The scam starts with someone putting an item on an online sale website. That’s when the fraudsters pose as buyers and share the QR code to pay an advance or token amount. They then create a QR code and share it with the intended victim through WhatsApp or email.
Perhaps, their widest use is in the contactless payment ecosystem – ‘Scan the QR code below and pay’. A QR (Quick Response) code is a two-dimensional barcode that is easily read by smartphones – all you need is a camera and an app to read the code. While over-the-counter scanning poses less of a risk, scammers have found new, creative ways of deception. One way of doing this is by sending people texts like – ‘Congrats on winning Rs 20,000’ along with the picture of a QR code. The message will urge you to scan the code, enter the amount, followed by your UPI PIN to ‘receive’ the cash in your account. In this scam, gullible people believe that this will credit money in their account, but this does just the opposite. You don’t end up ‘receiving’ but actually ‘paying’ the fraudster the amount.
Another tactic is by embedding fake QR codes into a phishing email, text, or via social media. Upon scanning the bogus code, users are directed to websites with realistic-looking landing pages, where the victim may be prompted to log in by entering PII (personally identifiable information).
Public QR codes (like at fuel stations or kiosks) also pose a problem as cybercriminals may swap them by replacing their own QR codes over genuine ones to make money flow into their account. The problem is, there is no way of reading the information contained inside the code before exposing the device to the unsuspecting fraud. It’s critical to pay close attention, even to small details while making payments or transactions using QR codes. It is best to pay using these, only insecure and familiar environments. Remember that the risks of scanning an unknown QR are like clicking on links in unknown messages – treat a QR code like any other link – don’t follow it if you don’t fully trust the source. Once you scan the QR, a pop-up to view its embedded URL must emerge. If there is no URL, or if it seems like a shortened one (like bit.ly) – be cautious. It’s best to install a QR scanner that checks or displays the URL before it follows the link.
Immediately contact your bank and have them change your login credentials. You may also consider contacting the police and registering a formal complaint with the cyber cell or even an online complaint on the National Cybercrime Reporting Portal – cybercrime.gov.in.
Although the QR codes themselves are a secure and convenient mechanism, we expect them to be misused by cybercriminals in 2021 and beyond. Knowledge of QR code fraud may lag significantly today, but vigilance on our part will ensure the difference between the QR code being scanned and us being scammed.