First of all, as most of you know, QR codes, square-shaped machine-readable codes, allow consumers to download apps, launch customer service, access Wi-Fi networks and buy products. However, how many of you know what kind of fraud can actually come from QR code payment? Many analysts have observed activity around QR code fraud, particularly as it applies to cashless payment applications. Because this type of fraud is relatively novel, cyber criminals can carry out illicit activities more effectively, through a few methods which are shared below.

QR Code Phishing, Private Transactions, and Social Engineering Schemes

QR code fraud may be a component of typical phishing schemes, in which victims are duped into scanning codes sent by email. With QR codes growing as a convenient way to remit payment, several other types of schemes have also emerged.
QR codes are often sent within emails as part of phishing expeditions, designed to fraudulently obtain user credentials or direct users to websites where malware is automatically downloaded.

QR Codes as a Form of Payment Fraud

QR codes are used to defraud individuals by inducing them to trigger unintended transfers of money to bank accounts or to leak their Personally Identifiable Information (PII) or login credentials. When fraudsters have payments made to accounts they control, they will probably use money mules to convert the payments into cash without raising suspicion. Fraudsters have been observed using several methods to commit fraud of this nature:
- Fraudsters send a QR code to an individual or a public chat group, supposedly so that the target can receive money or other benefits. In fact, the QR code is a collection request, and scanning it and entering a PIN approves a payment out of the target's account.
- Fraudsters replace real QR codes with counterfeit ones. Upon scanning the code, users are directed to non-authentic and potentially malicious websites with realistic-looking landing pages. The victim may be prompted to enter PII, or may download malware to their phone. That can lead to fraud in online banking. In some cases, QR codes can be altered by greying out certain areas of the code, or by slightly distorting square dots in the code. This may induce the scanning device to launch certain processes or to visit unintended websites.
QR code fraud also affects cryptocurrency markets. In one example observed, a website generates a false QR code after the user enters a Bitcoin address.
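The counterfeit-code and false-Bitcoin-QR cases above both come down to a mismatch between what the code encodes and what the user expects. The following is an added example, not code from the original article: a check run on the text already decoded from a QR code. The function names, placeholder addresses and reserved example domains are assumptions, and address checksums are not validated.

```python
from urllib.parse import urlsplit

def qr_bitcoin_address(decoded):
    """Extract the address from a BIP 21 URI ('bitcoin:<addr>?amount=..') or a bare address."""
    text = decoded.strip()
    if text.lower().startswith("bitcoin:"):      # URI scheme is case-insensitive
        text = text[len("bitcoin:"):]
    return text.partition("?")[0]

def same_address(a, b):
    """Bech32 (bc1...) addresses ignore case; Base58 addresses are case-sensitive."""
    if a.lower().startswith("bc1") and b.lower().startswith("bc1"):
        return a.lower() == b.lower()
    return a == b

def check_bitcoin_qr(decoded, entered_address):
    """Findings for a QR code that should encode the address the user typed."""
    encoded = qr_bitcoin_address(decoded)
    if same_address(encoded, entered_address.strip()):
        return []
    return ["QR encodes a different address: " + encoded]

def check_url_qr(decoded, expected_host):
    """Findings for a QR code that should open a page on expected_host."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower()    # hostname excludes any 'user@' prefix
    except ValueError:
        return ["unparseable URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("not an https URL: scheme=" + repr(parts.scheme))
    if host != expected_host.lower():
        findings.append("unexpected host: " + host)
    return findings

# Constructed sample values (placeholders, not real addresses or sites).
ENTERED = "bc1qentered00000000000000000000000000000000"
OTHER = "bc1qother0000000000000000000000000000000000"

if __name__ == "__main__":
    for payload in ("bitcoin:" + ENTERED + "?amount=0.5", "bitcoin:" + OTHER):
        print(payload, "->", check_bitcoin_qr(payload, ENTERED) or "ok")
    for url in ("https://pay.example.com/checkout",
                "https://pay.example.com@login.test/checkout",
                "http://pay.example.com.login.test/"):
        print(url, "->", check_url_qr(url, "pay.example.com") or "ok")
```

The comparison is on the parsed host and the extracted address, not on a substring of the payload, so a URL that merely contains the expected name still gets flagged.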

QR Codes Used in Schemes of Real-World Theft

QR codes are often posted as a quick and easy way to remit payments in public spaces. They are also used to transfer funds between individuals, with increasing frequency. Analysts have observed a few emerging schemes:
- Dire Situation Scheme: Typically QR code schemes involve social engineering, including in the real world. For example, in July 2019, fraudsters in the Netherlands asked individuals to pay their parking fees by scanning a QR code in exchange for cash, saying the machine was broken and therefore did not accept cash. When the victim scanned the QR code, money would be transferred out of their account. This scheme resulted in the theft of tens of thousands of euros. The fraudster may be well dressed to appear more credible in these situations.
- Second Hand Markets: In December 2019, the Chennai City Police’s cybercrime unit in India received over twenty complaints from individuals posting home goods for sale online, who were contacted by potential buyers and asked to scan a QR code to receive funds. However, after the sellers scanned the code, funds were deducted from their accounts. The fraudsters claimed to be personnel of the Indian Army, perhaps in an attempt to lend themselves credibility. Similar activity involving second hand online markets in Belgium has been reported.
- Ticket Payments: A Chinese individual found a ticket on his car that ordered him to scan the QR code to pay a fine of about US$30. The QR code, which was fraudulent, was linked to an account that had a male police officer in its profile photo.
- Small Transactions: In China, where bike sharing is hugely popular and users pay in advance to unlock a bike, criminals can replace the QR codes with their own codes on a large number of bikes. This can induce many small payments into the account of the threat actor. Many potential renters just shrug it off when the bike doesn’t unlock and move on to the next one.
Knowledge of QR code fraud may be considerably lagging, while new types of fraud continue to emerge. A survey of UK internet users showed that more than 70 percent of participants were unaware of QR code fraud or types of fraud. This, given the relative novelty of this type of threat, may not be surprising.
The global rise in cashless payments is also contributing to these trends in fraud, creating more opportunities for fraudsters to execute such schemes. China, India, some European countries and North America, which have high adoption of mobile payments, should be aware of the risks associated with QR codes. In the last few years, QR code scams in China have risen, affecting the economy.
No prolific QR-code fraudster or group has emerged at this time. However, most analysts assess with moderate confidence that groups are likely to form in the near future, due to the success of such fraud techniques.
