Written by Venkat Krishnapur
The scannable shortcut we almost bid farewell to, has made a dramatic comeback, all thanks to the global pandemic. Yes, you guessed right – I’m talking about QR code. Social distancing guidelines and trends like ‘contactless-everything’ have popularised the pixelated mosaics and their slick, simple use only makes their case stronger. From being introduced in the 1990s to simply track product inventory, their versatile use has brought them a long way – from scannable restaurant menus, to customer engagement with brands, and even faster airport check-ins.
Perhaps, their widest use is in the contactless payment ecosystem – ‘Scan the QR code below and pay’. A QR (Quick Response) code is a two-dimensional barcode which is easily read by smartphones – all you need is a camera and an app to read the code.
All that’s great, but here’s where my concern begins – they may be pretty simple to generate, but identifying what’s hidden in them, is the hard part. While they have emerged as a convenient way to promote contactless technology, users lack the necessary knowledge on how to spot a fraudulent one.
New forms of payment mean more scope for confusion
While over-the-counter scanning poses less of a risk, scammers have found new, creative ways of deception. One way of doing this is by sending people texts like – ‘Congrats on winning Rs 5,000’ along with the picture of a QR code. The message will urge you to scan the code, enter the amount, followed by your UPI PIN to ‘receive’ the cash in your account. In this scam, gullible people believe that this will credit money in their account, but this does just opposite. You don’t end up ‘receiving’ but actually ‘paying’ the fraudster the amount.
Another tactic is by embedding fake QR codes into a phishing email, text, or via social media. Upon scanning the bogus code, users are directed to websites with realistic-looking landing pages, where the victim may be prompted to login by entering PII (personally identifiable information).
A forged QR code also has the potential to connect to unsecured Wi-Fi network or automatically navigate to a malicious link. Phoney codes may also take you to websites where malware can be automatically downloaded and used to steal sensitive information from your device, or even transfer spyware or viruses.
Public QR codes (like at fuel stations or kiosks) also pose a problem as cybercriminals may swap them by replacing their own QR codes over genuine ones to make money flow into their account. The problem is, there is no way of reading the information contained inside the code before exposing the device to the unsuspecting fraud.
Up your defences
While this type of fraud is relatively unconventional, the technicalities of QR codes are somewhat of a mystery to most users, making them potentially dangerous. Our predictions for 2021 highlight that hackers will increasingly use these QR schemes and broaden them using social engineering techniques.
It’s critical to pay close attention, even to small details while making payments or transactions using QR codes. It is best to pay using these, only in secure and familiar environments. Remember that the risks of scanning an unknown QR are like clicking on links in unknown messages – treat a QR code like any other link – don’t follow it if you don’t fully trust the source.
Once you scan the QR, a pop-up to view its embedded URL must emerge. If there is no URL, or if it seems like a shortened one (like bit.ly) – be cautious. It’s best to install a QR scanner that checks or displays the URL before it follows the link.
Install and update security software regularly across devices. If you suspect any suspicious activity – immediately contact your bank and have them change your login credentials. You may also consider contacting the police and registering a formal complaint with the cyber cell or even an online complaint on the National Cybercrime Reporting Portal – cybercrime.gov.in.
Although the QR codes themselves are a secure and convenient mechanism, we expect them to be misused by cybercriminals in 2021 and beyond. Knowledge of QR code fraud may lag significantly today, but vigilance on our part will ensure the difference between the QR code being scanned and us being scammed.
The author is Vice-President of Engineering and Managing Director, McAfee India.