It has been over 30 years since Japanese auto manufacturing company Denso Wave first used the quick response (QR) code. Initially, QR codes were used for high-speed scanning and tracking of components during the assembly process. However, as it happens with every new technology or design, fraudsters found ways to misuse QR codes to dupe people.
Interestingly, QR code scams proliferated during the Covid-19 period, mainly for fraud related to vaccination. Fraudsters simply printed malicious QR codes and stuck them over the original ones available in public. The bogus QR codes pointed to malicious sites created by fraudsters, mainly seeking payments.
Earlier this week, while speaking at a cybersecurity programme organised by Moneylife Foundation, cyber and privacy lawyer advocate Dr Prashant Mali shared how fraudsters are dropping into inboxes a letter or intimation from courier companies about a missed parcel delivery. These letters have a QR code to 'access delivery options', which actually leads to a malicious website that asks for personal and other details, potentially intending to garner money.
A similar intimation, purportedly from DHL, is being shared on X by several people. When checked (under sandbox conditions, read: secure), the QR code scan leads to a website that asks to fill in the waybill number. The next page says, 'You have exceeded the number of attempts for this shipment. pls contact customer service'. The link to customer service opens an authentic-looking page showing different contact numbers, which may or may not be related to the courier company.
There are several examples of people who have become victims of QR code scams. One V Venkata Ramana says he received a phone call and SMS from a person who requested to return money wrongly deposited into his account by scanning a QR code.
In a warning, @Cyberdost, the official X handle of the National Cyber Crime Reporting Portal (NCRP), says, "Scammers may use QR codes to trick you into visiting fake websites or asking for your login details and a small payment. Always be cautious before scanning a QR code."
Let us first understand what a QR code is and how you can save yourself from becoming a victim of QR code scams.
Basically, QR codes are just a series of black and white pixels arranged into a unique pattern that encodes a string of data or information. When scanned, the QR code pattern gets translated into human-readable information. Similar information can be obtained by using a linear arrangement in a barcode. However, you need a special device with a laser reader for barcode scanning. Also, since information is written both vertically and horizontally, QR codes can store more data compared with the linear design of barcodes. We will not go into the structure and patterns used in a QR code since it is technical information which is not required to understand scams.
While QR code technology has matured to provide new ways to engage customers, most QR codes (also called qcodes) are designed simply to transmit URLs or web links.
Scanning a QR code through the mobile camera lets you view a menu in a restaurant, get directions to a location in Google Maps, read more details about the product or service, download an app and initiate a payment transaction, among others.
Generally, QR codes are safe in terms of collecting personal data or hacking. However, a QR code is only as secure as the link it contains. Hackers can use malicious, spoofed QR codes to link people to dangerous websites containing phishing scams or drive-by malware that does not require any user interaction or authentication.
QR code scams involve the use of malicious QR codes to trick individuals into sharing sensitive information, downloading malware, or making unauthorised transactions. These scams exploit the convenience of QR codes, which are often used for payments, website links, or app downloads.
For example, in 2020, scammers stuck QR codes on parking meters in Austin in the US, supposedly for paying parking charges. However, the QR code led to a fake portal that took payments and stole the card details of the users. The victims not only lost money and personal data but were also fined for illegal parking.
Here is how QR codes are used by fraudsters:
Malicious Links: Scammers replace legitimate QR codes with their own, redirecting users to phishing websites designed to steal personal information, credentials, or payment details.
Fake Payment Requests: Fraudsters use QR codes to request payments, often posing as legitimate businesses or service providers. Many cybercriminals, especially from India, pretend to have sent payment wrongly and demand a refund by scanning a QR code which allows them to siphon money from the victim's account.
Malware Downloads: Scanning a QR code could prompt the download of malicious software, compromising your device.
Overlay Scams: Scammers place fake QR code stickers over genuine ones in public places like restaurants or parking meters.
Here are a few suggestions to protect yourself from QR code scams:
Verify the Source
Ensure the QR code comes from a trusted and reputable source.
Avoid scanning codes from random flyers, posters, or unsolicited emails.
Inspect the QR Code
Look for signs of tampering, such as a sticker overlay.
If it's placed in an unusual location, question its legitimacy.
Use a QR Scanner with Security Features
Some apps show the URL before opening it, allowing you to verify its authenticity.
Avoid apps that automatically download files or initiate financial transactions.
Check the URL Carefully
After scanning, confirm the website address looks legitimate before taking any action.
Be cautious of shortened URLs in the QR code, as they can hide the true destination.
Avoid Sharing Sensitive Information
Never enter personal or financial details on websites accessed via unverified QR codes.
Legitimate organisations typically do not request sensitive and personal information via QR codes.
Use Secure Networks
Avoid scanning QR codes or performing transactions over public Wi-Fi.
Report Suspicious QR Codes
Notify the establishment or relevant authority if you suspect a QR code has been tampered with or replaced.
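The checks listed under 'Check the URL Carefully' can be run on the text a scanner decodes, before anything is opened. The following Python is an added example, not part of the original article; the shortener list, the courier.example domain and the sample payloads are constructed, and the upi://pay branch assumes the UPI payment-link format used for payment QR codes in India.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Assumption: a short illustrative list of link-shortener hosts, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

def inspect_qr_payload(payload, expected_domain=None):
    """Return a list of warnings for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme == "upi":
        # A payment QR only ever makes the scanner pay; it cannot receive money.
        query = parse_qs(parts.query)
        payee = query.get("pa", ["unknown"])[0]
        amount = query.get("am", ["unspecified"])[0]
        return [f"payment request: you would PAY {amount} to {payee}"]
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme: {scheme or 'none'})"]

    warnings = []
    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("no TLS: link uses http, not https")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the site; real host is " + host)
    if host in SHORTENERS:
        warnings.append("shortened URL hides the true destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible look-alike domain")
    if expected_domain:
        expected = expected_domain.lower()
        # Only the exact domain or its subdomains count as a match.
        if host != expected and not host.endswith("." + expected):
            warnings.append(f"host {host} does not belong to {expected}")
    return warnings

if __name__ == "__main__":
    samples = [  # constructed payloads
        "https://tracking.courier.example/options",
        "http://courier.example.parcel-redelivery.example/waybill",
        "https://courier.example@203.0.113.7/pay",
        "upi://pay?pa=refund@examplebank&pn=Refund&am=5000&cu=INR",
    ]
    for s in samples:
        print(s, "->", inspect_qr_payload(s, "courier.example") or "no warnings")
```
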
By staying vigilant and adopting these practices, you can significantly reduce the risk of falling victim to QR code scams.
Stay Alert, Stay Safe!
How To Report Cyber Fraud?
Do report cyber crimes to the National Cyber Crime Reporting Portal http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.
Also, govt should also educate aam aadmi on this through media etc. for normal person to not get fooled by spurious QR. When govt is pushing for digital payments, then definitely one has to safeguard from this menace, and govt should step in and educate public on the usage and what safeguards ordinary person needs to take before doing the payment by clicking on the QR code, at the earliest, before it becomes pandemic.