The promise and perils of QR codes in banking

• Key insight: QR codes streamline payments and onboarding while creating novel phishing attack surfaces.
• What's at stake: Fraud losses, identity theft and operational disruptions from undetected QR exploits.
• Forward look: Prepare for industry-wide QR standards, signed codes and stronger MFA requirements.
  

Overview bullets generated by AI with editorial review

QR codes are growing in popularity as a way to enhance payments, assist with digital onboarding, process  loan applications and secure cashless banking. 

But QR codes also present risk to banks and consumers, as crooks redirect unwitting users onto dangerous websites designed to manipulate trust in the code they scanned.

QR code basics

QR codes place textual information into a format that virtually every smart phone can decode. Often, the code provides a URL to a website. Sometimes, the code is a phone number, an email address, payment information or simply a textual message.

These codes are opaque and meant for machines to read, not humans.

Context clues might suggest to the user what a QR code contains. Perhaps the paperwork at the bank says it's a link to an online application, or the point of sale indicates it's a payment portal. The only way to know that for sure is by scanning it.

QR codes also engender a dangerous trust-by-default mindset. Since a user can't know what a QR code contains simply by looking at it, they have to trust that scanning it will do something helpful, not harmful.

One way to mitigate these risks is at the source: The app the user pulls up to scan the code.

Mobile device makers are privy to the risks of QR codes, and few will act on a QR code before showing the user what it contains.

For example, the default iPhone camera app shows part of the URL that a QR code contains, and it doesn't open the web browser until the user taps. Many Android devices and apps have the same feature.

But often, these features are merely speed bumps that don't stop the user from hurdling unknowingly into danger.

How banks use QR codes

Banks use QR codes to facilitate opening bank accounts, accessing ATMs and for desktop authentication from mobile devices.

They are also gaining traction as a payment method for businesses and consumers, with major players including Zelle, Venmo and PayPal offering QR code functions for seamless transactions.

Fintechs like Payfinia and Matera use QR codes to initiate account-to-account payments over instant payment rails and have completed what they claim was the first QR code payment on FedNow.

These payment QR codes uniquely contain all the necessary details to complete a transaction without requiring users to disclose sensitive information like bank account numbers or phone numbers. In this way, QR codes can offer greater security over alternatives.

Beyond payments, banks and credit unions use QR codes to support marketing and promotional initiatives, linking customers to offer details or enabling the download of mobile applications to manage accounts.

The security downsides of QR codes

QR codes harbor significant risks, primarily stemming from their deceptive nature and the inherent trust users place in them.

Consumers are likely to scan QR codes without verifying their authenticity, especially when in a hurry or out of curiosity.

This automatic trust makes them an "ideal disguise for fraud," according to Schools First Credit Union, because users cannot see a QR code's destination before scanning.

Scammers also exploit trust in QR codes by physically altering legitimate QR codes. Criminals commonly place fake QR code stickers over real ones on restaurant menus, parking meters, "For Sale" signs or public transport ads.

In one case in Austin, Texas, criminals placed fraudulent QR codes on public parking payment stations, redirecting victims to fake payment portals that stole credit card information.

However, the primary threat QR codes present is quishing — a form of phishing (a deception technique) in which attackers embed malicious links into QR codes that, when scanned, direct users to sites designed to steal personal information, passwords or access to secure systems.

This form of attack is particularly dangerous because "most email security systems don't inspect the content of QR codes, especially when they're included as images," according to Netcraft, a London-based cybersecurity company. This allows the attacker to bypass traditional email filters.

Social engineering tactics are central to quishing. Attackers craft messages, often in emails or texts, that mimic legitimate communication from banks, government agencies, or trusted companies, creating a sense of urgency or offering enticing deals to prompt a hasty scan.

Other QR code-related threats include:

• Malware scams, in which scanning a QR code leads to a website that downloads malicious software onto the device;
• Payment redirection scams, in which a fraudulent QR code reroutes payments to a scammer's account instead of the intended recipient; and
• QRLjacking, a more sophisticated attack where scammers intercept and replicate legitimate login QR codes, tricking users into providing the attackers access to their account.

