July 15, 2026 · 4min read

QR Codes Aren’t the Problem. The Fraud Behind Them Is.

Banks and regulators are treating QR code fraud as a scanning problem, with bad actors manipulating people into scanning the wrong square. That framing misses where the real exposure sits: fraudulent merchant onboarding, weak sub-account controls, and payment flows with no room to recall funds once they’ve moved. 

Forrester reports fraud involving QR codes, SIM swaps, and fake payment apps rose 15% across APAC in the past year and the region’s most advanced regulators are already responding by targeting the ecosystem, not the scan.1

In other words, the industry is defending the wrong layer. Here’s how to correct course.

Key Takeaways

  • QR code fraud is a systemic issue rooted in merchant onboarding vulnerabilities and governance shortcomings, not just a user scanning error.
  • Regulatory frameworks in APAC are shifting liability from consumers to the institutions (banks, telcos, and platforms) responsible for the ecosystem.
  • Effective fraud prevention requires real-time monitoring of merchant behavior and payee risk, rather than focusing on the QR code as the primary threat.

The Real QR Code Fraud Vulnerability

QR codes are just a delivery mechanism. The QR code fraud happens upstream of the scan:

  • Trust is inherited, not earned. People scan reflexively because QR codes feel as safe as a restaurant menu, a parking meter, or another harmless element we encounter in everyday life. That trust is exactly what fraudsters exploit.
  • Detection tools were built for text, not images. A QR code is a picture, so it sails past the filters built for links. Mimecast alone detected over 716,000 unique malicious QR codes in email in Q3 2025 which was up 13% from the previous quarter.2
  • Once it’s paid, it’s gone. Real-time settlement means there’s no chargeback safety net. A single scan can be a permanent loss.
  • The ecosystem shares almost no fraud intelligence. Card networks spent decades building collaborative fraud-signal sharing. Most QR/APM networks still don’t have it, so bad actors can move, layer, and cash out before anyone coordinates a response.

None of this is a QR technology failure. 

It’s a merchant onboarding and payment governance failure that happens to route through a QR code.

The Intelligence to Spot a Scam. The Speed to Stop It.

Traditional fraud signals fail when victims authorize payments themselves. Learn how Feedzai's machine learning-driven engine unifies transactional data, behavioral biometrics, and global network intelligence to deliver 75% scam detection with 9:1 false positive ratio.

Learn More

The Proof: TikTok’s Sub-Account Exposure

TikTok itself isn’t fraudulent. The platform, the brand, the trust are all real. Exposure happens in sub-accounts authorized to generate advertising QR codes. Fraudsters use those legitimate sub-accounts to generate payment codes, send them to victims posing as product deals or investment offers, and once paid, the funds landed as ad credits. Funds were next withdrawn as real money.

The lesson: a completely legitimate merchant can still be the vector, if the permissions and monitoring underneath it are weak. That’s not a QR code problem. That’s a sub-merchant governance problem and it’s the same shape of risk sitting inside plenty of “trusted” platforms today.

APAC Regulators Have Already Answered QR Code Fraud Liability

The region’s most advanced scam regulators aren’t asking consumers to scan a QR code more carefully. They’re assigning liability up the chain:

  • Singapore’s Shared Responsibility Framework (MAS/IMDA, live since December 2024) uses a “waterfall” model: the bank is liable first if it failed its fraud-surveillance duties, then the telco if it failed its duties, and only then does the loss fall to the consumer.
  • Australia’s Scam Prevention Framework (active since February 2025) puts equivalent obligations on banks, telcos, and digital platforms jointly, not on the person who clicked or scanned.
  • Malaysia’s Interoperable Fund Transfer Framework (BNM, enforced by June 2028): kills off closed QR networks, forcing transition to DuitNow QR to close cross-wallet blind spots. This complements existing BNM rules that place onboarding checks and monitoring duties on Merchant Acquirers.

None of these ask “did the user verify the QR code.” Instead they question “which institution in the chain failed its duty.” That’s the shift the rest of the industry needs to make.

What Actually Stops QR Code Fraud

  1. Monitor merchant behavior, not just transactions. A merchant issuing an unusually high volume of QR codes against a low completion rate is a signal we should acknowledge before a single QR code fraud report comes in.
  2. Watch the gap between generation and payment. Legitimate use is fast and predictable. Fraud campaigns show long, erratic gaps and concentration around specific payout wallets.
  3. Score the payee, not just the payer. Real-time monitoring needs to evaluate the recipient’s risk in-flight because once the payment clears, there’s no undo.

What We Need to Ask Ourselves

It’s time to stop asking how to make QR codes safer to scan. Instead, we should be asking who was allowed to create the code in the first place and who’s liable when they should have been stopped.

Australia, Malaysia, and Singapore have already built the regulatory logic to stop QR code fraud. The industry just needs to build the detection layer to match it.

Sources: Forrester APAC fraud analysis (via ISMG/BankInfoSecurity); APWG Q3 2025 Trends Report (Mimecast QR detection data); MAS/IMDA Guidelines on Shared Responsibility Framework; Australian Scam Prevention Framework, Competition and Consumer Act amendment (Feb 2025).

Additional Resources

Footnotes

1 https://www.forrester.com/report/top-trends-shaping-fraud-management-in-asia-pacific-2024/RES181378

2 https://docs.apwg.org/reports/apwg_trends_report_q3_2025.pdf

All expertise and insights are from human Feedzaians, but we may leverage AI to enhance phrasing or efficiency. Welcome to the future.

Page printed in July 15, 2026. Please see https://www.feedzai.com/blog/qr-code-scams for the latest version.