These days, QR Codes are the latest breakthrough in payment technology. They’re on subways, table tops, grocery stores, restaurants, direct mail, and even Super Bowl advertisements. While QR Codes were initially used in the supply chain and automotive industry, they’re now widely used for marketing and payments across various businesses.
Naturally, QR Code payments have become a popular mode of payment among clients. Over 4% of consumer transactions worldwide are using this payment option. And by 2030, this number is expected to grow at a CAGR of 16.1%. This is because QR Code payments make transactions faster, safer, and more accessible for customers.
As a client, you can partner with a QR Code payment provider or develop your own system for generating codes.
However, like any payment method, QR Codes come with inherent risks, including fraud. It’s why you need to completely understand these risks and know how to mitigate them before accepting this form of payment.
Let’s first understand the workings of a QR Code.
QR Code Payments: How do they work?
QR Codes encode information that your mobile device camera or any other compatible software can read. Payment apps can encode transaction details and recipient information. There is no set standard for using QR Codes in payments; several payment platforms have their own methods.
How do you create a QR Code for payment transactions? QR Codes can be created using a QR Code generator at checkout, or a physical QR Code can take customers to an online payment gateway. You can also use QR Codes as labels or printed onto product packaging. Making payments this way is easy and convenient, but fraudsters may use phishing schemes and fake codes to steal money and personal data.
Some vulnerabilities of QR Code payments are related to how the payment solution is presented, whether in a business-presented mode or a customer-presented mode. So, let’s understand the risks and ways to mitigate them from both the customer and business perspective.
How Can Cyber Criminals Attack QR Codes?
Cyber criminals are an arm’s length away as they are constantly looking for loopholes to scam people. Here’s how they might try to trick us into a QR Code scam:
Stealing Your Identity
QR Codes can be a gateway for attackers to steal your Personally Identifiable Information (PII). This information, like passport numbers, contact details, or even one-time passwords, is valuable for criminal activities.
Cyber criminals create fake QR Codes that install malware when scanned. This malware then steals your PII from your device. They can then use your stolen PII to take money, shop online, or carry out other malicious activities.
Real-life cases exist, such as the Australian incident where hackers exploited identities for money. According to the ACCC, over 28 QR Code scams resulted in over AU$100,000 in damages.
Here’s what you can do:
You can protect yourself by avoiding scanning QR Codes from unknown sources and thinking before you share your personal information online.
Illegitimate Payment Links
Cyber criminals can redirect payments by replacing genuine QR Codes with fraudulent ones at bus stops, grocery shops, mobile recharge shops, or other areas where consumers scan the code and pay.
They can also send phishing emails to people using online shopping websites.
Here’s what you can do:
Beware of tampered QR Codes, and carefully look at the preview link (URL) before clicking. Looking for spelling errors or possible alterations in the domain can help identify a cloned URL.
You can also add an extra protective layer: email authentication protocols such as DMARC, DKIM, BIMI, and SPF records can help prevent phishing attacks and keep your domain reputation untouched.
Location Tracking
One primary concern is the potential for cyber criminals to track your real-time location. They create fake QR Codes that resemble legitimate ones. When scanned, these QR Codes can install malware on your device. This malware can then access and transmit sensitive data, including your mobile number, current location, contact list, and even personal data.
The worst part is that you might be oblivious that hackers are tracking your location.
Here’s what you can do:
While hackers may try to track your location and exploit your data for their benefit, you can stay one step ahead by taking the proper precautions. You can protect yourself from these cyberattacks by keeping your mobile device software up to date and being cautious about the QR Codes you scan.
Protect Yourself From QR Code Scams
QR Codes are the credit cards of this new contactless payment era, and while cyber criminals can tamper with them, there are ways to stay safe. Now, we know that they can access personal and confidential information, which can be exploited further. However, with the necessary precautions, you can protect yourself by following these steps:
- Scan Only From a Trusted Resource
Scanning random QR Codes is dangerous. You should stick to codes from reputable sources like established businesses with a good online presence. This reduces the risk of malicious or phishing attacks disguised as legitimate QR Codes.
For example, imagine you are at a restaurant. Instead of scanning a random QR Code stuck to the menu, look for the restaurant’s website or social media pages to see if they have an official QR Code for the menu there.
- Use a Trusted QR Code Scanner That Displays the Link First
Many people mindlessly click the link after scanning a QR Code, which can be risky. Use a scanner that shows the destination URL before opening it.
For example, instead of using your phone’s camera app (which might not show the link), download a trusted QR Code scanner app with good reviews. A good example of this is Google Lens. These apps typically display the URL so you can inspect it before visiting the website.
- Pay Attention to Details
Be vigilant when making payments or transactions through QR Codes.
Imagine you’re at a gas station. Notice if the QR Code on the pump dispenser looks tampered with, like crooked or peeling edges. It could be a fake code placed over the real one by a cybercriminal trying to steal your payment. If something seems off, opt for a different pump or use a credit card instead.
- Update Your Device’s Security and Overall Defense System
Keep your phone’s security software up-to-date to prevent vulnerabilities that hackers could exploit.
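The link inspection recommended above (reading the previewed URL for spelling errors or an altered domain, and using a scanner that shows the link first) can also be done by software. The following Python sketch is an added example, not code from any scanner app or payment provider; the expected domains and sample URLs are constructed, and the two-edit similarity threshold is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: the domains your payment provider really uses (constructed values).
EXPECTED_DOMAINS = ("pay.example.com", "example.com")

def edit_distance(a, b):
    """Levenshtein distance: counts the character edits separating two host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return reasons not to open a decoded QR payload; an empty list means no finding."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["not a parseable URL"]
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username or parts.password:
        findings.append("text before '@' is not the host; the real host follows it")
    if not host:
        return findings + ["no host in payload"]
    if not host.isascii() or "xn--" in host:
        findings.append("internationalised host can imitate Latin letters")
    if any(host == d or host.endswith("." + d) for d in expected):
        return findings  # exact expected domain or one of its subdomains
    if any(("." + d + ".") in ("." + host) for d in expected):
        findings.append("expected domain appears only as a prefix of another site")
    near = [d for d in expected if edit_distance(host, d) <= 2]
    if near:
        findings.append(f"host {host} resembles {near[0]} but is not it")
    else:
        findings.append(f"host {host} is not an expected payment domain")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would show them before opening.
    for url in ("https://pay.example.com/checkout?id=123",
                "https://pay.examp1e.com/checkout?id=123",
                "https://example.com.secure-pay.test/pay",
                "https://pay.example.com@203.0.113.9/pay"):
        print(url, "->", inspect_qr_url(url) or "no findings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.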
Securing QR Code Payments for Businesses
QR Codes offer a quick, touch-free way to pay, but security shouldn’t be an afterthought.
Here’s how businesses can keep their customers safe:
Use a Reputed QR Code Generator
While there is a plethora of QR Code generators out there, choosing a secure QR Code generator with SSO login, security features such as MFA, and brand customization options will keep cybercriminals at bay.
Double Up on Security
Passwords alone are easy to steal. Use Multi-Factor Authentication (MFA): make customers verify their identity with a code sent to their phone after logging in. This extra step makes hackers’ lives much harder.
Digital Bodyguards
Mobile Threat Defense (MTD) systems are like security guards for phones. They block harmful downloads, fake websites trying to steal information, and suspicious login attempts.
Security Checks on the Fly
Some systems use fancy tricks to keep you safe. They consider your location, the device you’re using, and how much you’re paying. The system will ask for extra verification to stop fraud if something seems fishy.
Strong Passwords are Key
Businesses should require customers to generate complex, unique passwords and change them often. Password managers can help people create and remember strong passwords.
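The on-the-fly check described under "Security Checks on the Fly" weighs location, device, and payment amount and asks for extra verification when they look unusual. The following Python sketch is an added example, not any vendor's implementation; the customer history, weights, multipliers, and threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Payment:
    customer: str
    device_id: str
    country: str   # where the payer appears to be
    amount: float

# Constructed history; a real system would read this from its own records.
HISTORY = [
    Payment("c-1001", "dev-a", "AU", 18.50),
    Payment("c-1001", "dev-a", "AU", 22.00),
    Payment("c-1001", "dev-b", "AU", 19.00),
]
STEP_UP_AT = 2  # assumed threshold: total weight that triggers extra verification

def assess(payment, history=HISTORY):
    """Return (decision, signals) where decision is 'allow' or 'step_up'."""
    past = [h for h in history if h.customer == payment.customer]
    if not past:
        return "step_up", ["no history for this customer"]
    score, signals = 0, []
    if payment.device_id not in {h.device_id for h in past}:
        score += 2
        signals.append("device not seen before")
    if payment.country not in {h.country for h in past}:
        score += 2
        signals.append("location differs from earlier payments")
    typical = median(h.amount for h in past)
    if payment.amount > 10 * typical:
        score += 2
        signals.append("amount over 10x the customer's median")
    elif payment.amount > 3 * typical:
        score += 1
        signals.append("amount over 3x the customer's median")
    return ("step_up" if score >= STEP_UP_AT else "allow"), signals
```

A moderately large payment from a known device in the usual location passes with a recorded signal, while a new device, a new location, or a very large amount each trigger the extra verification step on their own.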
The Bottom Line
Digital and contactless payments such as QR Code payments are here to stay. Watch out for scams, and think about what QR Codes you scan. Security is a team effort between businesses and customers. By following the above tips, businesses can minimize cyber risks and make QR Code payments safe and reliable for everyone.