The popularity of the QR Code has inspired scammers, who are using it to reinvent the fake fine scam and lead their victims to malicious sites. Be careful not to fall into this very popular new trap!
Long reserved for a few insiders, the QR Code has significantly gained in popularity in recent years, to the point that it could soon replace barcodes. It was used in particular for the famous health pass during the Covid-19 epidemic, but it is also found on restaurant tables, to prevent customers from touching menu cards, for example. More broadly, this digital graphic code is widely used now to obtain a Wi-Fi code, to directly download an application or to send to a website. Democratization is all the faster because this system is very easy to use, since everything is done automatically, transparently, without complex manipulation.
Unfortunately, like every time a new technology gains popularity, hackers take it over. Indeed, since the victims do not yet know very well how this system works, it is easier to deceive them. It is for these reasons that many cybersecurity experts regularly warn of the proliferation of fraudulent QR Codes capable of stealing user data or installing malicious software on their devices. The latest scam? False tickets found on his windshield, containing the famous QR Code, which refers to a fake government site asking to pay the fine. It was the Seine-et-Marne gendarmerie who sounded the alert on May 14 by sharing one of the false reports found on the windshields of residents of the department. This is a more modern way to recover victims’ banking information than the fake ANTAI SMS!
QR Code: a new, little-known phishing technique
As a reminder, the principle of the QR Code is very simple. Thanks to the camera or a scanning application on a smartphone, it sends the user to a web page or an application. However, it is enough simply to stick a sticker – on a menu, a poster or a flyer, for example – for thousands of people to be fooled without realizing it. Impersonating an official document is also very effective. By scanning it, victims are either led to download an application containing malware, or redirected to a page resembling the original and which will, one way or another, invite them to enter their personal data and/or or banking.
Phishing campaigns are becoming more and more ingenious, and it is rather difficult to detect a fake QR Code, although certain details may give rise to the flea, such as an overlay sticker or an Internet address that does not match. In addition, it is very easy, thanks to websites, to quickly generate a QR Code for a URL address.
QR Code: a still little-known scam
Len Noe, cybersecurity researcher at CyberArkhad already sounded the alarm to the Parisian last summer. “It took years to educate people not to click on a dodgy link sent by email, we have to start all over again with these QR Codes which are phishing campaigns in a new physical form“, he lamented. Fake QR Codes are formidable because, as the specialist explains, “the cyberattack passes through the camera and thus bypasses antivirus and security filters.“This type of fraud had already been detected in Asia, Germany and the United States, which led the FBI to issue alerts. It is a proximity cybercrime that targets tourist sites as well as residents.
Another example of a scam of this type: in Texas, in the city of Austin, motorists had been victims of phishing via QR Codes stuck on parking meters. But instead of being redirected to the city’s official website or app to pay for parking, motorists landed on a fake site that collected their credit card information. A similar scam had been identified in the city of San Antonio. These QR Codes are also starting to appear in phishing emails and online advertisements. A way that may seem strange since why redirect us to a website, when we are already there? Simply because they often go undetected by security software, giving them a better chance of reaching their targets than attachments or dangerous links. Plus, it’s much faster to send out thousands of fraudulent emails than to stick QR Codes around town.
It will be necessary to remain vigilant during these holidays, whether in France or abroad. The website cybermalveillance.gouv.fr is on the lookout, especially during this time. As a precaution, a search engine or a VPN is recommended when connecting to a public Wi-Fi network. Similarly, it is better not to download applications outside the official stores – the Google Play Store and the Apple App Store – even if this is not an absolute guarantee of security. It should be kept in mind that many QR Codes embedded in e-mails are fraudulent, and if a QR Code links to a site requesting information that does not seem necessary, it is better not to transmit it. Finally, concerning the famous false fines to be paid, it must be kept in mind that, even if a QR code is present on the document, it is imperative to go through the official site. amendes.gouv.fr to settle them. And if ever the bank details have unfortunately already been provided, you must contact your bank quickly before opposing, and thus limit the risk of fraudulent direct debits and payments.