
My name's Ellie. I'm a final year psychology uh PhD student here at Lancaster. My project is a little bit different kind of to what you might expect a psychologist to be studying, but I look at how people engage with QR code technology to understand how we could be vulnerable to QR code scams. So, I'm just going to start off by giving you a little bit of a warning as I do with every talk that I give because once you've spoken to me about my PhD project, you'll never look at QR codes in the same way. And you'll leave here today and you will notice that they are absolutely everywhere and even just in Rob's talk then how many QR codes were
on screen. So, so I'm just going to start off by giving you a little bit more information about QR codes and QR code scans. So QR codes have been around since the 1990s. They were created by Denzo Wave to make the tracking of vehicle parts more efficient during vehicle manufacturing. But with the COVID 19 pandemic, they had a bit of a resurgence where they facilitated a lot of contact services where that was in retail with um in restaurants ordering food or NHS track and trace. Since then their popularity has seemingly continued as kind of organizations had recognized their efficient and lowcost properties. Um so they are now kind of heavily integrated into our everyday digital environments
um and are involved with our personal and financial data. This makes them a very lucrative target for scams. So the QR code scam I'm going to be focusing on today is QR code fishing or quishing. And this happens when um the pattern of black and white pixels is altered to send users to an alternative fishing website that is designed to steal their personal or financial information um under a genuine guise. Um two really common examples of QR code scams are on screen and they are in car parks. So typically scammers kind of target public settings to you know get a a wide range of people basically. Um, so the image on the right is actually um
taken from the BBC and this was a woman who in the northeast of England went to pay for parking, scammed a malicious QR code and she lost £13,000. Just to show that this is not just a global issue, a national issue, this is also becoming a regional issue. And the image on your left is from taken from Living St. An's on the file coast. Action fraud reported that3.5 million pounds was lost to QR code fraud between April 2024 and April 2025. But that's obviously only people who reported it, right? This figure is likely to be a lot higher than that. Unlike other fishing methods such as email and text, QR codes lack fraudulent cues like grammatical errors and
spelling mistakes, making them very difficult to detect. This is obviously concerning for all users, but particularly um for older adults who can be more susceptible to technology based fraud and can find it quite difficult to navigate different digital interfaces. current approaches aim to kind of um attack QR code scams focus on the technology itself making it more secure whether that's through kind of digital watermarking or kind of encrypting the QR codes themselves or developing kind of secure QR code readers um and whilst this is definitely kind of an important avenue to develop you know technology is essential to our security there is a concern that these approaches might not be accessible for everybody so people
who have poor digital literacy skills. So for example, older adults. And this led Becca Bakatel in 2024 to propose a new user centered approach to QR code scams through the design of a QR code itself. So by adding additional features to QR codes like transparent backgrounds and um kind of illustrations and logos, we make it more difficult for scammers to simply cover up or copy a QR code and make it easier for users to detect signs of alterations. But there's a lack of empirical evidence of how effective these strategies are and in particular if people would even engage with QR codes that look different because if people don't use these QR codes it's um effectiveness is limited.
