Date: 2023-09-30

“If QR codes allow the user to directly access content or external web pages through the Internet when they are scanned by the mobile phone camera or through specific applications for this activity, the genesis of QRishing lies in the unification of the terms ‘QR’ and ‘phishing’.”

As the QR (Quick Response) code gradually gains popularity and use, appearing more and more on restaurant menus, electric scooter and bicycle rentals, and for reading PDFs, it seems more than logical that new hacks and theft of private data are also emerging.

To put this in context, QR codes are those square images made up of a pattern of black and white modules that you see in newspapers, restaurant menus, brochures, on the Internet, etc. When you scan them, they redirect you to a website, save contacts or open applications. Usually, a QR code stores a URL and other related information.

QRishing, as the scam that uses these images is known, is a simple way for some people to take advantage of a QR code to steal private information, install malicious software on a device or direct a person to an unsafe website with malicious intent. In other words, QRishing is what everyone already knows as phishing, but carried out with QR codes.

“In relation to the techniques used by this type of scammers, it should be noted that QRishing is on the rise thanks to the use of social engineering tactics, given that the success of QRishing depends on issues such as user trust, custom and massiveness with which QR code scans are treated and the difficulty of distinguishing legitimate codes from those that are not,” explain Raquel Puebla and Itxaso Reboleiro, cybersecurity analysts at Entelgy Innotec Security, in an interview for Computer Hoy.

For example, the attacker may leave leaflets at a bus stop or on restaurant tables, or even send the code via email. When a person scans the QR code with their phone, thinking that it is something interesting to consult or a menu, a URL, an image or a map with directions to get to a place, among other things, will be displayed.

“The most common thing is that these codes are inserted in busy and easily visible places, such as streetlights and posts on avenues, since curiosity could cause people to access them. It is also common to use them in places whose scanning could involve an incentive for the user, such as in busy restaurants, private vehicles and sustainable public transport services, given that the use of QR codes to undock bicycles, among others, is becoming popular,” they add.

From here, scammers rely on their technological capabilities to trick victims into sharing sensitive data. The trick is that they know perfectly well which techniques to use to get your attention and make you fall for it.

“The main risks related to QRishing consist of the collection of valuable information using lures of interest to the user, given that this cyber threat is still an aspect or variant of phishing, which in turn could lead to bank fraud, impersonations or even extortion and blackmail in the case of access to especially sensitive information (such as intimate photographs, for example); as well as the installation of fraudulent mobile applications or malware,” the experts comment.

To take an example close to home, if you live in Madrid or the surrounding area, you have surely heard of the scandal generated precisely by a scam related to QR codes, specifically with BiciMAD, the city’s bicycle rental service.

In this case, some QR codes were fraudulently replaced and, instead of taking you to the official website, they take you to a different one that asks you for money if you want to rent the bike, with the scammers keeping the money for themselves.

“Another well-known example of QRishing is the case of American parking meters, since in 2022 fake QR codes were placed in the parking meters of different cities in the nation that allowed cybercriminals to steal the payment details of the users of these devices, with which later unauthorized banking operations could be carried out. In 2022, the World Cup in Qatar also served as a decoy to spread QRishing cyber threats,” the experts exemplify.

Don’t get caught: QR code scams can be avoided

To protect yourself against QR scams, it is important to follow some good practices:

- Check the source: Before scanning a QR code, make sure it comes from a reliable and legitimate source, although, as you have already seen, a fake one can still slip past you. Make sure that the web address, if not shortened, begins with https://.
- Use a secure QR reader: Use a reliable QR code reader app on your mobile that can detect malicious links or websites.
- Do not share personal information: Be careful when providing personal or financial information after scanning a QR code, and make sure the website is secure and authentic. QR codes are usually placed to provide information, so if you are not 100% sure, avoid entering passwords, emails, names, etc.
- Update your software: Keep your phone and its applications updated to protect against known vulnerabilities.
- Report scams: If you find a fake QR code or a QR scam campaign, report it to the authorities or to the company that could be being spoofed.

“Attention must be paid to the purpose contained in the QR, given that, for example, if what you want is to view the menu in a restaurant, it would not make sense for the QR to lead to the download of an application. Furthermore, it is advisable to distrust or even reject information cards and brochures that contain QR codes and that are distributed by strangers, since it is impossible to determine their real purpose. Likewise, you should not scan any QR code located in places that should not host them for no apparent reason and that are found by the user at random,” conclude Raquel Puebla and Itxaso Reboleiro.
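
The checks described above (https:// unless the link is shortened, a destination that matches the expected site, and a destination that fits the purpose of the code) can be applied to the text decoded from a QR code before it is opened. The following Python sketch is an added example, not part of the original article; the function name `vet_qr_payload`, the shortener list, the download suffixes and the `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Illustrative values (assumptions, not from the article).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
DOWNLOAD_SUFFIXES = (".apk", ".ipa", ".exe", ".dmg")


def vet_qr_payload(payload, expected_hosts, purpose="info"):
    """Return a list of warnings for the text decoded from a QR code.

    expected_hosts: hosts the code should lead to (the operator's own site).
    purpose: what the user expects from the code, e.g. "menu" or "rental".
    """
    url = urlsplit(payload.strip())
    scheme = url.scheme.lower()
    # Compare the parsed host, never a substring of the raw text.
    host = (url.hostname or "").lower()

    if scheme not in ("http", "https"):
        # QR codes can also carry contacts, app links and other actions.
        return [f"not a web link, which does not fit purpose '{purpose}'"]

    warnings = []
    if host in SHORTENERS:
        warnings.append("shortened link: the real destination is hidden")
    elif scheme != "https":
        warnings.append("address does not begin with https://")

    # Accept the expected host itself or one of its subdomains only.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        warnings.append(f"host '{host}' is not the expected site")

    if url.path.lower().endswith(DOWNLOAD_SUFFIXES):
        warnings.append(f"leads to a download, which does not fit purpose '{purpose}'")
    return warnings


if __name__ == "__main__":
    # Constructed samples: a genuine sticker and a replaced one.
    official = {"rental.example"}
    for text in ("https://rental.example/unlock?bike=12",
                 "http://rental-pay.example/unlock?bike=12",
                 "https://bit.ly/abc123"):
        print(text, "->", vet_qr_payload(text, official, "rental") or "ok")
```

An empty list means none of these checks fired; it does not prove the destination is safe, so the advice about not entering passwords or payment details when in doubt still applies.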