5 ways ISVs can help protect merchants against QR code scams

Quick Response (QR) codes are on the rise. 
Also on the rise? QR code fraud.  
While QR codes might seem like they popped up overnight, they’ve actually been around since 1994. So why the sudden growth? One major factor is the pandemic. 
With the increased demand for touch-free transactions, social distancing, and safe check-out experiences brought on by the coronavirus, QR code tech has resurged in popularity amongst restaurants, retail stores, and other businesses. 
According to the Global Payments 2022 Commerce and Payment Trends Report, 60% of merchants plan to take QR code payments this year alone. And by 2025, QR code payment users are expected to exceed 2.2 billion, equating to 29% of all mobile phone users globally. 
But merchants and customers aren’t the only ones who have their eyes on QR codes. Earlier this year, the FBI issued an alert, warning of a significant spike in QR code cybercriminal activity.
With QR code use steadily climbing, ignoring the threat that comes with it is no longer an option. To ensure merchants are protected, independent software vendors (ISVs) providing QR code functionality within their software solutions should make it a priority to educate merchants on how to prevent QR code scams. 

First things first. QR codes: Why are they so popular? 

QR codes offer a wide range of uses from social media, to personalized in-store shopping, contactless restaurant menus, product packaging, coupons, gift cards, loyalty cards, and more. 
One of the areas where QR codes shine most is payments. 
With the ability to scan from both paper and screen via a smartphone camera, all customers need to do to check out is pull out their phone, scan the code, and pay online. This keeps the payment process on their personal mobile device, and in their own hands, the whole time.
Sounds great, right? Well, it’s not all black and white. The reality is, where there’s an advancement in payment technology, there’s also a shiny, new target for fraudsters. 

QR code payments fraud: How does it work?

Scammers are exploiting this technology in two major ways: 
1. Overlaying a legitimate QR code with a fake code that sends consumers to a malicious site the scammer controls, inviting consumers to input their payment information.
2. Using altered codes to download malware onto the consumer’s smartphone when they scan the fake QR code, gaining access to the victim’s device, bank accounts, and more.
The goal of these scams? To steal personal data and financial information from the consumer.
Don’t hit the panic button yet. There’s good news: ISVs can take plenty of steps to help their merchants stop QR code fraud in its tracks. 

5 defenses against QR code fraud

1. Create unique QR codes with customized branding.

With free QR code generator sites, creating codes is easier than ever — for merchants and hackers. One of the best ways to make QR codes more difficult for fraudsters to replicate is to incorporate unique branding.

To increase security, it’s best to stay away from premade elements offered in the QR code generator’s gallery. Instead, merchants should place a specialized, high resolution illustration or icon like a proprietary logo with the business name or mascot in the center of the code. Merchants can even customize the design of the data pattern and reshape the edges of the code itself to further distinguish it from generic ones.

Another way to customize? Move beyond black and white! Merchants can play with the color palette and colorize the code with their business’ signature brand colors. Merchants can also add distinctive frames around the QR code, displaying colorful borders and a clear call to action. The background of a code can be altered as well with an image, shape, or solid color. 

The less generic a code looks, the more difficult it will be to replicate. But be careful not to over-customize and compromise readability!

2. Audit current QR codes.

The next step is for merchants to audit all their existing QR codes for signs of tampering. This can include overlaying a physical QR code with a sticker of a fraudulent QR code or altering a legitimate code to redirect customers to a website the hackers control.
A thorough audit should cover not only checking for signs of physical misuse, but testing out the URL and online form of every QR code displayed in the business. 
When conducting an audit, using a QR code verifier can be a big help. Several antivirus companies have created QR code fraud-detection apps in answer to the spike in scams. 
What does that mean for merchants? Taking advantage of this extra precaution could remove the guesswork and replace it with peace of mind. 
Merchants can use these apps on their smartphones to help verify their QR codes by simply scanning the code with the app to test if it would take them to a legitimate or unknown URL. If the app alerts the user that the code is sending them to an unknown URL, they can then report it for inspection through the app.

3. Protect exposed QR codes.

QR codes located in easily accessible or exposed areas, like outdoor patios and street-side tables, are low hanging fruit for scammers to pick.
So why invite the risk of leaving out unmonitored codes? 
One simple measure merchants can adopt to prevent after-hours tampering is to bring any outdoor QR codes inside after close of business. 
Merchants can also better protect their QR codes by paying a little extra attention to what they place those codes on in their outdoor areas. Consider swapping out plain paper table tents that are easily replicated for card stock with a unique print, design, or content that speaks to the business. Add another level of protection by encasing the code with plastic sign holders or lamination. .

4. Train staff to monitor QR codes for tampering.

A merchant’s best defense is an educated staff. 
It’s a good practice for merchants to train staff to regularly watch for the placement, branding, colors, appearance, and wear of the QR codes. For example, if a QR code sticker looks brand new but the signage it’s living on is old, that’s a red flag. 
Aside from physical cues, it’s also a good practice to apply the same tactics used to detect phishing emails to identify risky QR code sites. If something looks off, it probably is.
A common tell is the URL name. Staff should double check the URL they're directed to when scanning a QR code. Some smartphone cameras offer a preview of the domain name before routing the user to the intended destination. Fraudulent domain names could be similar to the intended URL but contain typos, wording that is slightly different, or even display shortened versions of the real URL. 
After following the URL, staff should look out for misspelled words, pixelated logos, or strange grammar as indicators that the code has taken them to a malicious site.
If the URL isn’t exactly what it’s expected to be or the site appears suspicious, staff should report it as possible fraud to their boss. Merchants can then review the code in question and notify their local FBI field office at www.fbi.gov/contact-us/field-offices or the FBI Internet Crime Complaint Center at www.ic3.gov.
Making QR code inspection a part of staff’s daily routine will enable merchants to regularly ensure their codes won’t lead customers to dangerous sites.

5. Educate customers on cybersecurity.

The more people who are aware of QR code fraud, and how to prevent it, the better. Don’t leave customers in the dark!
To add another layer of security, merchants should empower staff to share their expertise on spotting malicious QR codes with customers. Make it a basic practice to share QR code safety information with customers who express concern and disclose the steps the business has taken to ensure the codes haven’t been tampered with.
At a minimum, staff should encourage customers to double check the QR code and inspect the full URL for anything suspicious to ensure the site is safe before entering sensitive credit card information. 

Secure solutions 

Contactless payments aren’t going anywhere. But neither are fraudsters. 
Helping merchants stay vigilant against potential fraud with these tips is crucial to creating an environment where both merchants and customers feel safe using QR codes. ISVs play an important role in making this happen, and Global Payments Integrated can help. 
We take pride in prioritizing security in all of our services. Paying by QR code is one of the many payment methods we can support. Check out our suite of payment security products to explore the possibilities.
Contact us today to learn more about how we can help ISVs incorporate QR code functionality into their software solution—safely and securely.

Erin Donnelly


Erin is part of the marketing copywriting team at Heartland, a Global Payments company. With a background in writing, editing and strategic communications, Erin works to tell meaningful stories for the small business community. In her spare time, she enjoys baking, reading and drinking copious amounts of coffee.

Erin Donnelly