As amazing and practical as QR codes may be, fraudsters have taken notice of their popularity. Similar to an email phishing scam, a QR code scammer will create their own QR code that purports to direct a user to a legitimate site, but instead sends the victim to a malicious URL.
That URL may download malware onto the visitor’s system, or convince the victim to provide payment or other sensitive data in order to steal their identity. The FBI recently warned of the increasing prevalence of QR code scams aimed at stealing credentials or payment information from victims.
- How do QR scams work and what makes restaurants particularly vulnerable to these?
Some people’s first experience with QR codes occurred at restaurants during the pandemic because they allowed for contactless interactions. It’s hard to argue with their convenience – patrons simply scan a QR code to view a menu, order food and pay their bill.
Because of the seamless experience, however, customers may not apply the same scrutiny to the website or mobile app that a QR code directs them to. If the malicious QR code destination impersonates the restaurant brand, the visitor may enter their payment information without thinking twice. But, at that point they’ve essentially handed over their payment card to a criminal.
- Is there a way to take down the fake website QR codes lead to?
Absolutely. If a business identifies a website abusing their brand to defraud its customers, they can take a number of actions. Many businesses, however, only identify a fake website after a customer has called to complain about fraud.
Online brand protection technology, however, finds online scams before a single person falls victim. That’s because scams are found when an attacker is still configuring and testing the site. Online brand protection vendors have also built trusted relationships with internet service providers, registrars and more to increase website takedown success rates and reduce the time it takes to knock down a malicious website.
5. What can be done once a fake website is found?
If you have not contracted with an online brand protection vendor, once you’ve identified a fake website, report it to the search engines, relevant hosting providers, antivirus vendors and other relevant providers. Be sure to gather evidence of the fake website such as screenshots.
Then, identify the hosting provider and registrar for the fake website and research their abuse reporting process. Finally submit the takedown request and continue to follow up. For more details, see our guide to online brand protection. If website takedown is not a core competency of your organization, contract with an expert – it will save you time and money and protect your brand and customers more effectively.
- Are hotel guests targets too?
Unfortunately, yes -- any patron of a business that uses QR codes as part of the customer experience might be targeted. In addition, hotels may make more use of QR codes than restaurants. Be sure to look for suspicious QR codes posted near ATMs, vending machines, and anywhere else there may be payment interactions that are not facilitated by a staff member.
- What are the potential consequences for both customers and businesses?
Regardless of whether the business has done anything wrong, 63% of consumers blame that business for phishing attacks or spoof websites that impersonate its brand. In addition, customers that don’t trust a business will spend less money there, (if they ever buy there again) and will dissuade others from buying there.
- What are other brand and cyber scams that the hospitality industry in general should look out for?
As interactions with restaurants, hotels, bars, etc. increasingly involve online interactions, scammers are continually on the lookout for ways to exploit consumers’ trusted relationships businesses.
They will publish fake websites impersonating a hospitality brand to steal victims’ payment information and/or charge them for goods or services that they never receive. Scammers have also begun posting fake jobs to fool people into giving up sensitive information about themselves as part of an application.
When it comes to social media, fraudsters also create fake social media accounts impersonating a brand and promoting outlandish, fake discounts that then direct the victim to a fake site or app that steals their personal or payment information.
In other cases, scammers will create fake versions of a business’s mobile app and publish it online. Instead of allowing a user to manage their loyalty account, for example, the app will steal the customer’s credentials in order to take over the victim’s account. The scammer may then make use of or steal loyalty points.
- What are the most proactive ways the hospitality industry can stay safe and protect their customers?
Most hospitality businesses interact with or advertise to customers in some way online. It’s more important than ever to know whether unauthorized parties are making use of their brand online to defraud your customers.
Advances in online brand protection technologies have made it easier to look for impersonations of your brand online across websites, social media platforms, and third-party mobile app stores. And in many cases, thanks to the benefits of artificial intelligence and automation, many of these scams can be caught closer to the beginning of their lifecycle and stop fraud before it starts.
About the Author
Josh Shaul is the CEO of Allure Security.He is known as a visionary security leader with expertise in building teams, creating strategy, and driving growth for security companies of varying sizes. He is passionate about providing comprehensive digital protection to businesses while inspiring trust and confidence in their customers and clients. He is recognized as a leader with strong diplomatic skills, a natural affinity for cultivating and nurturing global relationships and for possessing unwavering personal ethics and integrity.