Convenient and easy to use, QR Codes have become a popular shortcut to services, information and payments. But a code can be tampered with by scammers, and a manipulated code can lead to the unintentional disclosure of confidential and banking data, or to money being sent straight to fraudsters.
A code, physical or digital, is no more trustworthy than a link. QR stands for "quick response": the code is read almost instantly by the camera of most smartphones, which makes it hard for the user to notice that the address being opened is a malicious one.
“When most people see a QR Code, their first instinct is to scan it, and they usually don’t take the time to think about what they’re doing. Scammers rely on it,” says Len Noe, an expert at the security firm Cyberark.
But physical and digital QR Codes alike can be manipulated or swapped, whether by a person or by malware (malicious software that infects smartphones, tablets and computers).
“Anyone can place a malicious QR Code sticker”
“In general, keep in mind that in a public place, anyone can place a malicious QR Code sticker,” warns Noe, who works as an ethical hacker (a “white hat”) identifying vulnerabilities.
A payment QR Code in a shop, for example, can be covered with a sticker whose code makes the customer transfer the money to a different account.
The expert also notes that anyone can download company and government logos from the internet or tamper with a physical code, so a logo is not what gives an offer or payment slip its authenticity.
Scammers also use subtler methods. Emilio Simoni, chief security officer at Psafe, reports malware that infects a computer, cell phone or tablet and, from there, automatically replaces legitimate codes.
“Your computer is infected with malware, and it identifies that you are opening something for payment, such as a boleto [bank payment slip] in an email, and it swaps that QR Code or boleto on your computer,” explains Simoni.
In this case, he recommends security software on the device that stops malicious programs from acting. “It is always worth having protection systems installed, especially on the cell phone, since today our whole life is inside it: banking data, social networks, everything.”
Fake codes can lead to fake websites
A fake code can lead to a look-alike of the site you intended to visit, imitating a social network or an online banking login. To spot the scam, look at the link displayed when you scan the code, before opening it.
“For example, if the URL has been shortened, it is a red flag, as with this type of code, there is no compelling reason for shortening”, says Fabio Assolini, Kaspersky’s director of research and analysis for Latin America.
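As an added example (not from the article or from Kaspersky), the Python below applies the checks above to the text a scanner decodes, before the link is opened: it flags a shortened URL, plain HTTP, an IP address or punycode host, credentials embedded in the URL, and a brand name that appears in the URL without being its real domain. The shortener list, the small set of two-label public suffixes, the "expected domain" and the sample URLs are all constructed for illustration.

```python
"""Triage the text decoded from a QR Code before opening it, as a cautious scanner would.

Added example, not from the article. The shortener list, the suffix set and the
sample inputs are constructed; a production checker would use the full Public Suffix
List and a maintained shortener list.
"""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample of well-known URL shorteners (assumption: not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
# Constructed sample of suffixes under which the registrable domain has three labels.
TWO_LABEL_SUFFIXES = {"com.br", "gov.br", "org.br", "net.br", "co.uk"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain: last two labels, or three under com.br etc.
    Good enough to unmask 'meubanco.com.br.evil.tld' style look-alikes here."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def triage_qr_text(text: str, expected_domain: Optional[str] = None) -> Dict[str, object]:
    """Return the parsed host and a list of red flags for the decoded QR text.
    expected_domain is the site the user believes the code belongs to (e.g. the bank)."""
    flags: List[str] = []
    text = text.strip()
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        # Not a web link: could be a Pix payload, Wi-Fi config or plain text.
        flags.append("not-a-web-url")
        return {"url": text, "host": None, "flags": flags}

    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("plain-http")
    if parts.username is not None:
        # https://meubanco.com.br@evil.tld/ : the part before '@' is not the host.
        flags.append("userinfo-in-url")
    if host in SHORTENER_HOSTS or registrable_domain(host) in SHORTENER_HOSTS:
        flags.append("shortened-url")   # no legitimate reason to shorten a QR target
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")   # possible homoglyph of a real brand

    if expected_domain:
        expected = expected_domain.lower()
        if registrable_domain(host) != registrable_domain(expected):
            flags.append("domain-mismatch")
            brand = expected.split(".")[0]
            # The brand name shows up somewhere other than the real domain: classic lure.
            if brand in host or brand in parts.path.lower() or brand in (parts.username or "").lower():
                flags.append("lookalike-brand")
    return {"url": text, "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample of decoded QR texts against the bank the user meant to reach.
    for sample in [
        "https://www.meubanco.com.br/login",
        "http://meubanco.com.br.secure-login.tld/pix",
        "https://bit.ly/3xYz",
        "https://meubanco.com.br@192.0.2.10/",
        "00020126360014br.gov.bcb.pix0114+5511999999999",
    ]:
        print(triage_qr_text(sample, expected_domain="meubanco.com.br"))
```

The result is a list of flags rather than a verdict on purpose: a scanner should show the user the full host and the reasons for suspicion, not silently open the link.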
At the beginning of the year, the company identified scams in which fake boletos were sent out, copying the visual identity of real companies, using customer data obtained from leaks and offering payment by QR Code.
“Cybercriminals imitate the look of invoices or websites of real companies, create emails that simulate official ones and, like the companies themselves, offer discounts for payment via QR Code. The victim then opens their banking app, selects the Pix option, scans the fake boleto’s QR Code and confirms the payment,” explains Assolini.
In this case, the tip is to check the name of the account holder receiving the payment. After the code is scanned, the recipient’s details appear on screen; in a fraud, the account holder’s name will not match the company’s registered corporate name.
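As an added example (not from the article, the Central Bank or any bank), the Python below parses the raw text of a Pix QR Code, which is an EMV-style tag/length/value payload with a CRC-16 in field 63, extracts the Pix key, payee name and amount, and verifies the CRC. The shop, Pix key and amounts are constructed. It also shows why the CRC is not a safeguard: a fraudster's generator simply recomputes it, so a swapped code validates perfectly and only the payee name gives the fraud away. Note that the name in field 59 is whatever the code's creator typed; the name your banking app shows after scanning comes from the bank's own lookup of the Pix key, which is the check the article recommends.

```python
"""Inspect the raw payload of a Pix "BR Code" (EMV MPM TLV) before paying.

Added example, not from the article or any bank. The sample payee, Pix keys and
amounts are constructed.
"""
from typing import Dict, Optional


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum carried in field 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def tlv(tag: str, value: str) -> str:
    """Encode one EMV field: 2-digit id, 2-digit length, value."""
    if len(value) > 99:
        raise ValueError("value too long for a 2-digit length")
    return f"{tag}{len(value):02d}{value}"


def parse_tlv(data: str) -> Dict[str, str]:
    """Decode a sequence of id/length/value fields; raise on malformed or truncated input."""
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(data):
        tag, length_str = data[pos:pos + 2], data[pos + 2:pos + 4]
        if len(tag) != 2 or not length_str.isdigit():
            raise ValueError(f"malformed field at offset {pos}")
        length = int(length_str)
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        pos += 4 + length
    return fields


def build_static_pix(pix_key: str, payee_name: str, payee_city: str,
                     amount: Optional[str] = None, txid: str = "***") -> str:
    """Assemble a static Pix code the way a merchant's generator would. Used here to
    build the constructed sample, and to show that anyone can mint a valid one."""
    account = tlv("00", "br.gov.bcb.pix") + tlv("01", pix_key)
    body = tlv("00", "01") + tlv("26", account) + tlv("52", "0000") + tlv("53", "986")
    if amount is not None:
        body += tlv("54", amount)
    body += tlv("58", "BR") + tlv("59", payee_name) + tlv("60", payee_city)
    body += tlv("62", tlv("05", txid)) + "6304"   # CRC covers everything up to and including "6304"
    return body + f"{crc16_ccitt_false(body.encode('utf-8')):04X}"


def inspect_pix(payload: str) -> Dict[str, object]:
    """What a careful scanner can read from the raw text, plus whether the CRC matches."""
    fields = parse_tlv(payload)
    crc_ok = False
    crc_field = fields.get("63", "")
    if len(crc_field) == 4 and payload.endswith(crc_field):
        try:
            crc_ok = crc16_ccitt_false(payload[:-4].encode("utf-8")) == int(crc_field, 16)
        except ValueError:
            crc_ok = False
    account = parse_tlv(fields.get("26", ""))
    return {
        "crc_ok": crc_ok,
        "is_pix": account.get("00", "").lower() == "br.gov.bcb.pix",
        "pix_key": account.get("01"),
        "payee_name": fields.get("59"),
        "payee_city": fields.get("60"),
        "amount": fields.get("54"),   # None for a static code that lets the payer type the amount
    }


def payee_is_expected(payload: str, expected_name: str) -> bool:
    """The article's check: is the payee the company you actually mean to pay?"""
    info = inspect_pix(payload)
    name = str(info["payee_name"] or "")
    return bool(info["crc_ok"] and info["is_pix"] and expected_name.lower() in name.lower())


# Constructed sample: the code a real shop would print next to its till.
LEGIT = build_static_pix("+5511999999999", "Padaria Exemplo LTDA", "SAO PAULO", "25.00")
# A sticker placed over it: same layout and amount, but the key and payee belong to the
# fraudster, and their generator recomputed the CRC, so integrity checks pass.
FRAUD = build_static_pix("fraude@example.com", "Fulano de Tal", "SAO PAULO", "25.00")
# A code altered in place with a stale CRC (one character changed, lengths intact).
CORRUPTED = LEGIT.replace("Padaria Exemplo LTDA", "Padaria Ex3mplo LTDA")

if __name__ == "__main__":
    for label, code in [("legit", LEGIT), ("fraud", FRAUD), ("corrupted", CORRUPTED)]:
        print(label, inspect_pix(code), "expected payee:", payee_is_expected(code, "Padaria Exemplo"))
```

The CRC catches only accidental damage; it is not a signature and says nothing about who controls the key. That is why the practical check remains the one in the text: compare the payee name your bank shows with the business you intend to pay.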
Carlos Afonso Gonçalves da Silva, a divisional police chief (delegado) with the São Paulo Police, recommends using the banks’ DDA (Débito Direto Autorizado, authorized direct debit): “It’s that tab where the boleto goes from the bank directly to the customer through the banking app. [...] managed to defraud this system until today.”
See FBI Tips to Protect Yourself
In January 2022, the FBI (the US federal police) issued an alert about scams using QR Codes.
See FBI tips to protect yourself from QR Code scams:
- check that the web address the QR Code points to is the legitimate one
- check whether a physical code has been tampered with, for example by a sticker pasted over the original
- download apps from the official app store, not through a QR Code
- if you receive an email saying a recent payment failed, call the company to confirm before paying, using a phone number from its official channels
- use the phone’s built-in QR Code scanner rather than downloading a scanning app
- if you receive a code from someone you know, confirm it with them through a phone number or address you trust
- avoid paying through a site reached via a QR Code; instead, type the verified address in manually
What to do if you fall for the QR Code scam?
Thiago Chinellato, a police chief (delegado) at the Cyber Crimes Division (DCCIBER) of the São Paulo Civil Police, recommends filing a report at the online police station.
“From there, it will be distributed to police stations, either on a territorial basis or, if it is a highly complex case, to the Cyber Crimes Division, so the police can try to identify who the fraudster is,” he explains.