Quishing: fraud with QR codes – what new scams there are and how you can protect yourself

Quishing is a QR code scam in which criminals try to direct users to fake websites and trick them into revealing private data.

Quishing: How the QR code scam works

The term “Quishing” is a combination of “QR”, or quick response, and “phishing”, or “fishing for information”. In this scam, fake QR codes are used to obtain money and sensitive data from potential victims. According to Section 263 of the Criminal Code, the perpetrators receive a fine or a prison sentence of up to five years for each fraud. Quishing takes place in the following four phases.

  1. QR codes are distributed: Cybercriminals are increasingly sending fake QR codes not only via email, but also via SMS and WhatsApp messages and by post. Manipulated invoices and parking tickets are also appearing. Another new method is to cover up real QR codes with fake ones.
  2. QR codes are scanned: Once a potential victim scans the fake QR code with a smartphone, a fake but deceptively real-looking website opens.
  3. QR data is stolen: On this fake website, users are tricked into entering their personal data, especially their bank details and login details. Whenever the victims actually reveal their sensitive data, the trap snaps shut.
  4. QR data is misused: With the stolen data, cyber criminals can then make purchases at the victims' expense or empty their bank accounts, for example by using online banking.



New quishing scams

Cybercriminals are using increasingly sophisticated tricks to steal the private data of unsuspecting people. The following quishing scams are currently particularly common.

  • Fake postal letters: As a new scam, cyber criminals are sending perfectly faked letters that claim to be from the Association of German Banks or the Financial Group of German Savings Banks. Many customers consider these letters sent by Deutsche Post to be trustworthy and scan the QR code that comes with them.
  • Fake traffic tickets: In particular, people who park illegally receive deceptively real-looking parking tickets stuck behind their windshield wipers. To pay, you simply have to scan the fake QR code and follow the instructions there.
  • Covered QR codes: Real QR codes have been cleverly covered with fake ones on parking machines and electric charging stations. A particularly perfidious scam is one in which a fault is reported after the payment data has been entered. Only on the second attempt do the victims reach the operator's correct website and forget the first failed attempt.
  • Manipulated invoices: Hackers can hide fake QR codes in paper documents, especially in menus and invoices. Payment is supposedly only possible using these QR codes. Highly inflated costs are then deducted from the bank accounts of those affected, and not only on vacation.
  • Fake SMS and WhatsApp messages: Fraudsters are increasingly sending fake QR codes via SMS or WhatsApp. These messages are supposedly from well-known companies or public bodies. They claim that the recipients still have debts to pay and should use the QR code to do so.
  • Fake emails: In this long-standing scam, victims receive an email that appears to have been sent by banks or popular companies. Scanning the QR codes it contains and typing in personal data is supposed to solve the made-up problems.

How to protect yourself from quishing

Antivirus programs usually cannot detect fake QR codes. To detect these scams, you should use the following recommendations.

  • Remain suspicious. Unsolicited messages need to be checked particularly carefully and calmly. It is also important to check whether QR codes on charging stations or parking machines have been covered up. Remember that the scammers want to steal your money above all else.
  • Only scan trusted QR codes. If you receive QR codes from unknown or unsafe sources, you should check the sender carefully. Calling the official phone numbers, not those provided by the fraudsters, will usually provide clarity.
  • Check the Internet address (URL). First, check the URL of the website you are being redirected to. Newer smartphones help with this by automatically displaying the URL before opening the new website.
  • Use a QR code scanner app. On other smartphones without this built-in function, you should use an appropriate app that displays the URL in advance.
  • Verify the authenticity of the website displayed. Cybercriminals are developing increasingly better methods to make the fake websites look deceptively real. The original websites of the supposed senders are ideal for verification.
  • Do not click on any links on the new websites. Using unknown links on the websites that open can cause viruses to get onto your smartphone. In extreme cases, criminals will lock your phone and try to extort large ransoms. Therefore, you should check suspicious links beforehand.
  • Do not disclose confidential information. Please note that banks, savings banks, public institutions and payment services never request personal data via websites and QR codes. So you must not type bank details, passwords, email addresses, etc. into the websites that open.
  • File a report. In particular, you should report not only all attempts at fraud using QR codes, but also any suspected fraud to the police. The more criminal complaints are collected, the more effectively the relevant authorities can convict the criminals.
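
The URL check recommended above can be made concrete. The following is an added example, not part of the original article: it inspects the text decoded from a QR code before anything is opened and lists reasons for distrust. The function name, the finding labels and the sample domain `parking.example` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload, expected_domains):
    """Return reasons to distrust text decoded from a QR code (empty list = none found)."""
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").rstrip(".").lower()
    except ValueError:                      # e.g. malformed IPv6 brackets
        return ["unparseable"]
    findings = []
    if url.scheme.lower() != "https":
        findings.append("not-https")
    if "@" in url.netloc:                   # text before '@' is NOT the site name
        findings.append("userinfo-in-url")
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)          # a bare IP address instead of a name
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")   # may render as look-alike characters
    # Match on label boundaries so "evilparking.example" does not pass.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append("unexpected-domain")
    return findings

# Constructed samples; "parking.example" stands in for the operator's real
# domain, which must come from an independent source, not from the QR code.
EXPECTED = {"parking.example"}
SAMPLES = [
    "https://pay.parking.example/ticket/123",
    "https://parking.example.pay-now.test/ticket",
    "https://parking.example@login.test/",
    "http://203.0.113.7/pay",
    "https://evilparking.example/",
    "WIFI:S:guest;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample, EXPECTED) or "no findings")
```

An empty result only means that none of these checks fired; the website itself still has to be verified as described in the list above.
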
About author

As a tech enthusiast and writer for votoh.com, I focus on providing practical solutions for common issues related to iOS, Android, Windows, macOS, Office, Smart TVs, software, games, and hardware. With a passion for simplifying technology, I aim to make complex topics accessible to everyone, offering tips and troubleshooting advice to help users navigate the digital world with ease.