
5 ways you can protect your small business clients against QR code scams

Friday, September 02, 2022

Quick Response (QR) codes are on the rise.

Also on the rise? QR code fraud.

While QR codes might seem like they popped up overnight, they’ve actually been around since 1994. So why the sudden growth? One major factor is the pandemic.

With the increased demand for touch-free transactions, social distancing and safe check-out experiences brought on by the coronavirus, QR code tech has resurged in popularity amongst restaurants, retail stores and other businesses.

According to the Global Payments 2022 Commerce and Payment Trends Report, 60% of merchants plan to take QR code payments this year alone. And by 2025, QR code payment users are expected to exceed 2.2 billion, equating to 29% of all mobile phone users globally.

But small business owners and customers aren’t the only ones who have their eyes on QR codes. Earlier this year, the FBI issued an alert, warning of a significant spike in QR code cybercriminal activity.

With QR code use steadily climbing, ignoring the threat that comes with it is no longer an option. To ensure your clients — and their data — are protected, consider making it a top priority to educate them on how to prevent QR code scams.


First things first. QR codes: Why are they so popular?

QR codes offer a wide range of uses for small businesses, from social media to personalized in-store shopping, contactless restaurant menus, product packaging, coupons, gift cards, loyalty cards and more.

One of the areas where QR codes shine most is payments.

With the ability to scan from both paper and screen via a smartphone camera, all customers need to do to check out is pull out their phone, scan the code and pay online. This keeps the payment process on their personal mobile device, and in their own hands, the whole time.

Sounds great, right? Well, it’s not all black and white. The reality is, where there’s an advancement in payment technology, there’s also a shiny, new target for fraudsters.


QR code payments fraud: How does it work?

Scammers are exploiting this technology in two major ways:

  1. Overlaying a legitimate QR code with a fake code that sends consumers to a malicious site the scammer controls, inviting consumers to input their payment information.

  2. Using altered codes to download malware onto the consumer’s smartphone when they scan the fake QR code, gaining access to the victim’s device, bank accounts and more.

The goal of these scams? To steal personal data and financial information from the consumer.

Don’t hit the panic button yet. There’s good news: You can take plenty of steps to help your clients stop QR code fraud in its tracks.

5 defenses against QR code fraud


1. Create unique QR codes with customized branding.

With free QR code generator sites, creating codes is easier than ever — for your clients and hackers. One of the best ways to make QR codes more difficult for fraudsters to replicate is to incorporate unique branding.

To increase security, it’s best to instruct your clients to stay away from premade elements offered in the QR code generator’s gallery. Instead, you should encourage them to place a specialized, high-resolution illustration or icon, like a proprietary logo with the business name or mascot, in the center of the code. They can even customize the design of the data pattern and reshape the edges of the code itself to further distinguish it from generic ones.

Another way to customize? Move beyond black and white! Let your clients know they can play with the color palette and colorize the code with their business’ signature brand colors. They can also add distinctive frames around the QR code, displaying colorful borders and a clear call to action. The background of a code can be altered as well with an image, shape or solid color.

The less generic a code looks, the more difficult it will be to replicate. But be sure to warn your clients not to over-customize their QR codes and compromise readability!


2. Audit current QR codes.

The next step is to have your clients audit all their existing QR codes for signs of tampering. This can include overlaying a physical QR code with a sticker of a fraudulent QR code or altering a legitimate code to redirect customers to a website the hackers control.

A thorough audit should cover not only checking for signs of physical misuse, but testing out the URL and online form of every QR code displayed in the business.

When conducting an audit, using a QR code verifier can be a big help. Several antivirus companies have created QR code fraud-detection apps in answer to the spike in scams.

What does that mean for your clients? Taking advantage of this extra precaution could remove the guesswork and replace it with peace of mind.

Business owners can use the app of their choice on their smartphones to help verify QR codes by simply scanning the code with the app to test if it would take them to a legitimate or unknown URL. If the app alerts the user that the code is sending them to an unknown URL, they can then report it for inspection through the app.


3. Protect exposed QR codes.

QR codes located in easily accessible or exposed areas, like outdoor patios and street-side tables, are low-hanging fruit for scammers to pick.

So why invite the risk of leaving out unmonitored codes?

One simple measure you can encourage your clients to adopt to prevent after-hours tampering is to bring any outdoor QR codes inside after close of business.

They can also better protect their QR codes by paying a little extra attention to what they place those codes on in their outdoor areas. Tell your clients to consider swapping out plain paper table tents that are easily replicated for card stock with a unique print, design or content that speaks to the business. They can add another level of protection by encasing the code with plastic sign holders or lamination.


4. Train staff to monitor QR codes for tampering.

A small business’ best defense is an educated staff.

It’s a good practice for your clients to train their staff to regularly watch for the placement, branding, colors, appearance and wear of the QR codes. For example, if a QR code sticker looks brand new but the signage it’s living on is old, that’s a red flag.

Aside from physical cues, it’s also a good practice to apply the same tactics used to detect phishing emails to identify risky QR code sites. If something looks off, it probably is.

A common tell to educate your clients on is the URL name. Their staff members should double check the URL they're directed to when scanning a QR code. Some smartphone cameras offer a preview of the domain name before routing the user to the intended destination. Fraudulent domain names could be similar to the intended URL but contain typos, wording that is slightly different or even display shortened versions of the real URL.
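The URL check described here, and the audit of every displayed code in step 2, can be written down as a small script. This is an added example, not something from Heartland or the apps mentioned above; the expected host, the shortener list and the sample codes are all assumed values made up for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; replace with the business's own.
EXPECTED_HOSTS = {"pay.example-cafe.test"}          # hosts the codes should open
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # partial sample list

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_qr_url(decoded: str) -> str:
    """Return a verdict for the text decoded from one QR code."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "suspicious: malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious: not a web URL"
    if host in SHORTENER_HOSTS:
        return "review: shortened URL hides the destination"
    if host in EXPECTED_HOSTS:
        return "ok" if parts.scheme == "https" else "suspicious: not https"
    for good in EXPECTED_HOSTS:
        # Typo-style near miss, or the real host used as a prefix of another domain.
        if edit_distance(host, good) <= 2 or host.startswith(good + "."):
            return f"suspicious: lookalike of {good}"
    return "unknown: host is not on the expected list"

# Constructed audit sheet: where each code is displayed -> what it decodes to.
SAMPLE_CODES = {
    "patio table 4": "https://pay.example-cafe.test/table/4",
    "front door":    "https://pay.examp1e-cafe.test/table/4",
    "counter card":  "https://bit.ly/constructed",
    "window decal":  "https://pay.example-cafe.test.checkout.test/t/4",
    "menu board":    "http://pay.example-cafe.test/menu",
}

def audit_all(codes: dict) -> dict:
    return {place: audit_qr_url(url) for place, url in codes.items()}

if __name__ == "__main__":
    for place, verdict in audit_all(SAMPLE_CODES).items():
        print(f"{place:14} {verdict}")
```

Any verdict other than "ok" is a prompt for a person to inspect the physical code, not proof of fraud.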

After following the URL, staff should look out for misspelled words, pixelated logos or strange grammar as indicators that the code has taken them to a malicious site.

If the URL isn’t exactly what it’s expected to be or the site appears suspicious, your clients should establish a protocol for staff to report it as potential fraud to their manager as soon as possible. Your clients can then review the code in question and notify their local FBI field office or the FBI Internet Crime Complaint Center.

Advising your clients to make QR code inspection a part of their staff’s daily routine will enable them to regularly ensure their codes won’t lead customers to dangerous sites.


5. Educate customers on cybersecurity.

The more people who are aware of QR code fraud, and how to prevent it, the better. Don’t let your clients leave customers in the dark!

To add another layer of security, your clients should empower their staff to share their expertise on spotting malicious QR codes with customers. They can make it a basic practice for staff to share QR code safety information with customers who express concern and disclose the steps the business has taken to ensure the codes haven’t been tampered with.

At a minimum, your clients’ staff should encourage customers to double check the QR code and inspect the full URL for anything suspicious to ensure the site is safe before entering sensitive credit card information.


Secure solutions

Contactless payments aren’t going anywhere. But neither are fraudsters.

Helping your clients stay vigilant against potential fraud is crucial to creating an environment where both small businesses and customers feel safe. You can play an important role in making this happen, and we can help you do it.

Heartland offers industry-leading security solutions that enable you to stay a step ahead of cybercriminals, so you can keep your clients’ businesses and data safe. Check out our offerings and start connecting your clients to security tools they can rely on.

Not a Heartland dealer yet? Become part of the Heartland dealer channel today and discover all the ways we can help you grow your revenue stack.


Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at Heartland.us.