So this is the third paper of my PhD and it looked at investigating whether these kind of secure QR code presentations proposed by Becca um how people kind of engage with them. Do people like to scan these QR codes and whether individual differences in user demographics like age, um, gender, QR code experience influence how people scan them. To ultimately speak to kind of the main objective is actually can these QR code designs be used as a viable approach in the real world. So to do this I recruited 129 participants uh 65 um younger adults and six 64 older adults and they took part on campus. So before I go over the methodology of the study itself, I'll just kind of go
over the concept of the designs. So the genuine QR codes um kind of um incorporate some of the defensive strategies that Becca proposed. The first one is just a standard QR code. It's what we all typically know a QR code to look like. In this study, it very much acts as a bit of a control. The second one is a transparent um a QR code with a transparent background. And like I said, the easiest way for scammers to kind of catch us out is by sticking a fraudulent QR code on top of a genuine one. So the idea behind this is that by kind of having a QR code that initially has transparent background, someone comes along with a sticker with
a solid white background to it, it's easier for users to kind of identify that hang on, this might not actually be the initial QR code that is supposed to be here. Similar thing with kind of the safe logo design. So, by adding kind of a logo in the middle and a hat and kind of illustrations around it, we're not only making it look a little bit cooler, um, but we're making it harder for them to simply just cover up or copy. In our study, we also included fraudulent attacker tactics to see how people kind of engage with it. We really don't know how people are responding to kind of QR code scams. So, the first one
is a real basic attacker tactic. It's a stuck over QR code. This is the most This is the most common thing attackers do. In our study, it was actually physically overlaid, so there was signs of like a corner peeling, for example. The second one was a misaligned QR code. Now, this is to reflect that often, especially in public settings, scammers aren't hanging around long enough to get caught. So, the chance of them putting a QR code on that's perfectly aligned with the information already on there is quite slim and is something that users can look out for. The last one is a more sophisticated attacker tactic. So this is where attackers would try and kind of
copy what a legitimate company's doing with logos for example, but it's not quite been executed to the same uh same extent. So for example, it's hard for you to see on these slides, but um the logo is slightly blurry and of low pix uh pixel quality and the hat is actually behind the QR code itself, not incorporated in part of the design to kind of signify that there is an overlay QR code on top. It was a bit of a weird activity, but um participants came in and they were given an iPad. These QR codes were around the room and they were told that there was a series of QR codes. Some are genuine and
will give you points if you scan it, but some are fraudulent and will take points away. Your decision, your uh task today is to scan as many QR uh to scan QR codes around the room to get as many points as you can in the least amount of time. Two rules. They had to scan at least one of the six QR codes, but apart from that, it was completely up to them how many more they then chose to scan. And if they found that one was genuine, they couldn't scan the same one more than once. They were videoed during this activity so that we could monitor different levels of QR code engagement behavior. And um once they scan the QR code, they
had to input how confident they were that that QR code they chosen to scan was a legitimate one. Afterwards, we asked them kind of some short interview questions to understand what was going through their head when they were kind of choosing whether or not to scan QR codes. So, now on to the interesting bit, which is the results. Um, so no surprise, the standard QR code received the highest level of engagement at 91%. The primary reason for this, it was familiar, what people were used to seeing, which signaled trust and kind of that's why people wanted to scan it. The transparent QR code received less engagement. So just over 50%. The primary reason people did not want to
scan this QR code was actually concerns over its functionality. So they didn't think without the contrast of the white and black that a QR code would even work. So that's why they didn't bother scanning this at all. Others who did scan it just thought it looked quite professional. And if I'm honest, a lot of people actually didn't notice it didn't have a white background to it in the first place. The safe logo design um received slightly lower engagement. Again, some people thought it looked really professional and they quite like the quirkiness of it, but others again were concerned that by having additional things on the QR code, it would interrupt the code from working. Um, and
that kind of fostered feelings of uncertainty and they thought, "Yeah, no, I'm not sure." And they kind of just didn't trust it. Moving on to the um fraudulent results, and I have to admit, a lot more people scan the stuff over one than I was anticipating. So, over 50% of people still scan stuff over one. The primary reason because it looked like the ones they're used to seeing. It looked like the standard QR code, which is exactly what scammers go for. Some people did notice it was tampered with straight away and then immediately they were like, "Yeah, no, I don't like the look of that." The misaligned one received slightly lower engagement again. Um, some people straight away thought, "That
does not look professional. Why is it wonky? Why would someone put time and effort into creating something and it'd be wonky?" And they just walked away from it. Interestingly, some people put it down to human error. So, some people thought, "Oh, well, someone obviously just made a mistake." That is concerning because if people do that in real life, that could mean they're extremely vulnerable to QR code scams. And lastly, the mirrored logo actually received the lowest level of engagement. This is probably again to reflect the novelty that people just aren't quite used to seeing QR codes with kind of additional things as well as kind of concerns over the function of it. um other people
