QR code payments have finally caught on in the U.S. after lagging behind adoption in China and other Asian markets. Why the change? The need for contactless payments brought on by the pandemic sent retailers looking for inexpensive, quick-to-implement ways to let customers pay from a distance, and QR codes fit the bill. However, as with every payment method that gains popularity, fraudsters have followed. Here’s what retailers and consumers need to know about using QR code payment technology safely.
Why Are QR Codes Everywhere Now?
QR (Quick Response) codes are similar to barcodes in that they store information visually. However, they can store much more data, so they can be used for web links, document access, product identification, and payments.
Retailers that want to offer contactless point-of-sale payments without investing in NFC-enabled terminals can add software that generates a QR code for each purchase. Smaller retailers can do this with a payment service like Square or PayPal on a tablet. Some vendors that sell single items or services print out and display one QR code that customers can quickly scan. Large chains like Walmart have QR code displays built into their POS terminals. QR codes can also support loyalty programs, so customers can earn points and claim rewards without having to present a punch ticket or plastic rewards card.
By scanning a merchant’s QR code at checkout, a customer can quickly pay for their items through a digital wallet, without handling cash, touching the payment terminal, or even getting close enough to the terminal to tap or wave an NFC-enabled credit card or smartphone. That last element is important for safe distancing. With a good smartphone camera, a QR payment code can be scanned from a foot or more away from the source, unlike NFC contactless payments, which can only take place over a few inches. Another option, reportedly in development for drugstore chain CVS, is for cashiers to scan a QR code generated by the customer’s digital wallet.
How Are Scammers Exploiting QR Code Security Gaps?
In Shanghai, swapping static QR codes on parking tickets became such a popular fraud method that in 2019, local police had to change the way they ticketed vehicles. Some fraudsters target street market vendors who typically display a single QR code at their stall. By replacing the seller’s QR code with one that leads to the fraudster’s account, they can siphon off the merchant’s revenue. Still others go after static QR codes affixed to rental bikes and scooters.
Fraudsters can also use social engineering to convince people to scan QR codes that lead to malware or to pages that steal their banking credentials. In 2019, Malwarebytes reported on the latter type of scam happening to people in the Netherlands. A stranger would approach the victim and ask to trade cash for a QR scan to help the stranger pay for a parking spot where the meter didn’t accept cash. Later, the victims discovered their bank accounts had been drained.
These scams don’t require in-person interaction. Fraudsters impersonating brands are using QR code promotions in email and on social media to lure victims to phishing websites, where they can capture login and payment credentials.
QR Codes Need Stronger Security for Payments
Every payment method has vulnerabilities that criminals will exploit if they can; the entire fields of fraud prevention and cybersecurity are essentially a race to stay a step ahead of criminals’ next scam tactics. However, QR codes weren’t designed with payment processing in mind. They were originally created to track parts in the auto-making process. The creator of QR codes, along with other security experts, says QR needs better security to reduce the risk of payment fraud. In the meantime, QR codes’ convenience and usefulness in contactless settings mean this method isn’t going away. Therefore, it’s up to merchants and customers to try to reduce their risk.
Steps Retailers Can Take to Protect QR Code Transactions
Because QR payments at the POS are actually e-commerce payments, it’s critical to have card-not-present fraud protection in place to authenticate customers and payment methods before approving transactions. If you’re a merchant using QR codes at checkout, you should also:
- Display QR codes on a tablet or other digital display if possible instead of on a static printout that could be swapped by a fraudster. If you must display a static code, check it regularly to ensure it’s still yours.
- Monitor your transaction reports to ensure that you’re receiving the payments that customers scan in.
- Monitor your social media mentions to spot possible impersonators.
- Install and maintain security software on all your devices that display or scan QR codes.
- Respond right away to any reports of QR problems from customers.
Steps Consumers Can Take to Avoid QR Code Fraud
Paying with a QR code is convenient and helps you keep a safe distance from others, but there are a few safety measures to keep in mind.
- Only scan QR codes from merchants you trust. Be especially cautious about QR codes purporting to be from brands on social media and in emails — double-check the source before you scan them.
- Scan checkout QR codes from a digital display instead of a static display whenever possible.
- Make a note of the URL that appears on your phone after you scan a QR code and before you proceed to the site.
- Set up transaction limit alerts with your bank or credit card provider so you’ll know right away if there’s a problem.
- Install trusted mobile security software on your phone to reduce the risk of malware via QR code.
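The static-code check for retailers and the URL check for consumers both come down to comparing what a code actually decodes to against the merchant's real payment link. The sketch below is an added example, not code from the article or from any payment provider; it assumes the QR image has already been decoded to text by a scanner, and the host, path, and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed values: the payment link this merchant registered with its provider.
EXPECTED_HOST = "pay.example.com"
EXPECTED_PATH = "/m/merchant-1234/"

def audit_qr_payload(payload, host=EXPECTED_HOST, path_prefix=EXPECTED_PATH):
    """Return findings for a decoded QR payload; an empty list means it matches."""
    findings = []
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, expected 'https'")
    # "https://trusted-name@other-host/..." displays a familiar name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        findings.append("URL carries userinfo before '@', which can disguise the real host")
    actual_host = (parts.hostname or "").rstrip(".")
    if actual_host != host:  # exact match only, so lookalike hosts fail
        findings.append(f"host {actual_host!r} is not {host!r}")
    if port not in (None, 443):
        findings.append(f"unexpected port {port}")
    # A swapped code can use the same payment service but another account,
    # so the merchant-specific part of the path has to match as well.
    path = unquote(parts.path)
    if ".." in path.split("/") or not path.startswith(path_prefix):
        findings.append("path does not point at this merchant's account")
    return findings

# Constructed sample payloads, as a scanner would return them.
SAMPLES = [
    "https://pay.example.com/m/merchant-1234/checkout",                 # genuine
    "https://pay.example.com/m/merchant-9999/checkout",                 # other account
    "https://pay.example.com@pay.example.net/m/merchant-1234/checkout", # disguised host
    "http://pay.example.com/m/merchant-1234/checkout",                  # not HTTPS
]

def audit_all(samples=SAMPLES):
    """Map each payload to its findings."""
    return {s: audit_qr_payload(s) for s in samples}

if __name__ == "__main__":
    for payload, findings in audit_all().items():
        print("OK  " if not findings else "FAIL", payload)
        for finding in findings:
            print("     -", finding)
```

A merchant could run this against a fresh scan of each printed code during the regular check, and treat any finding as a reason to pull the printout and reconcile recent payments.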
Like many innovations, QR payments will almost certainly remain popular even after the immediate need for no-contact payments abates. That means more convenience and physical safety for shoppers and merchants, but it also requires everyone who uses QR codes to take security seriously to avoid getting scammed.
Rafael Lourenco is executive vice president and partner at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen.