Emerging Trends in QR Code Fraud
By Aaron Shraberg
QR codes, square-shaped machine readable codes, allow consumers to download apps, initiate customer service, access Wi-Fi networks, and purchase products. Flashpoint analysts have observed activity around utilizing QR code fraud, especially as it applies to cashless payment applications. Since this type of fraud is relatively novel, this also increases the effectiveness of cyber criminals being able to carry out illicit activities via the following methods:
QR Code Phishing, Private Transactions, and Social Engineering Schemes
QR code fraud can be a component of typical phishing schemes, in which victims are duped into scanning codes contained in emails. With the growth of QR codes as a convenient means of remitting payment, several other types of schemes have also emerged.
As part of phishing expeditions, QR codes are often sent within emails, designed to fraudulently obtain user credentials or direct users to websites where malware is automatically downloaded.
QR Codes as a Form of Payment Fraud
QR codes are used to defraud individuals by inducing them to trigger unintended money transfers to bank accounts, leak their personally identifiable information (PII), or login credentials. When fraudsters have payments made to accounts under their control, they then likely use money mules to convert payments into cash without raising suspicion. Fraudsters have been observed using several methods to commit this type of fraud:
- Fraudsters send a QR code to a public chat group or an individual, supposedly so the target can receive money or other benefits. The QR code is actually a collect request, and scanning it amounts to scanning and entering a PIN.
- Fraudsters substitute real QR codes with fake ones. Upon scanning the code, users are directed to websites with realistic-looking landing pages that are not authentic and may be malicious. The victim may be prompted to enter PII, or malware may be downloaded to their phone. This can result in online banking fraud. In some instances, QR codes can be augmented by graying out certain areas of the code or slightly warping square dots in the code. This can mislead the scanning device into launching certain processes or visiting unintended websites.
QR code fraud also affects cryptocurrency markets. In one example observed, a website generates a false QR code after the user enters a Bitcoin address.
QR Codes Used in Real-World Theft Schemes
QR codes are often posted in public spaces as a quick and easy way to remit payment. They are also used with increasing frequency to transfer funds between individuals. Analysts have observed a few schemes emerging:
- Dire Situation Scheme: QR code schemes typically involve social engineering, including in the real world. For example, in July 2019, fraudsters in the Netherlands were asking individuals to pay their parking fee by scanning a QR code in exchange for cash, saying that the machine was broken and therefore not accepting cash. When the victim scanned the QR code, money from their account would be transferred out. This scheme resulted in tens of thousands of euros being stolen. In these situations, the fraudster may be well dressed to appear more credible.
- Second Hand Markets: In December 2019, the cybercrime unit of the Chennai City Police in India received more than twenty complaints from individuals posting home goods online for sale, who were contacted by potential buyers and asked to scan a QR code to receive funds. However, after the individuals scanned the code, funds were deducted from their accounts. The fraudsters claimed to be Indian Army personnel, perhaps in an attempt to lend themselves credibility. Similar activity was reported involving online second hand markets in Belgium.
- Ticket Payments: An individual in China found a ticket on his car that ordered him to scan the QR code to pay a fine of approximately US $30. The QR code—which was fraudulent—was linked to an account whose profile photo featured a male police officer.
- Small Transactions: In China, where bike-sharing is immensely popular and users pay in advance to unlock a bike, criminals may replace the QR codes on a large number of bikes with their own codes. This can bring many small payments into the threat actor’s account. Many potential bike renters simply shrug it off when the bike fails to unlock and move on to the next one.
Knowledge of QR code fraud may lag significantly, while new types of fraud continue to emerge. A survey of internet users in the United Kingdom showed that over 70 percent of participants were unaware of QR code fraud or fraud types. This may not be surprising, given the relative novelty of this threat type.
Contributing to these trends in fraud is also the global rise in cashless payments creating more opportunities for fraudsters to execute these schemes. China, India, some European countries, as well as North America, with high mobile payment adoption, should be aware of the risk associated with QR codes. QR code scams in China have risen in recent years, affecting the economy.
At this time, no prolific QR code fraudster or group has emerged. However, due to the success of such fraud techniques, Flashpoint analysts assess with moderate confidence that groups will likely form in the near future.