with the intention of tricking people out of their money or personal information. It can be hard to spot a QR code that's been replaced even if you know what you're looking for, and most customers won't know what they're looking for, or even that they should be looking at all.
What Happens When QR Code Payments Result in Chargebacks?
Currently, there are no credit card issuers that offer integrated QR code payments, which means that the Fair Credit Billing Act does not apply to the QR code payment platforms that are widely used today.
If a customer claims that a PayPal QR code payment was somehow made without their authorization, they will be obligated to follow PayPal’s proprietary dispute rules.
Merchants like CVS and Walgreens, who offer QR code payments via their branded apps, are left to their own discretion to devise rules for handling disputes.
The more imminent danger for merchants who offer QR code payments is that fraud will undermine customer confidence in this payment method. Generating dynamic QR codes at checkout is the safest way to utilize this payment method, as it then becomes prohibitively difficult for fraudsters to swap in fake codes for the customer to scan.
Merchants who want to use physical QR codes must check them regularly for tampering. Even if the code is within sight of employees, applying a sticker with a fake QR code is something that can be done discreetly, and in less than a second. Fortunately, checking for tampering is as easy as making sure there's no sticker on top of the legitimate QR code.
Unfortunately, unless you go to extremes, any fake QR code applied could be scanned by one or more customers before your regular check spots the tampering. That's why it's much safer to generate digital QR codes when possible instead of using physical ones.
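The regular tamper check described above can also compare what each posted code decodes to against what it should contain, which catches a replacement that has been printed to look like the original. This is an added example, not code from the article; the registry, location names, and `.example` URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed registry of what each posted code should decode to (constructed values).
EXPECTED = {
    "register-1": "https://pay.merchant.example/checkout?m=4411&loc=register-1",
    "patio-7": "https://pay.merchant.example/checkout?m=4411&loc=patio-7",
}

# Constructed scan results, as a staff member's phone would decode them on a walk-round.
SCANNED = {
    "register-1": "HTTPS://PAY.MERCHANT.EXAMPLE/checkout?loc=register-1&m=4411",
    "patio-7": "https://pay.merchant.example@pay-merchant.example/checkout?m=9020&loc=patio-7",
}

def _parts(url):
    """Reduce a URL to the fields that decide which site and account a scan reaches."""
    u = urlsplit(url.strip())
    return {
        "scheme": u.scheme,                      # urlsplit lowercases the scheme
        "userinfo": u.username is not None,      # text before '@' is not the host
        "host": (u.hostname or "").rstrip("."),  # hostname is already lowercased
        "port": None if u.port == 443 else u.port,
        "path": u.path or "/",
        "query": {k: sorted(v) for k, v in parse_qs(u.query).items()},
    }

def audit_code(location, decoded):
    """Return findings for one scanned code; an empty list means it is unchanged."""
    if location not in EXPECTED:
        return ["unregistered: no expected value for this location"]
    try:
        want, got = _parts(EXPECTED[location]), _parts(decoded)
    except ValueError:  # malformed port or bracketed host
        return ["unparseable: decoded text is not a valid URL"]
    findings = []
    if got["scheme"] != "https":
        findings.append(f"scheme: expected https, got {got['scheme'] or 'none'}")
    if got["userinfo"]:
        findings.append(f"userinfo: text before '@' hides the real host {got['host']}")
    for field in ("host", "port", "path", "query"):
        if got[field] != want[field]:
            findings.append(f"{field}: expected {want[field]}, got {got[field]}")
    return findings

def audit_all(scans):
    """Map each location to its findings so tampered codes can be pulled at once."""
    return {loc: audit_code(loc, text) for loc, text in scans.items()}

if __name__ == "__main__":
    for loc, findings in audit_all(SCANNED).items():
        print(loc, "OK" if not findings else findings)
```

Differences in letter case or query-parameter order are not flagged, so the register-1 scan passes, while the patio-7 scan is reported for its userinfo prefix, its host, and its changed merchant parameter.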
The Bottom Line on QR Code Payments
Contactless payments were a novelty just a few years ago, but circumstances have turned them into a necessity for many merchants. While it does make sense for many merchants to upgrade to NFC terminals that can accept mobile wallet payments, QR code payments offer a simple, low-overhead way to get in the contactless payment game.
For merchants, this method may be relatively secure, but incautious consumers may find themselves victimized by relatively unsophisticated scams. Merchants who accept QR code payments can promote greater safety and confidence in them by adhering to best practices and not placing QR codes where they can be easily replaced or manipulated by scammers.