A new scam based on the use of a QR code has just been detected.
Among the many scams found online, one of the most dangerous and recurring is “phishing”. This cybercrime term refers to the theft of personal data. Most often, it is hidden in an email or text message that invites you to click on a link. But this scam is now getting a new look and can also occur via a QR code.
QR codes are now an integral part of our daily lives. Whether it is connecting to a Wi-Fi network or viewing a restaurant menu, their use has almost become a reflex. But recently these very practical codes have also been used by criminals, who replace genuine QR codes with ones that lead to a web page designed to scam. This phenomenon is called “quishing”, an expression derived from “phishing”. For some time now, it has been found on online commercial platforms, such as Le Bon Coin. Although the peer-to-peer sales site is regularly used by scammers, the use of a QR code for this purpose is a first.
This new type of scam consists of diverting buyers from the platform’s secure payment system by getting them to scan one of these QR codes made by thieves. The site UFC-Que Choisir raises the alarm on this type of scam and recounts the bad, very enlightening experience of a buyer. A Le Bon Coin user spots a pottery wheel on the platform and decides to make an offer of 650 euros to the seller (who presents himself under a pseudonym). The latter accepts the proposal and then sends a QR code to the buyer in order to make payment. She explains: “I scanned the QR code displayed on my computer screen with my smartphone and arrived on a Le Bon Coin secure payment page. Finally, on what looked like an official page …”
The buyer continues her purchase as usual by choosing a relay point for delivery before providing her banking information and carrying out enhanced authentication via her bank’s application. It was then that the seller explained to her “that another buyer had paid for the wheel at the same time, which had short-circuited the process.” The scammer then asks her to repeat the entire purchasing process. In total, the buyer paid three times the cost of the item. It is only when the bank, suspecting a fraudulent transaction, blocks the third payment that the buyer realizes her mistake.
Faced with this situation, the user tried to inform Le Bon Coin, which ultimately did not come to her aid. Because the payment had been made outside the platform, the latter declined all responsibility. As a last resort, the buyer turned to her bank in the hope of obtaining a refund. The user shares the bank’s response: “My bank remained equally deaf to my request, because the security process had been validated”. The buyer therefore ended up filing a complaint.
Mélanie Saldanha, lawyer at UFC-Que Choisir, explains why banks can refuse to reimburse victims and specifies that any client can put forward their arguments, in particular that of having been careful: “In cases of phishing, of which quishing (phishing by QR code) is a variation, the law relies on what is called the bundle of clues, that is to say on all the graphic, conversational elements which will make it possible to judge whether the consumer was negligent or whether, on the contrary, anyone would have been tricked.” In this specific case, UFC-Que Choisir was able to access the exchanges between the two parties, and the site noted that the seller wrote in a very cordial manner, without any spelling errors and with a very reassuring tone. In short, a sophisticated method that we must be wary of.