After cities in Texas noticed fake QR stickers on parking meters that divert payments to scammers, other cities began issuing "quishing" alerts.
During the COVID-19 pandemic, people have become accustomed to using their smartphone cameras to scan small black-and-white square barcodes, allowing them instantly to do everything from access restaurant menus to pay bills.
Scanning a Quick Response, or QR code, is convenient and easy. And it is contactless, which can make people feel safer in public places such as restaurants, many of which substituted the codes for paper menus.
But cybersecurity experts say QR codes also created new opportunities for fraudsters, who can tamper with them and direct victims to malicious websites to steal their personal and financial information.
“During the pandemic, they looked at how people were engaging and ways to manipulate that,” said Angel Grant, who tracks QR code fraud as vice president of security at F5, a Seattle-based app security company. “Cybercriminals always look for disruption to cause disruption.”
One of the newest QR code scams has targeted drivers at pay-to-park kiosks in several large Texas cities.
The scammers slapped stickers with fake QR codes on the pay stations. Drivers who scanned them were directed to a website that asked them to enter their credit card or bank account information.
Just this month, another fake QR code scam targeting drivers popped up in Atlanta. Officials there reported that drivers were finding fake parking tickets with QR codes on their cars, directing them to a phony website. Real parking tickets in Atlanta don’t use QR codes.
And sham QR codes aren’t just showing up in parking-related scams. They’ve cropped up on billboards, online ads and in phishing emails, which are designed to trick people into divulging personal information.
Last month, the FBI issued an alert about cybercriminals tampering with QR codes to steal login and financial information. It said the codes not only can redirect payment using phony links but also can contain embedded malware that lets a criminal gain access to a victim’s mobile device and financial and personal information.
“It is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI warned. “Law enforcement cannot guarantee the recovery of lost funds after transfer.”
While there is no data on how frequently QR code fraud occurs nationwide, the Better Business Bureau has been seeing a spike in reports about it in the past year. In July, it issued an alert, saying that people may get an email, a direct message on social media, a text message or a piece of mail with a fake QR code. Scanning it can send them to a fraudulent website or automatically launch a payment app.
Among the scams are those dealing with student loans and cryptocurrency.
“Scammers hope you will scan the code right away without taking a closer look,” the organization said.
Grant, of the app security company, said she started noticing a surge in QR code scams during the pandemic.
“We saw a huge increase of people using QR codes because of the convenience and the contactless experience,” she said.
Some of the scammers target people looking for coupons or promotions online or send them an email saying to scan a code to pay their bill, she said. Fraudsters have even struck at restaurants, where they’ve replaced real QR codes taped to the table that patrons can use to pay for their meal.
“A lot of people have heard of phishing or smishing,” she said, referring to phishing that uses text messages. “This is quishing—using a QR code.”
Grant said she’s also seen more forums on the dark web dedicated to helping cybercriminals understand how they can use QR codes to scam people.
“It’s a balance between security and convenience, and people aren’t thinking twice about QR codes,” she said. “Most people have been trained not to click on something in an email, but we really haven’t been educated about QR codes. If you see one taped on the table at a restaurant and it doesn’t look right, don’t scan it. Just ask for a menu.”
The Texas cities that found fake QR codes on their pay-to-park kiosks have hands-on experience dealing with this new form of scam.
Officials first discovered the scheme in San Antonio in late December, and the following month, in Austin and Houston.
“It’s unfortunate that this scam happened in Austin,” said Jason Redfern, the city’s parking manager. “It’s definitely taught us some lessons and showed us a vulnerability that we’re working very hard to close the loop on, so people will know not to scan the QR code.”
Although it appears that so far only Texas cities have been hit by the scam, the Massachusetts State Police issued an alert last month to cities and towns.
“This scam is enticing because QR codes are known for speed and convenience, so a user might prefer this type of payment method to the use of cash or credit card at a pay station,” the agency warned.
In Framingham, Massachusetts, police put out a similar warning, noting that the city does not use QR codes.
Nor do any of the three Texas cities that have experienced the problem.
San Antonio Police Lt. Marcus Booth told reporters in December that the QR code stickers were sprinkled on 20 to 40 parking pay stations downtown. He said he thought some drivers had used the phony website and been victimized, although he didn’t know how many.
Police spokesperson Mariah Medina told Stateline the department had no additional comment because it is an open investigation.
After San Antonio was struck, officials there notified other Texas cities.
Redfern, Austin’s parking manager, said staffers checked all of the city’s 900 pay station kiosks in January and discovered phony QR stickers on 29 of them, mostly downtown.
The scammers’ web address was somewhat similar to that of the real company that processes payments for city parking, but instead of a .com address it used .xyz, which was a red flag, he said.
Redfern said the city had considered using QR codes for its parking but decided against it. “We were concerned about fraud. And rightfully so, it turns out.”
Parking officials notified the Austin Police Department and the city’s court system, in case people thought they had paid for parking when they hadn’t. So far, Redfern said he hasn’t heard that anyone got scammed.
The city is fighting back against the fraud. Now, when drivers touch the kiosk screen to pay, a warning about the QR code scam pops up. Officials also will be adding similar language to pay-to-park signs along streets, Redfern said, and will be placing stickers on all 900 pay stations showing a QR code with an X through it.
Austin, like many U.S. cities, allows drivers to use a credit card or cash to pay for parking. They also can use a city parking app that ties their license plate to their credit card, Redfern said. But it requires multi-factor authentication, a security technology that confirms identity before someone logs in, usually through a randomized one-time password or number sent to a smartphone or email address.
In Houston, which also uses a credit card, cash or app system, Maria Irshad, assistant director of ParkHouston, said staffers found 10 phony QR code stickers on its more than 900 pay stations last month.
Now, when staffers service or collect money from parking kiosks, they routinely check to make sure there are no unauthorized stickers.
“It seems like the pandemic brought QR codes to the forefront where people got comfortable using them,” Irshad said. “But consumers need to be aware of what sites they’re going to. There are bad actors out there.”