Contactless payments are at the centre of most businesses these days, but keeping them secure is just as important as convenience. QR codes may well be the future of UK payments, but some users have concerns about the security of the codes themselves. Now, QR code scams aren’t massively common, but they do happen. From tampered codes to data breaches, it’s essential to know how to keep payments safe and secure. Plus, business owners have a responsibility to follow customer data security rules in the UK. Otherwise, there may be trouble!
But it’s not all doom and gloom, and the positive benefits of QR codes outweigh the negatives. So, let’s find out about some of the main QR code security risks businesses may face in 2024 and how to protect your customers from them.
In this article, I will explore:
- The security risks associated with QR codes
- How to identify and avoid any suspicious activity
- How to secure QR code payments in your business
What are QR code payment security risks?
QR codes are exploding in popularity for contactless payments, offering convenience for both businesses and customers. However, their ease of use can create security vulnerabilities. Hackers are exploiting these weaknesses to launch attacks, potentially putting customer data security and your business reputation at risk.
While QR codes themselves are harmless (a code is just an encoded piece of text, usually a web link), the link a code carries can be swapped for one that points to a malicious website, potentially compromising your device’s security and causing data breaches. Let’s identify some of the most common QR code attacks…
Different types of QR code attacks in 2024
QR code phishing attacks, also known as “quishing,” involve fake QR codes that redirect to phishing websites designed to steal your login credentials, credit card information, or other sensitive data. These websites often mimic legitimate ones, making them even more deceptive. Research by Security Magazine showed a 51% increase in quishing during September 2023 compared to the eight months before. A sample of these incidents revealed most quishing attempts involved fake Microsoft two-factor authentication (2FA) resets attempting to gather users’ email addresses and passwords.
Overlay attacks trick customers into using fake payment pages or signing up for subscriptions without realising. Imagine a legitimate QR code on a parking meter with a transparent overlay carrying a malicious code layered on top of it, redirecting users to pay fake parking fees.
Social engineering attacks might involve messages claiming undelivered packages with a “track now” QR code that, when scanned, leads to malware.
Therefore, it’s essential to be cautious when scanning QR codes from unknown sources and to always verify the destination of the QR code before proceeding.
Dynamic vs static QR codes: which is safer?
Static QR codes can be less prone to manipulation: once generated, the content encoded in the code cannot be changed, so there is no account or redirect that an attacker could hijack to swap the destination later. However, they lack extra security measures like password protection or two-factor authentication, and give you no control over who scans the code and where it leads.
The destination of a dynamic QR code can be changed after the code is printed, which means an attacker who gains access to the account that manages it can point it at a malicious link. However, dynamic codes often offer password protection, two-factor authentication, and access control for added security. Better tracking and analytics allow you to count scans, monitor usage, and change the destination when you need to.
So, which is best for your business?
Static codes might be the answer for sharing simple information with a low risk of manipulation. If you need additional security features, tracking, or content updates, try using dynamic codes.
The impact of poor QR code security on your business
Poor QR code security can damage businesses and their finances. Fraudulent transactions can result in stolen bank details, leading to chargebacks and financial losses for the business. Also, if a suspicious code leaks customer data, your business could face fines and legal fees associated with potential lawsuits. Understandably, a security incident like this can damage a business’s reputation, leading to a dip in customer trust and loyalty.
And it’s not just customers who face the wrath of poor security. If your employees scan fake codes, their devices can become compromised, which may lead to system and productivity downtime. Security incidents can create stress and anxiety for employees, impacting their performance.
Plus, some unwanted costs may follow, including adding tighter security measures to prevent future attacks. Damaged customer relationships may follow, as negative publicity can deter customers, leading to decreased sales and revenue. Additionally, businesses may face regulatory action depending on the nature of the data breach and the industry they operate in.
By educating employees and customers about the risks of QR codes, and by maintaining the codes they publish, businesses can avoid these risks and protect their profits.
QR code security checklist for business owners
How you create and maintain QR codes in your business really depends on which payment provider you are using. The steps below take an overall view of QR code security to help keep you safe, but keep in mind that additional measures may be required depending on your service and needs.
- Double-check: Before scanning, manually cross-check the URL in the QR code. Any discrepancies can suggest fraud or tampering.
- HTTPS: Check the destination URL starts with “https://” for a secure connection. Avoid unencrypted links, e.g. “http://”.
- Beware of free generators: Free online QR code generators may insert ads or track users. Use reputable generators with security features. We always provide your business with official codes.
- Educate employees: Train staff on QR code security practices and remind them to avoid scanning unknown codes on their devices.
- Update regularly: If you use dynamic codes, review and update them regularly so they never point at outdated content or a destination you no longer control.
- Monitor your analytics: Track QR code scans to identify suspicious activity.
- Report phishing: If you find a suspicious QR code, report it and remove it immediately.
- Stay vigilant: Update your knowledge about evolving tactics used by cybercriminals.
💡 Use Strong Customer Authentication (SCA) and a multi-factor authentication system to access sensitive information linked to your QR codes.
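The “update regularly” and “monitor your analytics” points above are easiest to act on when the scan records a dynamic code produces are checked automatically. The script below is an added example for this article, not Atoa’s own code: it assumes a provider exports a redirect log in the constructed one-line-per-scan format shown, and flags three things a business owner would want to know about a dynamic code: a scan sent to a host that is not one of yours, a change of destination between one scan and the next, and a sudden burst of scans on a single code.

```python
"""Audit a dynamic QR code's redirect log (added example; log format is assumed)."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: ISO timestamp, code id, destination the scan was sent to.
# TABLE-07 starts pointing at the expected provider host, then is redirected elsewhere.
SAMPLE_LOG = """\
2024-03-01T09:00:00 code=TABLE-07 dest=https://pay.provider.example/t/07
2024-03-01T09:05:00 code=TABLE-07 dest=https://pay.provider.example/t/07
2024-03-01T09:10:00 code=TABLE-12 dest=https://pay.provider.example/t/12
2024-03-01T12:00:00 code=TABLE-07 dest=https://pay.provider.example/t/07
2024-03-01T12:30:00 code=TABLE-07 dest=https://bad-parking.example/pay
2024-03-01T12:31:00 code=TABLE-07 dest=https://bad-parking.example/pay
2024-03-01T12:32:00 code=TABLE-07 dest=https://bad-parking.example/pay
"""


def parse_log(text):
    """Parse '<timestamp> code=<id> dest=<url>' lines into (datetime, code, dest) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, code_field, dest_field = line.split(maxsplit=2)
        records.append((
            datetime.fromisoformat(ts_text),
            code_field.partition("=")[2],
            dest_field.partition("=")[2],
        ))
    return records


def audit_scans(records, expected_hosts, burst_count=3, burst_window=timedelta(minutes=5)):
    """Return a list of (kind, code, timestamp, detail) findings, in time order.

    kind is one of:
      unexpected_host      scan sent to a host outside expected_hosts (reported once per host)
      destination_changed  the code's host differs from the previous scan of that code
      burst                burst_count scans of one code inside burst_window
    """
    findings = []
    last_host = {}        # code -> host seen on the previous scan
    reported = set()      # (code, host) pairs already flagged as unexpected
    recent = {}           # code -> timestamps of scans still inside the window
    for ts, code, dest in sorted(records):
        host = (urlsplit(dest).hostname or "").lower()

        if host not in expected_hosts and (code, host) not in reported:
            findings.append(("unexpected_host", code, ts, host))
            reported.add((code, host))

        prev = last_host.get(code)
        if prev is not None and prev != host:
            findings.append(("destination_changed", code, ts, f"{prev} -> {host}"))
        last_host[code] = host

        # Sliding window: keep only scans within burst_window of this one.
        window = [t for t in recent.get(code, []) if ts - t <= burst_window] + [ts]
        recent[code] = window
        if len(window) == burst_count:   # fire once, when the threshold is first crossed
            findings.append(("burst", code, ts, f"{burst_count} scans within {burst_window}"))
    return findings


if __name__ == "__main__":
    for kind, code, ts, detail in audit_scans(parse_log(SAMPLE_LOG), {"pay.provider.example"}):
        print(f"{ts:%H:%M} {code:9} {kind:20} {detail}")
```

On the constructed log the audit reports, in order, an unexpected host for TABLE-07 at 12:30, the destination change from the provider host to that host, and a burst of three scans by 12:32. The burst threshold and window are assumptions chosen for the sample; tune them to your own scan volumes.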
A quick guide to secure QR scans in the UK for customers
1. Check the source: Scan codes from trusted sources like official company websites or payment providers. Be wary of codes on random flyers or online posts.
2. Preview the URL: If possible, hover your camera over the code. Some apps display the destination URL before scanning. See if it looks legitimate, and avoid following shortened URLs.
3. Use a secure scanner: Consider apps with security features like URL verification and malware warnings or scan our QR codes using Atoa Pay.
4. What’s the destination? Before adding any information, compare the displayed URL with the site address you expected to see. Look for typos or anything unusual.
5. Never enter sensitive data: Avoid entering passwords, credit card details, or other sensitive information on websites accessed through QR codes. For example, we never ask for your bank details.
Remember: Follow the steps, stay informed, and only use trusted sources for secure scanning.
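The checks in the business checklist (“double-check the URL”, “look for https://”) and in the customer guide above (“preview the URL”, “avoid shortened URLs”, “compare the displayed URL with the address you expected”) can be written down as a single function. The code below is an added example for this article and is not Atoa’s code: `check_qr_destination` takes the text decoded from a QR code plus the host you expected, and returns a list of findings (empty if every check passes). The shortener list and all sample links are constructed for illustration; the `.example` domains are reserved names that resolve to nothing.

```python
"""Checklist-style review of the link decoded from a QR code (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative list of public link shorteners; extend it for your own use.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def _belongs_to(host, expected_host):
    """True if host is expected_host itself or a subdomain of it."""
    host, expected_host = host.lower().rstrip("."), expected_host.lower().rstrip(".")
    return host == expected_host or host.endswith("." + expected_host)


def check_qr_destination(decoded_text, expected_host):
    """Apply the checklist to the text decoded from a QR code.

    Returns a list of findings; an empty list means every check passed.
    The checks are conservative: they can say "this is not the link you
    expected", never that a link is safe."""
    findings = []
    parts = urlsplit(decoded_text.strip())
    scheme = parts.scheme.lower()

    # A payment code should carry a web link. tel:, sms:, custom app schemes
    # or a bare string with no scheme are outside what the checklist expects.
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme or 'missing'!r})"]
    if scheme == "http":
        findings.append("plain http: the connection is not encrypted")

    host = parts.hostname or ""
    if not host:
        return findings + ["no host name in the link"]

    # 'https://expected.example@other.example/' shows the expected name first,
    # but the browser connects to whatever follows the '@'.
    if parts.username is not None:
        findings.append(f"user-info before '@'; the real host is {host!r}")

    # Providers publish named domains, not bare IP addresses.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass

    # Non-ASCII or punycode (xn--) labels can render identically to familiar names.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised host name; possible look-alike domain")

    if host in KNOWN_SHORTENERS:
        findings.append(f"{host} is a link shortener; the final destination is hidden")
    elif not _belongs_to(host, expected_host):
        findings.append(f"host {host!r} is not {expected_host!r} or a subdomain of it")

    # A non-standard port is unusual for a published payment page.
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("malformed port number")
    if port not in (None, 80, 443):
        findings.append(f"non-standard port {port}")

    return findings


if __name__ == "__main__":
    # Constructed sample links checked against the host a customer expected to see.
    for link in (
        "https://checkout.pay-provider.example/invoice/42",
        "http://checkout.pay-provider.example/invoice/42",
        "https://pay-provider.example@evil.example/invoice/42",
        "https://bit.ly/3xyz",
        "tel:+441234567890",
    ):
        print(link, "->", check_qr_destination(link, "pay-provider.example") or "passes checks")
```

Run on a phone-side preview or in a back-office tool, the function turns “does this look legitimate?” into a repeatable answer: the expected link passes, a plain-http link gets one finding, a link with a login name in front of “@” is reported with the host the browser would actually connect to, and a shortener is flagged because the final destination cannot be seen.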
Think you scanned a bad QR code?
Don’t panic, but act fast!
1. Disconnect: Turn off Wi-Fi and Bluetooth to stop any data from transferring.
2. Close apps: Shut down anything that launches automatically.
3. Scan your device: Run an antivirus scan for malware.
4. Report the code: Tell the business where you found it.
5. Reset passwords: Update logins for any compromised accounts.
6. Monitor activity: Look out for suspicious or unrecognised transactions.
7. Stay safe: Enable two-factor authentication and update your device’s software.
How we can help
While it’s great to be educated, Atoa takes the QR code security issues that could damage your business off your plate. Atoa offers a secure, PCI-compliant payment solution powered by secure open banking technology. We put safety first so you can deliver a winning experience for your customers.
- Lower fees, higher cash flow: Give steep card processing fees a miss with Atoa’s unbeatably low rates, helping you keep more money in your pocket.
- No chargebacks: Biometric face and fingerprint checks remove unauthorised transactions, meaning no costly chargebacks biting into your profits.
- Reduced costs: Contactless QR codes and payment links mean no card machines to buy or maintain.
- Happy customers and better sales: Rely on our secure and convenient payments that build trust and pave the way for return visits.
Are QR code payments secure?
QR code payments are generally very secure, because the payment itself is carried out over encrypted connections and secure protocols. This protects sensitive data during transmission and prevents unauthorised access. The code is only the starting point, though, so users should avoid scanning QR codes from unknown sources, as they may contain malicious links or phishing attempts.
Are QR codes safer than barcodes?
QR codes have different security advantages and disadvantages compared to barcodes. Their larger data capacity leaves room for encryption and authentication data, and a unique code can be generated for each transaction, reducing the chance of spoofing.
Is it safe to scan a QR code on a restaurant menu?
Scanning QR code menus is convenient, but always be careful. Make sure it’s a restaurant you trust, and check the URL to minimise risk. Remember, if in doubt, ask the staff for a physical menu.
What are the regulations around using QR codes in businesses?
There are no concrete regulations around using QR codes in the UK. However, several existing regulations come into play depending on how you use them, including the General Data Protection Regulation (GDPR). You must follow GDPR rules for data collection, storage, and security. Be transparent about how data is used and get clear consent from customers. If QR codes are used for payments, check your chosen payment provider complies with the Payment Services Regulations 2017.