The shift to digital banking and payments is enabling cybercriminals to steal consumers’ login and financial information using quick response (QR) code manipulation. The FBI has responded, issuing a warning and associated guidance on QR code payments for consumers, leading companies and analysts alike to reexamine the state of play.

QR codes — a type of matrix barcode — are being leveraged by service providers from public parking garages to restaurants, as well as for real-time and contactless payment solutions. Fraudsters can create new QR codes or manipulate and attack existing ones, giving them access to sensitive financial information at the point of payment, Zilvinas Bareisis, head of retail banking at Celent, told Bank Automation News.
“Many QR codes don’t initiate the payment directly, but instead take the customer to a checkout site where they present their payment details,” Bareisis said. “Intercepting those payment details for subsequent fraudulent use is the main concern, along with installing malware on consumer devices.”
The increasing acceptance and ease of use of QR codes can come at a cost, said Steve Goddard, fraud market expert at machine learning anti-fraud vendor Featurespace.
“QR codes are increasing in popularity across the globe, and the benefits to the consumer are evident,” Goddard told BAN. “However, fraud concerns have grown in tandem. Fraudsters can take advantage of security flaws in a developing sector, which creates risk for both the consumer and financial institutions.”
The FBI warning specifically mentions QR codes as a vector for both fraudulent payments and malware, which allows cybercriminals to retrieve personal information from victims, steal their passwords and gain access to other applications.
For banks, the risk is a loss of consumer confidence if fraud against their customers continues unchecked. Consumer education is key, Jeff Pollard, analyst at Forrester, told BAN.
Banks need to “provide training, support and walkthroughs to help explain what to look for, what might be suspicious, and what to avoid,” he said.



