With any new technology, there will always be new pirates to take advantage of those who haven’t yet caught up. Although they’ve been in use for decades now, QR codes are an example. They’re easier to fake than emails, simpler to manufacture than fake social posts, and all you need is some good, old-fashioned glue to paste them over a legitimate code.

The Parking Scam

Imagine the thrill of finding a parking spot on the street right next to your office. You walk up to the pay-station and like a good citizen you pull out your phone to pay. Oh cool, there’s a Quick Response (QR) code. You’ve been seeing those everywhere since Corona hit. Touchless payment—clean and quick. You scan the barcode with your phone and go on your merry way to work.

When you come out of your office, you are surprised to see a parking ticket on your car. Upset, you log into your account to see that you paid and that’s when strange things start to happen. On the city’s official parking site, you see no record of your payment. Frantic, you open your bank account to see if you were charged for parking by Quick Pay Parking.

Retracing your steps over and over in your mind, you finally stumble upon the QR code you scanned, but it was attached to the parking pay-station itself! A call to the city’s 311 confirms that there are over 100 fraudulent QR phishing codes on pay stations throughout the city of San Antonio.

San Antonio, Houston, and Austin have been frantically trying to remove the fake QR phishing codes and to alert the public to the scam. San Antonio Police Lt. Marcus Booth said he thought drivers had used the phony website and were victims of hackers, although he didn’t have a number yet.

Too easy to fake

QR codes are an old technology that has been around for 27 years. They started off as a scanning tool to keep track of cars on Japanese manufacturing lines. As a public payment tool, their popularity waned until Corona hit. People who were suddenly anxious and fearful of touching potentially infectious surfaces didn’t want to touch menus or screens, hence the return of QR codes.

“See our menu from the contactless safety of your phone.” It sounded great and worked, but that’s the thing with scammers: they attack using the latest news and trends. Hackers have caught on to the renewed use of QR codes and created QR phishing codes with fraudulent links.

Most cities, including the three targeted Texas cities, don’t offer payment by QR code because they’re just too easy to hack. The problem is that the public doesn’t know this. Add in the explosion in use of QR codes as a contactless technology, and the sum is a catastrophic situation for shoppers. Now, the FBI has gotten involved and issued a warning to customers about paying with QR codes.

People are trained to look at emails cautiously, but we don’t seem to apply that same logic to QR codes. I’m in a store, I see a sign, it’s on a payment station so it must be OK. Right? Wrong!

Coming to a sticker near you - how QR fraud works

It’s very easy for a hacker to enter a place of business and attach a fake QR code over a real one. Victims don’t notice the URL that’s slightly off or the QR code that’s actually a sticker. The links can direct you to malicious sites that trick you into sharing your credit card information and passwords, or else install malware on your phone. With malware, hackers can access your mobile device and steal money from your accounts.

While this fraud originated in Texas, it’s not expected to end there. Parking meters and QR codes are everywhere, and because QR codes are touchless, they are here to stay.

How to protect yourself from QR fraud:

  • Be alert to what you are scanning
  • Look at the URL before entering information
  • Use an extension that protects your phone from malicious sites
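
The "look at the URL" step can also be automated by a scanner app or by the operator of a pay station. The sketch below is an added example, not code from this article or from any city's system: it checks the text decoded from a QR code against an allow-list and explains why a link is rejected. The host name `parking.cityname.example`, the sample links and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list: the hosts the operator really publishes (assumption).
OFFICIAL_HOSTS = {"parking.cityname.example"}

def check_qr_url(payload, official_hosts=OFFICIAL_HOSTS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "block", ["unparseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username or parts.password:
        reasons.append("text before '@' is userinfo, not the host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised host, possible look-alike letters")
    if host not in official_hosts:
        # Closest official name, to tell a near-miss from an unrelated host.
        best = max(official_hosts, default="",
                   key=lambda h: SequenceMatcher(None, host, h).ratio())
        near = SequenceMatcher(None, host, best).ratio() >= 0.8
        embedded = any(h in host for h in official_hosts)
        if best and (near or embedded):
            reasons.append(f"host {host!r} imitates {best!r}")
        else:
            reasons.append(f"host {host!r} is not on the allow-list")
    return ("block", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    # Constructed sample payloads, as a sticker over a real code might carry.
    for sample in [
        "https://parking.cityname.example/pay?zone=12",
        "https://parklng.cityname.example/pay",
        "https://parking.cityname.example.quickpay.example/pay",
        "https://parking.cityname.example@203.0.113.7/pay",
        "http://parking.cityname.example/pay",
    ]:
        print(sample, "->", check_qr_url(sample))
```

Only an exact host match over HTTPS is allowed; a one-letter swap, the official name used as a subdomain of another site, and the official name placed before an `@` are all blocked with a reason a person can read.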