The impacts of these QR code-related risks can be severe for both individuals and financial institutions. They can lead to financial losses through stolen credit card data, compromised bank accounts or unauthorized transactions.

These attacks also frequently lead to identity theft, where scammers use captured personal information for fraudulent purposes, such as opening new accounts.

Organizations that use QR codes internally also face the threat of data breaches and malware infections if an employee scans a dangerous code, particularly if employees scan malicious codes on work-related devices.

How to mitigate QR code risks

The risks of QR codes should not obviate their use in all cases. Rather, they should factor into the risk calculations a bank makes when considering when and how to use them.

There are also a number of mitigating factors that banks can use to ensure they and their customers are using QR codes safely.

• Robust authentication protocols: Financial institutions should enforce multifactor authentication, or MFA, for all QR code-initiated payments and access points, according to VinciWorks, a company that offers compliance training.
  At Duke University in Durham, North Carolina, security policies state that when a QR code links to a site, that site should use single sign-on or MFA for access to combat social engineering.
• Preventing physical tampering: To combat the risk of criminals placing fake QR code stickers over legitimate ones on physical items like menus or parking meters, banks can use digital displays to show QR codes in their applications or on digital screens.
  While this does not eliminate the risk of tampering, it can make it easier for customers to spot and banks to prevent.
• Enhancing transaction transparency: For payment QR codes, the World Bank recommends that applications clearly display the merchant name and a digital signature for the user to validate a payment after scanning the code.
  Real-time notifications for both the payer and payee should also complement the service, according to the World Bank report. Verifying the payee's identity is also critical, especially in request-to-pay frameworks.

Educating consumers on safe QR code use

Banks and credit unions can also educate consumers about QR code risks and safe practices through various channels, including emails, social media, and mobile apps.

Here's how U.S. banks and credit unions communicate these risks to their customers:

• Exercise caution and contextual awareness: Consumers should approach unfamiliar QR codes with skepticism. They must question if the QR code "makes sense in this setting," according to Family First Federal Credit Union.
  Financial institutions, including Signal Financial FCU, also advise customers to be wary of codes received in unexpected emails, text messages, or physical mail. If uncertain, City National Bank advises, "ask an employee to verify it" or navigate directly to the company's official website.
• Physical inspection for tampering: Banks and credit unions also tell consumers to physically inspect QR codes for signs of tampering, such as fresh stickers placed over original codes, uneven edges, or inconsistent placement.
  Schools First FCU tells its customers, "If the edges look uneven, the paper seems newer than its surroundings, or something just feels off about its placement, you might be dealing with a fake code."
• Verify scanned payment codes before processing: This is a crucial step the World Bank advises emphasized in its QR payments report.
  Most smartphones display the destination URL after scanning but before opening. Consumers should check this preview for misspellings, suspicious domain names, or links starting with "http://" instead of the secure "https://," according to the report.
  For payment codes specifically, consumers should verify the displayed merchant name, masked credentials, and transaction details within their banking app before confirming the payment.

Banks and credit unions also advise customers to exercise broader cybersecurity hygiene practices, such as:

• Limiting sensitive information sharing by avoiding entering personal or financial information on websites accessed via QR codes.
• Keep devices up to date to ensure the latest security updates protect the user from novel threats.
• Report suspicious activity of suspected QR code scams or fraudulent activity to the financial institution, local law enforcement or authorities such as the FBI's Internet Crime Complaint Center (IC3) or the Federal Trade Commission (FTC).

QR codes can also improve security

Despite the risks, QR codes can also enhance security when implemented correctly.

Payment QR codes can improve security by containing all necessary transaction details without requiring users to disclose sensitive information like bank account numbers or phone numbers.

In a 2021 report on QR-powered payments, World Bank highlighted two examples of secure standards: CoDi, a payment platform launched by the Bank of Mexico, which encrypts the information in payment QR codes to prevent impersonation; and India's Unified Payment Interface, which uses signed QR codes that include information for verifying the legitimacy of a merchant.

The group also highlighted the QR code specification from EMVCo, used in many payment systems globally, which "does not transmit any confidential information," mirroring the security of contactless transactions, according to the report.

Unified industry standards, such as those being developed by X9 in the U.S., also aim to drive security and reduce fraud through consistent encoding and interoperability.