There is always a strong desire for community players in the anti-fraud industry to share the latest groundbreaking trends and report on the sensational. The thing is, most of the time, fraud trends are evolutionary, not revolutionary. It’s more common to hear about a slight change in the tactics of a fraudster rather than hear about a novel fraud kill chain.
So it was hardly surprising when the Australian government posted a brief earlier this month on the use of QR codes in phishing campaigns which prompt users to download malicious content capable of gaining access to their device. Ironically, the government notice was issued at the same time phishing attributable to recent attacks on government sites was being reported.
The common element between these two reports is that phishing works, and the more the bad actor can obfuscate the true destination or payload, the higher the success rate a phishing campaign will see. These attacks are not new and have been going on for quite a while. A favorite flavor, which has been around for at least a decade, is Brazilian Boleto fraud, the practice of using manipulated bar codes for utility invoices to have real-time payments sent to fraudster-controlled accounts.
What’s notable about this case study is that it has taken place on irrevocable instant payment channels, much like the authorized push payment, P2P and Faster Payments rails. So, who exactly is the new kid on the block?
Quishing Fraud Use Cases
Quishing refers to deceptive practices that involve the use of fraudulent or malicious QR codes. QR codes, or Quick Response codes, are two-dimensional barcodes that can store information, such as website links, contact information, or payment details. They are commonly used for various purposes, including making payments, accessing websites, and exchanging contact information. Quishing is already a growing global threat, with a new study revealing that nearly one in four phishing attacks contained a QR code linked to malicious content. In India, over 20,000 cases of fraud related to QR codes were reported in Bangalore alone in a six-year period.
QR code fraud can take various forms, and here are some potential use cases:
- Phishing Attacks: Fraudsters may create QR codes that link to phishing websites. When individuals scan these QR codes, they are directed to fake websites that imitate legitimate ones, tricking them into entering sensitive information such as login credentials or personal details.
- Malware Distribution: Malicious QR codes can be designed to trigger the download of malware onto the user's device when scanned. This malware may compromise the security of the device, steal sensitive information, or perform other malicious activities.
- Payment Fraud: Criminals may create fake QR codes for payments, leading individuals to transfer money to the fraudster's account instead of the intended recipient. This can happen in various scenarios, such as in-store transactions or peer-to-peer payments. Here’s one example of it in Texas, USA.
- Data Interception: QR codes may be tampered with to redirect users to a different destination than intended. This can be used to intercept sensitive information being transmitted between the user and the intended destination.
How to Avoid QR Code Scams
As we head into the holiday season, traffic in stores, restaurants, airports, and many other public places will be burgeoning with people. Or for those who prefer the shopping experience from the comfort of their living room, there will be no shortage of coupons, deals, sweepstakes, emails, and other unsolicited messages trying to get consumers' attention. Fraudsters are waiting and ready to take advantage.
When coming across a QR code, whether in a public place or online, individuals should exercise extra caution. Be careful what you scan, especially anything received from unsolicited or untrusted sources. It's always important to reinforce the value of verifying the source of the QR code, ensuring that it is from a legitimate and trustworthy entity, and being cautious when entering personal or financial information. Performing that extra due diligence goes a long way.
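One way to apply that source check to a decoded QR payload before it is opened, covering the obfuscation, download and look-alike cases listed earlier (an added example, not code from the original article; the function name, flag names, shortener list and sample URLs are assumptions constructed for illustration):

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed sample lists for illustration; a real deployment maintains its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
DOWNLOAD_EXTS = (".apk", ".exe", ".msi", ".dmg", ".zip")

def assess_qr_payload(payload, expected_domains):
    """Return risk flags for a decoded QR payload (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["non-web-scheme:" + (scheme or "none")]
    host = (parts.hostname or "").rstrip(".").lower()
    flags = []
    if scheme != "https":
        flags.append("no-tls")
    if parts.username is not None:
        # "https://brand@other-host/" displays the brand but goes elsewhere.
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if host in SHORTENERS:
        # The real destination is hidden behind a redirect: flag, do not follow.
        flags.append("shortener-hides-destination")
    if parts.path.lower().endswith(DOWNLOAD_EXTS):
        flags.append("direct-download")
    # Source verification: host must be an expected domain or a subdomain of it.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        flags.append("unexpected-domain")
    return flags

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    samples = ["https://pay.example.com/invoice/123",
               "http://bit.ly/abc",
               "https://example.com.evil.test/app.apk",
               "https://pay.example.com@203.0.113.7/invoice"]
    for s in samples:
        print(s, "->", assess_qr_payload(s, {"example.com"}) or "no flags")
```

A suffix match on the bare domain string would accept `example.com.evil.test`; the check above requires an exact match or a leading dot, so the look-alike host is flagged as unexpected.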
However, as with all consumer awareness campaigns, this will not be enough on its own, isolated from other controls. As we’ve observed in the past, people will still take the bait. Certainly, plenty of attempts will be successful, so these scams and high-risk destinations may need some additional controls to protect consumers in the regional environments that have QR code exposure via online banking.
While QR codes are a convenience item that is likely here to stay, we should be looking to enable the use of these links and channels so that the latest Faster Payments channels can be used with elevated confidence that they are safe. Institutions that deploy controls that are effective in detecting high-risk payments from evolutionary scam types will be rewarded with customer stickiness and a resilient brand.