“Excuse me sir, can I ask you for a favor? I want to pay for parking my car in this spot, but there are no machines around that accept cash. If I give you five dollars in cash, can you pay the parking for me? All you need to do is scan this QR code with your banking app.”

Of course, John felt the need to help this person, but since no good deed goes unpunished, he came home only to find that every penny he had in his bank account had vanished. So, all he had to last him through the rest of the month was the fiver in his wallet.

A week ago, one of the Netherlands' local police departments issued a warning that this type of scam was making the rounds. Meanwhile, two suspects have been apprehended after robbing dozens of people and amassing tens of thousands of Euros.

As far as the police know, these scammers have been active in two cities so far. They left the first city behind when the police started to hand out flyers about the parking scam. And they were caught red-handed in the second city. It may have helped that some of the potential victims had read the warnings by police on social media. These were issued along with warning signs posted on the parking lots and flyers handed out that provided details about the scammers and a request to call the police if anyone saw them at work.

But in case criminals using this tactic are active in other European or US cities, we wanted to bring this particular scam into light.

What is a QR code exactly?

A QR (Quick Response) code is nothing more than a two-dimensional barcode. This type of code was designed to be read by robots that keep track of produced items in a factory. As a QR code takes up a lot less space than a legacy barcode, its usage soon spread.

Modern smartphones can easily read QR codes, as a camera and a small piece of software is all it takes. Some apps, like banking apps, have QR code-reading software incorporated to make it easier for users to make online payments. In other cases, QR codes are used as part of a login procedure.

QR codes are easy to generate and hard to tell apart from one another. To most human eyes, they all look the same. More or less like this:

UL to my contributor profile here

Even if we can spot any differences, we are unable to see what they stand for, exactly. And that is exactly what this scam banks on. To us, they all look the same—one payment instruction for five dollars looks just like any other.

How does this scam work?

Basically, it does the same as when you would enter your login credentials on a banking phish site. The scammers used social engineering to con victims into allowing them to scan the QR code on their own phone. By doing so, the victims provided the scammers with the login credentials to their banking environment.

With those in hand, it's easy for the threat actors to make some payments on your behalf—into accounts under their control, obviously. It is likely that they used money mules to convert those payments into cash they could then spend freely without raising suspicion.

Other QR scams

Besides the fake banking environment scam, there have been reports of QR codes that were rigged to download malware onto the victim’s device. Also, criminals have been known to replace public and unguarded QR codes with their own so that payments would flow into their pockets.

For example, in China where bike-sharing is immensely popular and you pay in advance to unlock the bike, it can be profitable for criminals to replace the QR codes on a large number of bikes with some of their own. This could bring in a lot of (small) payments into the threat actor's account, and many potential bike renters would shrug it off when the bike fails to unlock and move on to the next one to try their luck.

How can I protect myself?

There are a few things users can do to keep safe from QR code scams:

  • If you are using QR codes to make a payment, pay close attention to the details shown to you before you confirm the payment.
  • Use QR code payments only in circumstances that you consider normal. Don’t be rushed or talked into paying in a way that you are not completely familiar with.
  • Alarm your bank and work with them to change your credentials as soon as you suspect foul play.
  • Treat a QR code like any other link. Don’t follow it if you don’t know where it originated from, or if you don’t fully trust the source.
  • If you are using a QR code scanner or thinking about installing one, consider using one that uses built-in filters. Or, you can use it in combination with security software that blocks malicious sites, because every QR code scanner I have seen automatically takes users to the link it reads from the QR code.

To users, QR codes offer an advantage over having to type out a full URL in a browser address bar on their device. So to advertisers, this results in a higher turn-around and forgoes the need to use URL-shorteners.

But QR codes have one problem in common with the shortened URLs: Users cannot immediately see where the link is going to lead them. And that is where the problem lies and what offers criminals the chance to abuse the technology.

Luckily for John, his bank reimbursed him for the damages, but you can imagine the hassle he had to go through and how stupid he felt for falling for such a scam. But not every bank in every country will reimburse you fully for being scammed, so other victims may end up drawing the short straw.

Stay safe, everyone!