QR code hijacking can divert donations to criminals

QR codes are immensely popular but also immensely open to fraud when they are used in public spaces and forums. Hijacking donations is one example of how bad actors can take advantage of your reliance on QR codes.

QR code hijacking can divert donations to criminals

It's not uncommon that I see campaigns on social media asking for donations for pressing and commendable human interest efforts. What has caught my eye is an over-reliance on QR codes in the shared graphics. My concern is how simple it is for people with ill intent to simply edit those graphics and share them with a different QR code. A QR code that redirects any donations to their own accounts, and exploits the trustworthiness of the person or organisation behind the campaign.

The primary dilemma is how hard it is for humans to notice differences between QR codes. Or understanding any of their content, really. And from what I've seen, there is a growing, misplaced trust in QR codes that makes many people ready to scan pretty much anything without a second thought.

Scanning a QR code really doesn't encourage people to double-check they end up in the right place. It encourages speed and not thinking too much.

If people scan a QR code on a graphic that looks like the real deal and end up on a donation page, what would make them not donate? There would have to be a considerable amount of due diligence before suspicions arise. And are people encouraged by campaign owners to be careful and look for signs of fraud? Not often.

💡
The only way for the potential donor to realise they are on the right or wrong page is if they know beforehand what it is supposed to look like and/or if they know the official web address (url) and make sure to verify this.

How does it work?

It's quite simple. Bad actors download your graphic and insert their own QR code on top of yours. Their QR code leads to a different payment gateway but is designed to seemingly support the same goal. It's virtually impossible for anyone to spot the difference in the graphic. And most people aren't even looking for a difference.

Then the bad actors publish their manipulated graphic and use words that are in support of your campaign, making it seem like they are boosting and advocating for your campaign. It's hard not to be flattered by this. You may even like or repost their kind words.

Example of two campaign images that look the same but have different QR codes. One is the original, one is fake.

Con artists will likely use their graphic in own posts on different accounts but also when commenting or reposting, trying to spread it as much as possible. Their best hope is for people to mistakenly use their version of the graphic as much as possible. Even if it's just a few people, it's a cheap scam to pull off.

Social media scenario

Imagine you are a campaign owner who has produced a graphic asking for donations, encouraging people to scan a QR code. You see someone on social media posting your graphics and encouraging to donate to your efforts. It's likely full of praise for you and your mission. It makes you happy and proud, so you republish it and thank them.

Now what if I told you that person was not actually posting your graphic, but a manipulated one with their own QR code in place of yours. So now you've repeated their version of the image to all of your own followers, essentially endorsing it and helping them in their deceptive efforts.

Recommendations

  • If you are a campaign manager,
    • don't rely on QR codes in graphics on social media,
    • print out official links with official, recognizable domain names,
    • use a landing page on your official website with a link to the payment gateway, rather than link directly to a payment gateway,
    • on social media: post the link to your own landing page, not QR codes.
  • If you are a donor,
    • avoid scanning QR codes when you are not extremely confident that it will take you to an address that you know of beforehand and can double-check,
    • ask for the official link – the full web address – to the page where donations are to be made, and double-check it before sending your money,
    • or alternatively, head over to the organisation's web page to find the campaign and donation link on the domain you trust.
  • Whoever you are,
    • don't repost graphics from accounts that are not affiliated with the campaign owner,
    • find the official channel and republish their posts about the campaign,
    • and alert campaign owners of these risks if they don't seem to be aware.

Remember, web addresses on campaign material can also be edited. This is usually more obviously found out, and especially by campaign owners themselves who can see that the address is the wrong one. That's why criminals love QR codes. But sometimes criminals are also able to register domain names that are very similar to the original ones, requiring a more close look.

All this underscores the need for a recognizable domain name for official communication. Do take this seriously to avoid publishing material that can be manipulated to funnel money to illegitimate people and organisations.