Share on Social

A person scanning a QR code to board a public transit bus.

Fast Ride

  • Quick Response (QR) codes are a convenient, safe, and contactless way to share information about products and services
  • Transit providers can use strategic marketing campaigns to educate riders about how to protect themselves from QR code phishing scams
  • Informing riders about data collection policies, URL red flags, and signs of QR code tampering will increase their awareness of malicious websites

There was a moment in time pre-pandemic when it felt like Quick Response (QR) codes were going the way of Zune, MapQuest, TiVo and other tech innovations that had long passed their expiration date. Ask your average person the last time they used their smartphone to scan a QR code prior to the pandemic, and you’d probably spend the rest of the day explaining what a QR code actually is.

When COVID-19 introduced us to “pandemic life,” and fast contactless experiences became a necessity, the QR code became useful. Scanning a QR code became the first step for people to order food at a restaurant or review a vehicle’s CarFax report at a dealership. Because these jumbled black and white boxes are now synonymous with best practices for public health, as well as being low-cost and user-friendly, they are essential for many customer-facing industries and services.

QR Codes and Transit

Transit is riding the QR train (bus?), so to speak. Transit providers use QR codes to support mobile ticketing, share schedule information, communicate passenger safety protocols, and more. Walk down a city street and you’ll see QR codes on bus stops, micromobility hubs, and parking meters. QR codes (which can be made using a QR Code generator) are a great tool to share information with riders.

But, like any popular tech innovation, adopting QR codes comes with risks and vulnerabilities for both transit providers and riders.

In December 2021, San Antonio police notified residents about suspicious QR codes plastered onto parking meters that phished personal information from anyone who scanned them. Sure enough, a similar scheme was discovered in Austin and Houston weeks later. Now the FBI has joined the conversation, warning the public about how a simple criminal tactic can lead to severe consequences for victims.

As a transit provider you may be saying to yourself, “This is why we can’t have nice things.” 

How to Protect Your Riders From QR Code Scams

While using QR codes as part of your service means your riders are susceptible to malicious activities like phishing or malware, there are topics and strategies you can use in your next rider safety communication plan to keep their personal data safe:

  • Be transparent about the data you collect. Tell riders what information you collect when they use a QR code to access the bus schedule or pay for a ticket. Data collection transparency will help riders identify questionable requests for their personal information after scanning a QR code. Why would you need a social security number to know when the next bus will arrive?
  • Encourage riders to use their built-in QR scanner. Smartphones have built-in QR scanners that are linked to the camera. These scanners will first display the URL before opening a website, which helps users identify whether or not the URL is malicious. Be wary of the hundreds of third-party QR scanners available on the App Store or Google Play. Many third-party QR scanners are glorified adware, and tend to sacrifice safety for speed by automatically taking users to a site without verifying the URL.
  • Educate riders about URL red flags. Phishing URLs may contain misspellings, strange domain names (e.g., dot-zyx instead of dot-com), and/or missing SSL certificates (i.e., when those “not secure” warnings pop-up on your browser). Explain these red flags next to your QR code so your riders can protect themselves.
  • Watch for signs of tampering.  If something looks odd — peeling, discoloration, placement — then it’s best to stay away. QR code phishing is a crime of convenience. Try to make it difficult for someone to tamper with your QR code. If your QR code is printed on a bus stop poster, place it in a frame so that it is easier for riders to see if a sticker has been placed over it.
  • Preach the importance of smartphone updates. While the tips above will boost your riders’ digital safety, the reality is that no one is perfect. One accidental push of a button can result in malicious code breaking through a strong digital defense. Smartphone software and apps with the latest security patches ensure that one-time accidents do not become permanent catastrophes.

Tell us how your transit system uses QR codes to inform your riders! Connect with us to learn about how safe and secure QR codes can be implemented into your transit system.