The use of QR codes is increasingly widespread throughout the world. Whether it is to consult a restaurant menu, validate a ticket to an event or obtain a vaccination certificate. This increase in their use has meant that fraudsters have adapted to use them in their crimes, it is what is known as 'QRshing', the result of combining QR and 'phishing'.
QR codes are still evolved barcodes that, after being scanned with a mobile device's camera, lead you to certain information located on the web or in a database. This information can be of any type, even sensitive to being used by criminals to appropriate people's money or personal data. Several types of scam have been detected using this method:
- Traffic fines with a QR that leads to a fake website where you can pay the penalty, although in the end it is the fraudster who receives the amount.
- The reverse QR scam: it is carried out when paying the bill to waiters. The alleged criminal shows the victim a QR code linked to his own bank, but in reality it is a request for money. In addition, in this way he manages to get hold of personal and bank details.
- Combination of the QR with other techniques, such as the installation of 'malware' ('malicious software') or web pages that impersonate real pages ('web spoofing') so that the victim provides personal data.
- Placement of stickers on top of the real QR code in a commercial establishment.
Given the increase in scams using this method, the Bank of Spain has published recommendations on its Banking Customer Portal to avoid falling into this type of fraud:
- Although it is not infallible, if the web page begins with 'https' it means that it complies with a minimum of security and protection.
- Take extreme precautions and check that the web link or url is not suspicious before opening it. If it is a shortened link, it is better to "lengthen" it before to verify it or not to open it.
- When we access a website that asks us for data, it is preferable to enter directly from the complete url or from the application itself.
- In the event that we are the owners of a company, check the QR that we make available to customers to verify that they have not been falsified.
- Use applications that allow you to see the link before opening it. In the case of Android we have the Google Lens 'app' (which is already pre-installed) or specific applications that can be downloaded from the Play Store. In iOS devices it is done from the camera itself, although the functionality must be activated.
According to the criteria of The Trust Project
