“The police have detected in Malaga a new form of fraud committed through QR codes,” the National Police posted on its Twitter profile last September. In recent weeks, the media have also echoed this warning, which many of you have been asking us about.
Although the National Police in Malaga tell Maldita.es that they have not detected a specific case of these scams in the province or in the city of Malaga, they say they are aware that the practice exists, which is why they have decided to alert the public and offer advice to avoid these scams as far as possible.
Therefore, we explain what practices cybercriminals could carry out and how you can avoid being a victim of fraud through QR codes.
National Police Alert
QR codes, which resemble bar codes but are square, have existed for years, but their use has undoubtedly boomed during the months of the coronavirus pandemic, when we have used them in restaurants, airports, concert tickets, theaters, etc.
As we have mentioned, the National Police in Malaga have warned that it is possible to carry out scams through the scanning of these codes. As our contributor Miguel Calvo, an expert in cybersecurity and privacy, explained, this type of code is one of the possible entry points for malicious programs onto our devices.
The National Institute of Cybersecurity (INCIBE) lists the risks we can expose ourselves to when scanning a QR code: possible cases of phishing, the technique that tries to get hold of our personal, bank or money data; the download of malware or malicious code injection; and QRLjacking, or session hijacking.
If you haven’t heard this last term before, QRLjacking consists of hijacking an account that accepts a login via QR scanning. This is the case, for example, with WhatsApp Web. To log in from a browser tab, we scan a code with our smartphone and the session starts automatically. What cybercriminals do here is trick victims into scanning a code that impersonates the original; by doing so, they capture the victim’s session credentials and covertly access information within their account.
Be careful with the unknown codes that we find on the street
With this we are not saying that you have to distrust all QR codes or stop using them, but that you have to pay attention to what you scan. According to the police, one of the cases in which special care must be taken is when the code has been pasted on top of another poster. For example, imagine an advertisement for a well-known brand in which the only element that stands out from the poster is the QR code. Be careful, because it is possible that the brand's original code is underneath and that cybercriminals have covered it with their own.
As attractive as they may seem, also be wary of announcements of supposed prizes, gifts, promotions, etc., that you find on the street. A promise of a prize just for scanning a QR code could have other intentions behind it. And do not trust codes that appear on their own, without any accompanying information.
Tips to avoid getting viruses when scanning a QR
To avoid being a victim of one of these scam cases, Miguel Calvo gives us a series of recommendations, starting with the most basic: having an antivirus or antimalware installed on our device. It is also important to pay attention to what we scan, where and why. And if we are going to scan one, let’s configure our QR reader so that it does not go directly to the URL, but allows us to see it before accessing. This way we can verify that it is the website we want to go to.
We should do the same with file downloads. If the cybercriminal wants us to download a malicious file, we’d better not allow direct downloads when scanning. Also, try not to fill in any form on the website the code takes you to. If you have to, it is better to reach that form by going to the website manually than to follow a link of doubtful origin.
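The "see the URL before accessing it" and "no direct downloads" advice above can be expressed as a small check that a QR reader runs on the decoded text before anything is opened. This is an added example, not code from the police, INCIBE or Maldita.es; the function name, the warning texts and the list of file extensions are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative list of extensions treated as direct downloads (assumption).
RISKY_EXTENSIONS = (".apk", ".exe", ".msi", ".dmg", ".zip", ".scr")


def review_qr_payload(payload: str) -> dict:
    """Decide what a reader should do with decoded QR text. It never auto-opens."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"action": "show_text", "host": None, "warnings": ["malformed link"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        kind = scheme or "plain text"
        return {"action": "show_text", "host": None, "warnings": [f"not a web link ({kind})"]}

    host = (parts.hostname or "").lower()  # the site that would really be contacted
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the real site")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (possible look-alike) domain")

    action = "confirm"  # show the host and ask the user before opening
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        action = "block_download"
        warnings.append("link points straight at a file download")
    return {"action": action, "host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for sample in ("https://menu.example.com/table/12",
                   "http://example.com@198.51.100.7/login",
                   "https://xn--exmple-cua.example/promo.apk",
                   "WIFI:S:cafe;T:WPA;P:x;;"):
        print(sample, "->", review_qr_payload(sample))
```

The host shown to the user is the one the link would actually contact, so in the second sample the prompt displays 198.51.100.7 rather than the familiar-looking name placed before the "@".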
How to protect yourself from possible attacks if you are the creator of a QR
INCIBE also offers a series of tips for users who generate these QR codes, as may be the case if you have a business, for example. What can you do to prevent these attacks? Check frequently that your QR codes have not been changed or modified by other people. Also be careful when choosing the generator for the code: use a service that offers sufficient security guarantees.
In summary, whether you are a business owner or a user, you can follow these tips and recommendations to avoid as much as possible being the victim of an attack through a QR code:
Have an antivirus or antimalware installed on your device.
Be wary of the supposed gifts, promotions and offers that you find on the street and which you could access just by scanning a QR: they can hide other intentions.
Make sure that the code you are going to scan has not been pasted on top of another.
Configure your QR code reader so that it does not open the URL directly but shows it to you before accessing it, and make sure it is a website you can trust.
Don’t allow direct file downloads when scanning a QR code.
If you have a business and you are going to offer a QR code to your clients, use a generator that offers all the security guarantees and frequently check that the code has not been modified or changed by third parties.
If you think you have been the victim of a scam through QR codes, you can write to us at firstname.lastname@example.org telling us about your case.