Banks such as Santander, HSBC and TSB, along with UK and US agencies, have raised concerns about rising fraud via fake QR codes.
These entities are alerting customers to a type of QR code fraud called “quishing.” This heightened warning follows a rise in cases where such scams bypass corporate cyber defences, successfully deceiving customers into sharing their financial information.
In an interview with the Financial Times (FT), Chester Wisniewski, Senior Adviser at security software company Sophos, said: “The appeal for criminals is that it’s bypassing all of the [cyber security] training and it’s also bypassing our products.”
The most common delivery method for this fraud is a QR code embedded in an attached PDF, which security filters struggle to recognise as malicious.
In addition to slipping past security controls, QR code scams are effective because of how QR codes work. They offer smartphone users a quick way to open a webpage, but the encoded link cannot be read by eye, so there is no way to tell where it leads just by looking at the code.
Since COVID, QR codes have become common for contactless menus and payments, creating a sense of trust through frequent use. This trust is now being misused in various scams, with Steph Harrison, Senior Fraud Operations Manager at TSB, noting to the FT that it’s “a growing trend in terms of the number of reports we’re seeing”.
Building on these everyday use cases, financial institutions have found further ways to use the technology. Last year, the Monetary Authority of Singapore and Bank Negara Malaysia launched cross-border QR payment codes, which have become a popular payment method within Southeast Asia.
A recent scam targets drivers’ trust when paying for parking. The US Federal Trade Commission and UK authorities have warned of “quishing” scams where fake QR code stickers are placed over legitimate ones, directing users to fraudulent sites.
The fraudulent sites are designed to trick users into thinking they are legitimate, leading them to unknowingly enter personal and payment information. These links may also be set up to install malware on users’ devices.
Though physical scams are evolving, experts state that email remains the most common method. This is especially concerning for companies, as “almost no [cybersecurity] products are looking through attachments,” Wisniewski explained.
“If this continues to be a problem, I suppose the industry will have to move there – but it will slow down the delivery of emails, and it will also make things more expensive.”