Understanding QR Code Fraud

Consumers should be wary of any QR code provided by an unknown source; such codes should be treated like unknown hyperlinks.

In February, many viewers of the 2022 Super Bowl noticed an unusual commercial for Coinbase, an American cryptocurrency company. For most of the 60-second ad, a QR code floated slowly across a black background, bouncing from one corner of the TV screen to another. Designed to look like an old screensaver, the ad contained music but no dialogue. The identity of the advertiser was not revealed until the final seconds of the commercial. Viewers who pointed their smartphones at their screens and scanned the QR code were taken to a promotion on the Coinbase website.

As a result of the commercial, Coinbase’s website received more than 20 million hits in one minute and the company’s app crashed. The ad also sparked conversation on social media and in the press, with many praising the ad’s creativity and effectiveness. Among fraud and cybersecurity experts, however, there was a decidedly different reaction. For them, the ad revealed that millions of consumers were willing to scan a QR code from an unknown source, which raised concerns about QR code fraud.

QR Codes Explained
A quick response (QR) code is a square barcode that can be read by certain devices, such as smartphone cameras. Most QR codes look like black squares arranged in a square grid on a white background. Typically, QR codes are used like hyperlinks to provide quick access to websites. For example, when viewers of the Coinbase Super Bowl ad scanned the QR code on their TVs, their smartphone browsers opened the Coinbase website. 

Promotional QR codes are everywhere — online, in papers and magazines, on billboards and posted on telephone poles. Scanning these physical or digital QR codes will generally take consumers to the advertiser’s website. However, not all QR codes are used for promotion. During the COVID-19 pandemic, for example, restaurants began using QR codes to direct customers to an online version of their menus. 
It is becoming more common for businesses to email QR codes to their customers. Amazon uses emailed QR codes to facilitate returns and exchanges. Consumers can also use emailed QR codes to confirm reservations at restaurants, hotels, as concert tickets or to get boarding passes at airports. 

Some businesses use QR codes to facilitate payments. These companies might provide customers with a QR code that directs them to a webpage where they can complete a payment transaction. Both Paypal and Venmo allow users to scan QR codes as part of the payment process.

QR Code Fraud
The most common type of QR code fraud operates like a phishing scheme. Fraudsters create a fraudulent QR code, or manipulate a legitimate QR code, to direct consumers to a malicious website that will steal their money or information. These fraudulent QR codes might be encountered online, in emails, text messages or anywhere in the physical world. 

Earlier this year, scammers placed fraudulent QR code stickers on more than two dozen parking meters in Austin, Texas. Drivers who tried to use the QR code to pay the parking meter were directed to a website operated by an unknown party — in fact, parking meters cannot be paid via QR code in Austin. In other schemes, fraudsters have covered legitimate QR codes with fraudulent QR code stickers.

In the digital space, QR code fraud often begins with an email, text message or social media post that uses social engineering techniques to convince the user to scan the code. The message may claim to be from a trusted company or financial institution. Users who scan the code are directed to a malicious website that looks legitimate but is designed to steal their money or information.

In another type of scheme, fraudsters use QR codes to expose the user’s device to malware. The QR code might direct the user to a malicious website that downloads the malware onto their device, or the malware might be embedded in the QR code itself. Once the malware has infected the device, fraudsters can steal the user’s information.

Best Practices for Avoiding QR Code Fraud
Like traditional phishing schemes, QR code fraud relies on the misplaced trust of consumers. Therefore, the best protection is healthy skepticism of QR codes. Consumers should be wary of any QR code provided by an unknown source; such codes should be treated like unknown hyperlinks. In other words, do not scan the code if you are uncertain of its source.

There are many other things consumers can do to avoid QR code fraud. The FBI issued a public service announcement in January warning consumers about QR code fraud. The announcement contained the following tips:

• Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
• Practice caution when entering login, personal or financial information from a site navigated to from a QR code.
• If scanning a physical QR code, ensure that the code has not been tampered with, such as with a sticker placed on top of the original code.
• Do not download an app from a QR code. Use your smartphone's app store for a safer download.
• If you receive an email from a company stating that a recent payment failed and you can only complete the payment through a QR code, call the company to verify.
• Locate the company's phone number through a trusted site rather than a number provided in the email.
• Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
• If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
• Avoid making payments through a website navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

According to Coinbase, its floating QR code Super Bowl commercial was an unqualified success. The ad drove millions of consumers to the company’s website and increased brand awareness. It also illustrated that consumers are probably too willing to scan QR codes provided by unknown sources. Hopefully, the conversation surrounding the ad raised awareness of QR code fraud and created some healthy skepticism.