ScamWatch

If you feel you're being scammed in the United States: Contact the Federal Trade Commission (FTC) at 1-877-382-4357 or report online at reportfraud.ftc.gov

Small Business Alert: Prevent QR‑Overlay, Fake Invoices & Payment Redirects


Why small businesses should care now

Scammers have weaponized QR codes and supplier impersonation to steal payments from small businesses. "Quishing" (malicious QR codes) surged recently and has been flagged by multiple security trackers and news outlets as a fast-growing vector for phishing and direct payment theft.

At the same time, Business Email Compromise (BEC) and vendor‑invoice fraud — where attackers request payment to a new bank account or altered payment details — continue to cause large losses across organizations of all sizes. The FBI and financial regulators emphasize verifying any change to vendor payment instructions through independent channels.

This guide gives small businesses practical, low‑friction safeguards you can implement today: quick checks for QR codes, an invoice‑change verification flow, email red flags to watch for, policy templates, and immediate response steps if you suspect fraud.

Core safeguards: Preventing QR‑Overlay and Quishing

Physical and digital QR codes are easy to tamper with or replace. Use these controls to reduce risk:

  • Treat all unsolicited QR codes as untrusted. Never scan a QR code embedded in an unexpected email or SMS. For printed codes (menus, posters, labels), check for fresh stickers or uneven edges that indicate an overlay.
  • Use tamper‑evident QR labels and signage. Apply tamper‑proof stickers or place codes in sealed frames where overlays are visible. Rotate printed codes periodically and avoid single, permanent placements for payment links.
  • Lock down POS QR destinations. Where possible, host payment landing pages on domain names you control and use short, fixed URLs that match your branding. Avoid service providers that allow dynamic redirects without a contract or audit log.
  • Safe‑scanning workflow. Train staff to check the URL that appears after scanning before entering credentials or submitting payments. If a QR code leads to a sign‑in page, pause and verify the sender via a known phone number or portal first.

Security and news outlets have documented notable quishing incidents and recommend treating QR scans the same way you treat clickable links: verify before authenticating or paying.

Vendor‑Invoice & Payment‑Redirect Controls (practical checklist)

Vendor payment redirect scams exploit routine bookkeeping processes. Implement the following verification flow to stop fraudulent changes before funds move.

Mandatory controls (apply to every payment over your risk threshold)

  1. Two‑person approval: No wire or ACH payment above the threshold (set a number appropriate for your business) should be sent without review and approval from two authorized people.
  2. Out‑of‑band verification: If a vendor requests a change to bank details, verify using a phone number from your vendor master record (not the phone number in the invoice email). Call a previously used number or visit the vendor portal to confirm. FinCEN and other advisories specifically recommend multi‑channel verification for payment instruction changes.
  3. Vendor onboarding & re‑verification: Keep a verified vendor contact file with authorized approvers and account numbers; re‑verify annually or after any long inactivity.
  4. Invoice validation checklist: Check for mismatched invoice numbering, unexpected rush language, generic greetings, or slight domain typos in sender addresses. If in doubt, ask for a PDF of the original contract and verify via phone.
  5. Lock payment channels: Prefer ACH with memos or invoice IDs (rather than wire transfers) where dispute and reversal paths exist. Ask your bank about fraud‑hold features and confirmation windows.

Quick email/technical checks

  • Inspect email headers for domain inconsistencies and check SPF/DKIM/DMARC pass/fail where available in your mail client or security gateway.
  • Be suspicious of replies from new addresses that otherwise look like existing vendors (look for extra characters, homograph tricks, or one‑letter differences).
  • Keep vendor directories in a central, access‑controlled system and avoid ad‑hoc spreadsheet edits that bypass approvals.
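As an added example (not code from the original guide or from any vendor product), a Python triage script that implements the quick email checks above together with the QR destination check from the quishing section: it compares the sender domain to the vendor master record, flags homoglyph and one‑letter lookalikes, reads the SPF/DKIM/DMARC results from the gateway's Authentication-Results header, and allowlists the branded host a scanned QR code should resolve to. The vendor record, branded host and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed data (assumed, not the page's): vendor master record, branded QR hosts, sample mail.
VENDOR_MASTER = {"Acme Supply": "acmesupply.com"}
BRANDED_PAYMENT_HOSTS = {"pay.example-shop.com"}
SAMPLE_INVOICE_EMAIL = """From: Acme Supply Billing <billing@acrnesupply.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=acrnesupply.com; dkim=none; dmarc=fail

Please update our bank account immediately. Remit to the new account ending 9903."""

def normalize(domain):  # fold lookalike substitutions: rn->m, vv->w, digits for letters
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))

def levenshtein(a, b):  # edit distance, catches one-letter differences
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_verdict(seen, expected):  # 'match', 'free-mail', 'lookalike' or 'unknown'
    seen = seen.lower()
    if seen in expected:
        return "match"
    if seen in {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}:
        return "free-mail"
    close = any(normalize(seen) == normalize(e) or levenshtein(seen, e) <= 2 for e in expected)
    return "lookalike" if close else "unknown"

def triage_invoice(raw_email, vendor):  # red flags to show the approver before paying
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    auth = {m.lower(): r.lower() for m, r in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)}
    verdict = domain_verdict(domain, {VENDOR_MASTER[vendor]})
    flags = [] if verdict == "match" else [f"sender-domain:{verdict}"]
    flags += [f"{m}:{auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if re.search(r"\b(urgent|immediately|today)\b", msg.get_payload(), re.I):
        flags.append("rush-language")
    return flags

def qr_destination_verdict(url):  # QR landing page must be https on an exact branded host
    p = urlsplit(url)
    return "not-https" if p.scheme != "https" else domain_verdict(p.hostname or "", BRANDED_PAYMENT_HOSTS)
```

Any non-empty flag list means the payment is held and the vendor is called at the number in the master record, never the one in the email.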

One‑page verification table (use at point of payment)

Risk | Why it matters | Immediate action
New bank account on invoice | Common method to redirect funds to criminals | Call vendor at certified number; hold payment until confirmed
Invoice from free email (Gmail/Yahoo) | Could be spoofed or from compromised account | Verify sender and invoice number vs. system record
QR code for payment | Scannable link may redirect to malicious payment page | Confirm destination URL; scan only with staff training; use branded domains

Industry banks and fintechs publish similar step‑by‑step advice — for example, business finance blogs and payments providers recommend explicit phone verification for any change to payment routing.

Incident response: If you suspect a scam

Act quickly — the sooner you act, the better the chance of recovery.

  1. Stop further payments.
  2. Contact your bank immediately.
  3. Report the crime. File a complaint with the FBI IC3 (Internet Crime Complaint Center) and your local FBI field office for BEC or large losses; report scams and consumer/business‑targeted fraud to the FTC.
  4. Preserve evidence.
  5. Notify affected vendors.

Sample verification script (email/phone)

Use a short, consistent script when verifying: “Hello [Vendor name], we received an invoice dated [date] asking us to pay to a different bank account. We’re calling to confirm this change. Can you confirm the bank account and the person who authorized it?”

Finally, train staff and run short phishing/quishing drills quarterly. Make the verification flow friction‑minimal for honest vendors but mandatory for any payment‑detail changes. Regulatory guidance and industry advisories repeatedly emphasize independent verification as the most effective prevention for these scams.

Where to get help and report: FTC consumer/business resources (scam guidance and reporting) and the FBI/IC3 for law enforcement escalation are primary reporting routes for U.S. businesses.

Takeaway: Make verification routine — not optional. A short, enforced checklist for any payment‑detail change combined with tamper‑evident QR practices and basic email hygiene will stop most quishing and vendor redirect attempts before money moves.