QR code scam can clean out your bank account

QR code scams are making a comeback

Just when we thought the QR code was on its way out, the pandemic has led to a return of the scannable shortcut. COVID-19 has meant finding a digital equivalent to things normally handed out physically, like menus, tour guides, and other paperwork, and many organizations have adopted the QR code to help with this. And so, it would seem, have criminals. Scammers have dusted off their book of tricks that abuse QR codes, and we’re starting to see new scams. Or maybe just old scams in new places.

What is a QR code again?

A quick recap for those that missed it. A Quick Response (QR) code is nothing more than a two-dimensional barcode. This type of code was designed to be read by robots that keep track of items in a factory. As a QR code takes up a lot less space than a legacy barcode, its usage soon spread.

Smartphones can easily read QR codes—all it takes is a camera and a small piece of software. Some apps, like banking apps, have QR code-reading software incorporated to make it easier for users to make online payments. In some other cases, QR codes are used as part of a login procedure.

QR codes are easy to generate and they are hard to tell apart. To most human eyes, they all look the same. More or less like this:

QR code

Why are QR codes coming back?

For some time, these QR codes were mainly in use in industrial environments to help keep track of inventory and production. Later they gained some popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people couldn’t tell from a QR code where scanning would lead them, so they got cautious and QR codes started to disappear. Then along came the pandemic and entrepreneurs had to get creative about protecting their customers against a real life virus infection.

To name an example, for fear of spreading COVID-19 through many people touching the same menu in a restaurant, businesses placed QR codes on their tables so customers could scan the code and open the menu in the browser on their phone. Clean and easy. Unless a previous visitor with bad intentions had replaced the QR code with his own. Enter QR code scams.

Some known QR code scams

The easiest QR code scam to pull off is clickjacking. Some people get paid to lure others into clicking on a certain link. What better way than to replace QR codes on a popular monument, for example, where people expect to find background information about the landmark by following the link in the QR code. Instead, the replaced QR code takes them to a sleazy site and the clickjacking operator gets paid his fee.

Another trick is the small advance payment scam. For some services, it’s accepted as normal to make an advance payment before you can use that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals that are happy to receive these small payments into their own account.

Phishing links can just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. So, for example, if someone is expecting to login to start a payment procedure or to get access to a certain service, the scammers may place a QR code there. We’ve also seen phishing mails equipped with fraudulent QR codes.

The email shown above instructed the receiver to install the “security app” from their bank to avoid their account being locked down. However, it pointed to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still some people fell for it.

Lastly, there’s the redirect payments scam, which was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment. It’s yet another scam that demonstrates that QR codes are too hard for humans to read.

How to avoid QR code scams

There are a few common sense methods to avoid the worse QR code scams:

  • Do not trust emails from unknown senders.
  • Do not scan a QR code embedded in an email. Treat them the same as links because, well, that’s what they are.
  • Check to see whether a different QR code sticker was pasted over the original and, if so, stay away from it. Or better yet, ask if it’s OK to remove it.
  • Use a QR scanner that checks or displays the URL before it follows the link.
  • Use a scam blocker or web filter on your device to protect you against known scams.

Even if the mail from a bank looks legitimate, you should at least double-check with the bank (using a contact number you’ve found on a letter or their website) if they ask you to log in on a site other than their own, install software, or pay for something you haven’t ordered.

As an extra precaution, do not use your banking app to scan QR codes if they fall outside of the normal pattern of a payment procedure.

Do I want to know what’s next?

Maybe not, but forewarned is forearmed. One method in development to replace QR codes on Android devices is the Near Field Communication (NFC) tag. NFC tags, like QR codes, do not require an app to read them on more modern devices. Most of the recent iPhones and Androids can read third-party NFC tags without requiring extra software, although older models may need an app to read them.

NFC tags are also impossible to read by humans but they do require an actual presence, i.e. they can’t be sent by mail. But with the rise in popularity of contactless payments, we may see more scams focusing on this type of communication.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.