As our world becomes increasingly digitized- with the rise of food delivery services, QR Code Menus and online orders- it's more important than ever for restaurant owners and employees to become familiar with the latest threats to their business. QR scams have become particularly prevalent after the onset of the pandemic.
While there’s no method that is 100% effective at preventing and eliminating new threats to businesses and their patrons, becoming familiarized with the way scammers work can save a business- whether its family-owned or a mega franchise- from taking a hit.
1. What are QR scams and how do they work?
A QR code is really just a different way to distribute a website address. Similar to a traditional phishing scam, in a QR code, a fraudster will trick victims into believing a specially crafted QR code will lead them to a legitimate website or app, but instead it leads them to a site or app that they control.
That site may initiate a download of malware onto the visitor’s system,or attempt to fool the victim into giving up payment data or sensitive information in order to steal their identity. Earlier this year, the FBI issued a warning about the increasing prevalence of cybercriminals tampering with QR codes to direct victims to sites that steal log-in or payment information.
2. Why are restaurants particularly vulnerable?
QR codes did not immediately catch on in the U.S. One reason more people use them these days is that they facilitated contactless interactions during the pandemic – a godsend for restaurants especially. Patrons can simply scan a QR code to view a menu, order, and pay.
Since people have become more accustomed to scanning QR codes in restaurants, they may be less wary and more likely to scan a malicious QR code posted by an attacker over top of a legitimate QR code. That code may lead to a website made to look like the restaurant’s and ask the visitor for their payment information to begin their order. At that point, the customer has unwittingly given up their payment information to a criminal.
3. What can restaurants do to protect themselves and their customers?
For the most part, malicious QR codes direct victims to fake websites impersonating a trusted brand. So, restaurants should work to protect their brand online by scouring the web for impersonations of their brand online and seeing to it that those scams are taken down.
In addition, restaurateurs should regularly inspect any promotional materials posted in their dining rooms that include QR codes. QR codes may be found on stickers placed on tables, printed on tabletop promotional materials, on menus, or simply posted on walls. They should also regularly inspect the facade of their building to see if unauthorized QR codes have been posted there offering delivery services and the like. Look for signs of tampering and take action immediately if anything looks suspicious.
Consumers should consider doing the same in terms of inspecting posted QR codes for signs of tampering. Trust your gut – if the QR code doesn’t look right, don’t use it. In addition, inspect the URL of the site/app to which you’re directed and don’t be shy about asking a server to confirm that the site or app is valid. Also, take note if the site/app you’re directed to seems to be asking for more information than would be necessary for ordering food, etc.
4. What places are considered "safe" places for QR codes?
People – restaurant owners and patrons alike – should apply the same scrutiny to QR codes that they do to unexpected emails, SMS messages, social media messages, etc. Any new technology adopted by businesses to improve the customer experience will also capture the attention of fraudsters looking for ways to exploit it for monetary gain.
5. How can restaurants stay safe without ruling out the use of QR codes?
Regularly inspect any posted QR codes for signs of tampering and educating patrons about what to look for to ensure the destination site is legitimate can help. In addition, monitoring the internet for fake websites that use the restaurant’s logo, brand name or other marketing assets can help stop the problem at the source. In addition, take customer reports of impersonation scams seriously and ensure that staff is made aware of them.
6, How can restaurants guarantee their clients a QR code is legit?
No technology can really ever be 100% guaranteed secure. Handing QR codes out (such as those printed on menus) instead of posting them might mitigate the risk of tampering. This way staff can regularly inspect the QR codes before they’re distributed to customers.
7. Are there other brand/cyber scams that the restaurant industry should be aware of?
Scammers have taken notice of the increased popularity of food delivery. In some cases, scammers will publish fake food delivery service websites and fake restaurant sites to steal victims’ payment information and/or charge them for food that never arrives. In other cases, scammers will also post fake jobs to fool people into applying and giving up sensitive information about themselves.
Scammers will also create fake social media accounts impersonating a restaurant brand offering outlandish, fake promotions and directing the victim to a fake site or app that simply steals their personal or payment information.
Finally, scammers will create fake versions of a restaurant’s mobile app and publish it on third-party app stores. Instead of facilitating food orders or loyalty point management, the app will steal a user’s credentials in order to take over the victim’s account. The scammer may then siphon loyalty points or order food on the victim’s dime.