QCOSTARICA — If you’re in the habit of scanning QR codes in public places, it is best to think twice before doing so, or at least make sure that they have not been tampered with in some way, as this could open the door for cybercriminals to access your cell phone and empty your bank account.

Yes, you should definitely take a second to think before you do so.
This method is known as “QRishing” or “skimming”, whereby criminals use a device placed in ATMs or other locations to access credit card information.
The ‘modus operandi’ basically consists of locating a QR code in a public place and subtly placing a sticker with a false code over a real one, which when scanned redirects the victim to a website that automatically introduces a malicious program such as ‘spyware’ into the mobile phone.
Because the victim trusts that they are entering a legitimate website, whether to view a restaurant menu or participate in a store promotion, for example, the virus manages to enter and infect the device, and is then able to steal sensitive data such as email and banking platform credentials and documents stored on the mobile device, i.e. a smartphone or tablet.
The 5 steps of ‘QRishing’
- The cybercriminal replaces a valid QR code with a counterfeit one, usually by way of a sticker.
- When scanned, the QR will redirect to a website pre-established by the hacker and with characteristics that allow the user to be deceived through social engineering techniques.
- Once access to the device has been gained, a malicious script program is downloaded in a way that is almost impossible for the victim to detect.
- Once the spyware virus has been planted, it is capable of reviewing bank transactions and any action that the user takes on their phone or tablet.
- Finally, by seizing credentials (i.e. login information, PIN) and any other sensitive information, the theft of funds in accounts and software blocking, among others, can be committed.
How to avoid becoming a victim
Of course, not everyone would scan a random QR code without an incentive or a caption explaining what they can expect to see. So cybercriminals often find another way to get people interested.
Scanning and reading a QR code mostly requires two things: a camera and a browser to follow the information in the QR code. Because it’s so simple, it’s also simple to avoid falling victim.
Here’s how.
- Block camera access on your device. Having an always-activated camera can also make it easy for you to scan a QR code without giving it a second thought.
- Make sure to keep your software up to date. That way, you can avoid the risk of hackers finding weak spots in the apps or operating system you use without you even knowing.
- Think it over before scanning. There’s no need to scan every QR code you come across.
The good thing is that QRishing is less common than other types of phishing because an attacker would need to invest some effort into distributing the malicious QR code. However, this form of phishing is relatively new, and not many people know about it.