actually wanted to span it because um it contained the full university um title rather than just the crest and for them that signaled legitimacy. So in terms of our objectives, what does this tell us? So does QR code presentation affect QR code engagement behavior? Absolutely. people were significantly more likely to scan the standard um black and white QR code than any of the other five QR code presentations and they were more likely to scan it significantly earlier on in the task. They were immediately drawn to it because it was familiar to them. But the important thing is there was no significant difference between the other QR code designs. Whether that was QR codes that are designed to keep them
safe or QR codes that represented attacker tactics, people engaged with them in similar levels. Do individual differences in user demographics affect QR code engagement behavior? Although we did see discrepancies between kind of um older adults and younger adults engagement rates, this wasn't significant. So age, gender, or QR code experience didn't matter. People kind of scan them similarly. Most importantly, can these QR code designs reduce scam susceptibility? Well, our findings highlight that um users are less likely to scan QR codes that look different to a standard black and white QR code. Therefore, the effectiveness of this approach is fairly limited. Kind of speaking to participants and having that interview data, it suggested that in order for this approach to
become more viable, we need to expose users more to QR codes that look different so they become more familiar with them. We need to educate more people about QR code technology and how they work and how these kind of alternative designs work to kind of eradicate feelings of it's not going to work, therefore I'm not scanning it. Um because that's the only way you're kind of going to improve user engagement. What the study did highlight is people are really not aware of QR code scams. They don't know what they are. They don't know what to look out for. And this is concerning because Q the prevalence of QR codes is going to increase. QR code scams are going to
continue being a problem. Um, but also if you think about digital exclusion, right? If kind of the information that's delivered by QR codes is going to increase in the future, if people aren't willing to engage with QR codes, particularly older adults and those kind of populations, we're not just kind of excluding those people. Um, you know, but it also speaks to kind of the scam susceptibility. Um, do I think there is a one-sizefits-all approach when it comes to QR code solutions? No, absolutely not. User centered approaches like this are important and I do think it is an avenue that we need to develop because you don't need kind of specialized technological tools to to identify
tampering. But it does highlight that we do also need to kind of have a multifaceted approach of education to kind of talk to people about QR codes, tell them more about QR code scams. But we also need to make sure um the technologies out as well because you know are sophisticated. Um humans aren't kind of miracle workers. We do need the technology to back us up. Um I'd like to thank you for listening. Um I hope I've not put you off QR codes too much in the future and I'd be happy um to answer any questions either now or later on.
That was great, wasn't it? Um, we just got a few minutes before the next talk. So, so Ellie's happy to answer any any questions. Um, >> so I'm los to scan through our codes most of the time, >> but because they do show up now in the camera with URL, >> um, we'll probably scan what it says. >> Yeah. >> The problem with then is the QR codes will refer to a URL short >> which again takes away the clues that we might have. Look at say does that seem legit? >> Yeah. So any ideas on you know in the interfaces we use to scan those codes there's some way we can perhaps make that initial scan have something in it
that helps us recognize this is legit or not. >> Yeah. No that's a valid concern and that's what makes QR code scams so successful right you know there's constant barriers for us actually to be able to tell if it's legitimate or not. That is certainly one of them. Um there are kind of technological solutions or applications that have been developed to try and kind of show people the full URL. The issue we have is that scammers are bank like you know catching on to this. They will kind of use URL shorteners or they will use URLs that purposely are different to the actual destination of the QR code. It is important that people check a URL still
but we can't just be relying on what we see. You know this is where technology is going to have to improve that. Honestly, speaking to it, there isn't a technological solution there at the minute that is solving the problem, which is why we kind of need to look at avenues like the design of a QR code. Yeah, it's not going to solve everything, but even if it just makes you think, even a split second before scanning it, going, "Hang on a minute." Right? Just feel, this is my biggest advice, feel over the top of a QR code. You might seem really silly and no one else does it, but just run your hand over a QR code. Check that it is
actually part of the material it's printed on. If you feel a slight ridge, chances are it shouldn't be there. Does it look slightly wonky? Does how does it look with the overall presentation? Those are the cues that we need to do even before scanning it and those can kind of help us. But to speak to your question, I don't we don't have a solution at the minute. Um scammers are one step ahead of us with that. Um and are clever. We do need to develop strategies for that, but you'll be surprised through my research how many people actually don't even check a URL. They just go straight to it. Um, sorry we're running a little bit um
behind schedule. So if you got any questions fairly later all day um >> thank you so much again. Welcome