QR Codes may be an increasingly common point of convenience in touchless payments, but consumers and businesses had better be prepared for the rising risks of account takeover and CNP fraud that come with them.

Short for “quick response,” QR codes—those quirky, black-and-white squares you scan with your smartphone—are 2-D barcodes used to instantly access product information, download coupons, dial up a call center, board an airplane, or make direct purchases. First popularized in Japan nearly 30 years ago, they’ve gained new traction in the COVID era. Restaurants and retailers worldwide have been adding these little markers to a growing number of other touchless payment options to help customers avoid germ-laden surfaces.

They’re a hit with shoppers and patrons. According to ThreatPost, 47% of consumers in the US and UK report an increase in their QR code use during the pandemic. About 84% have scanned a QR code in the past year, with 32% having done so in just the last week. Sixty-four percent say they make life easier in a don’t-touch world.

But QR codes also come with dangers. For one thing, they present a tempting new attack vector for fraudsters who’ve stepped up phishing scams across email, SMS, social media, and more. But because they initiate immediate action, QR codes may be vulnerable to especially onerous threats.

QR Codes: Caveat Emptor

To most of us, QR codes all look the same, so it’s hard to verify if the QR code you’re scanning is legitimately from the business, or if a bad actor has replaced it and is misdirecting customers to a phishing site or initiating a fraudulent payment. While it may not seem like a big deal, even an email address can prove value for fraudsters on the dark web. So what about a direct link to the personal device in the hands of virtually every man, woman, and child?

The Better Business Bureau, for instance, is warning that malicious QR codes are being used to point consumers toward phishing sites that prompt you to enter personal information, download malware, or follow fraudulent social media accounts, or launch payment apps. Additionally, the BBB says bitcoin addresses are often sent via QR codes, which means QR codes are now an element of cryptocurrency scams.

Specifically, things consumers should watch out for QR codes that:

  • Appear to be tampered with, or appear to be affixed as a sticker over an existing QR code
  • Are printed on flyers or other easily-replicable material that could be produced by fraudsters
  • Points the user’s browser to shortened URL when scanned; it could be hiding a malicious link

The BBA also advises that consumers install a QR code scanner with anti-virus capabilities to check the safety of scanned links before they’re opened. But fair warning: Consumers aren’t the only ones who should be on the lookout.

CNP and ATO Fraud: Protecting Your Business

As touchless tech and mobile payments become more prevalent, businesses should be aware of the different types of fraud that can occur when using QR codes—and how they can take measures to prevent fraudsters from gaining access to sensitive customer information or payment details.

Card Not Present (CNP) and Account Takeover (ATO) fraud, for instance, are two types of risk that can root from QR code vulnerabilities. These types of attacks can occur when bad actors use QR codes to impersonate a brand or business in order to collect customer information such as login credentials and email addresses that can then be used in an account takeover attack, or credit card numbers or using payment data for card not present or online payment fraud.

Losses from card-not-present (CNP) fraud alone topped $6.4 billion in 2020—and could increase another 16.4% by year’s end. Meanwhile, account takeover (ATO) attacks accounted for another $16 billion in loss in just the U.S. last year, up 300% from 2019.

To prevent attacks like these, businesses can add validation and verification steps to login ports accessed through QR code scans. They can also use anti-fraud products that leverage geolocation and behavioral data to help identify fraudulent activity and suspicious logins.

The Keys to Fraud Prevention

One key is to choose options that accurately detect these forms of fraud without causing false positives or slowing down legitimate customers.

Our own solution, for instance, leverages the EMV® 3-D Secure protocol to authenticate users transparently, and goes beyond measuring logins and activities against legitimate customer purchase behaviors at the stores, restaurants, and other businesses they frequent.

By augmenting this information with identity and transaction data from every industry and geography worldwide, we’re able to prevent 95% of all fraud loss while interrupting just 5% of transactions and logins for further scrutiny. That’s the best performance in the industry. But in our view, it’s also just the beginning.

That’s because customers who fall victim to ATO or CNP fraud won’t just fault the perpetrators. They’ll blame the brand or business for failing to protect them. To maximize anti-fraud efforts, we also offer services that detect and take down the phishing sites, fraudulent social media pages, and imposter mobile apps used in these attacks.

Bottom line: QR codes can add a whole new level of ease and convenience for tough-averse customers—as long as they’re fast, frictionless, and secure.

To learn how Outseer can help you protect QR code users from CNP and ATO fraud while protecting your business from malicious impersonation, request a free demo today.

Jim Ducharme

Chief Operating Officer

Jim is responsible for product strategy and leads the associated product management and engineering teams at Outseer. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.