QR codes cannot ‘force’ a payment

Since the COVID-19 pandemic began in 2020 and social distancing became a common practice, contactless forms of payments have taken off in popularity. Some contactless payments use QR codes that customers can scan with their smartphones, which then allows them to pay with a credit card.

A QR code is a square-shaped barcode designed to be read by digital devices. The default camera app on most modern smartphones can read these codes, which will take the user to either a website or an app. 

One concern people have with QR codes is that there isn’t a reliable, consistent way to see what it links out to before actually scanning it and following its link, which creates opportunities for scammers to trick people.

Josh texted the VERIFY team with a question about one security concern: “I heard some QR codes can ‘force’ a payment to be made, especially if your cards are stored on your phone. Is this accurate, too?”

Can a QR code force a payment?

No, a QR code cannot force a payment. QR codes can only take you to an app to pay or to a website to checkout, both of which require the user to click at least one additional button before the payment goes through.

Whether the code sends you to a payment website or a payment app, there is always at least one additional step between scanning the code and finalizing the payment.

EMVCo, the global standards organization for card-based payments that’s collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, supports two types of QR-based payment methods, merchant-presented and consumer-presented, an EMVCo spokesperson said.

Most people think of merchant-presented purchases when they think of paying with QR codes. In this kind of purchase, the consumer scans the QR code using a mobile pay app like Google Pay or Apple Pay. Once they’ve done that, the customer will either manually enter the payment amount, or they will simply see a payment amount automatically loaded onto their screen. The consumer then confirms the payment, which might also require the user to enter a passcode, scan their fingerprint or pass another security method before the payment can go through.

In a consumer-presented purchase, the merchant enters the payment amount into an in-store payment terminal, the consumer uses an app to generate a QR code onto their phone and then the merchant scans the QR code to finalize the purchase.

“For both types of EMV QR Code payment, this means that payments cannot be ‘forced’ or made without a consumer’s knowledge,” the EMVCo spokesperson said.

Both Google Pay and Apple Pay confirm that customers must enter a pin code or open another security lock like facial ID before they can make a payment through either app. QR codes compatible with the Paypal app contain the Paypal logo at their center, and customers are prompted to confirm their payments through the app.

But there are some QR codes that take potential customers to a checkout page on a website instead of a payment app to complete their purchase.

Once on a checkout page, a customer must still input their payment information and hit a button to confirm their purchase. 

VERIFY could find no warnings from government agencies, cybersecurity companies or organizations about scammers forcing payments through QR codes, and there were no accounts of customers falling victim to such scams, either.

How scammers can use QR codes

Scammers use QR codes much the same way they use email or text message: by tricking you into entering your personal information into a phishing website, or by taking you to a link that will install malware directly onto your phone.

“At worst, a crook can download malware or direct you to a fraudulent website to try to steal your money, grab your personal and financial data or log-in credentials, and wreak havoc,” the AARP says of malicious QR codes. “Your online financial accounts, peer-to-peer payment apps, contacts, social media accounts and photos are among the things that could be compromised.”

Some scammers will paste their own QR code over top of a store’s QR code so people scanning it will end up unknowingly sending their payment to the scammer instead of the store, Trend Micro, an antivirus company, says. Scammers will also place their QR codes where people might expect to make a payment, a parking garage, for example, to again trick victims into paying the scammer instead of whoever they intended to pay.

AARP and Trend Micro offer several tips to reduce the risk of falling victim to a QR code scam:

• When scanning a QR code at a store or restaurant, double-check to make sure the one you’re scanning isn’t pasted over another QR code. You can do this the same way you would check if something is a sticker.

• If a QR code takes you to a website that requires personal information, your credit card number or checkout confirmation, double-check the website’s URL and look for misspellings on the page. If the URL doesn’t match up with what it’s supposed to be, has misspellings or the page’s contents has bad grammar, then there’s a good chance the website was setup to deceive you.

• Only use QR codes to pay trusted merchants or people you know.

More from VERIFY: Yes, scammers can use QR codes to steal your personal information