Be careful as the Christmas holidays approach, a new scam is rampant on Leboncoin! Scammers use QR codes to hijack the platform’s secure payment system and extract money from their victims.
Long reserved for a few insiders, the QR code has gained popularity in recent years, to the point that it could soon replace barcodes. Today we find it in all forms, on restaurant menus, transport tickets, food packaging, medication leaflets, posters in the metro, clothing labels, magazine advertisements, information panels, business cards or even on television, inviting us to directly download an application or referring us to a website. A democratization that is all the more rapid as this system is very easy to use.
Unfortunately, as every time a new technology becomes popular, cybercriminals take advantage of it. Since most people are not yet very familiar with how this system works, it is much easier to fool them. We are therefore witnessing a proliferation of fraudulent QR codes, with the aim of stealing user data or installing malicious software on their devices. This is the case, for example, of false tickets, containing the famous QR code, which can be found on the windshield (see our article). But the scammers do not hesitate to be even more creative, using the small graphic to extract money from buyers on Leboncoin, bypassing the payment page.
Leboncoin scam: a platform that attracts scammers
The UFC-Que Choisir is sounding the alarm in a statement, where she recounts the misadventure of Anne P., who was the victim of this scam on the classified ads site. She responded to an offer for €650 (€667 with shipping) to acquire a pottery wheel. The seller, Tigratop42, accepts and sends him a QR code to scan to make payment. The victim complies and lands on a fake Leboncoin payment page, which actually looks like an official page, with the same graphic charter and logo of the official site. She is not suspicious and enters her banking information, before carrying out strong authentication with her banking application – to validate the transaction online so that the bank is sure that she is indeed the author. And there… nothing happens. The scammer then makes him believe that another interested buyer paid at the same time and that this short-circuited the process. He asks her to renew the offer and she sends back another QR code. Result: she paid three times. In total, he took €1,334 from her – the bank fortunately blocked the third attempt, suspecting fraud.
Subsequently, Leboncoin refused to reimburse the victim, the payment having been made outside the site, as did the victim’s bank, arguing that it had validated strong authentication. Anne P. has since filed a complaint and hopes to win her case and be reimbursed by her bank, which is entirely possible. Indeed, the monetary and financial code (article L133-18) requires banking establishments to immediately restore victims’ accounts, except in cases of serious negligence. “In cases of phishing, of which quishing (QR code phishing) is a variation, the law relies on what is called the bundle of clues, that is to say on all the graphic elements, conversational, which will make it possible to judge whether the consumer was negligent or whether, on the contrary, anyone would have been trapped”, explains Mélanie Saldanha, lawyer at UFC-Que Choisir. The Banque de France recently reminded that strong authentication is not infallible, and that a customer can be manipulated by a scammer without being accused of negligence (see our article). The existence of strong authentication is not sufficient to consider that the transaction has been authorized by the customer. So if you too are a victim of this type of scam, don’t give up and demand that your banking institution reimburse you!