Week 31: Beware when scanning QR codes!

06.08.2024 - QR codes have become ubiquitous. A quick scan and you can call up the menu in a restaurant and then pay the bill, for example. They are often to be found on parking meters, which can be useful if you don’t have any change. But beware: QR codes can also be faked. Quishing, or QR phishing, where attackers use QR codes to steal sensitive information, is on the rise.

We are all now familiar with the grids of black and white squares: the Quick Response codes that you can scan to take you to websites, product details or contact information and that allow you to pay your bills.

And this is precisely what fraudsters try to trick their victims into doing. QR codes can just as easily lead to fraudulent websites as to genuine ones, and you don't necessarily know until you visit the website. When you scan a QR code, a URL is usually displayed in your browser, but it is rarely clear at first glance whether the website is secure. Creating a QR code is pretty straightforward, so fraudsters can use a QR code in a multitude of ways, for example in a fake email from a hotel, in a fake online advert on social media or in spam emails.

Fraudsters are becoming increasingly audacious by printing their own QR codes to cover up authentic codes on parking meters or posters, for example. Various cases have already been reported to the NCSC in which parking fee payments have ended up with fraudsters. The NCSC has also received reports of QR codes in restaurants that have been covered up by fraudsters. In one case, a QR code purportedly for Wi-Fi access prompted the user to enter login details to create an account, but instead of Wi-Fi access, the person had inadvertently taken out an unwanted subscription.

The aim of the fraudsters is invariably the same: to trick potential victims into downloading something that will compromise the security of their accounts or devices, or into entering login details that will be passed directly to the hackers (most likely via a fake website that has been set up to look genuine and trustworthy).

Recommendations

  • Use a reliable and recognised secure application to scan QR codes. The advantage of this is that your device will ask you to confirm the action before the code contained in the QR is executed. Cameras on both Apple and Android devices can recognise QR codes;
  • After scanning and before executing, most scanners will display what action is being carried out or which page is being linked to. Check this information;
  • Never enter login information on a website that you have accessed via a QR code;
  • Before scanning a physical QR code in a public place, examine it to see if a sticker has been applied to the original;
  • If you scan a QR code that contains something malicious, immediately notify the owner of the venue (shop, restaurant, magazine, website, etc.) where you discovered it;
  • Fraudsters usually try to suggest a sense of urgency: scan this QR code to verify your identity, prevent your account from being cancelled or take advantage of a limited-time offer. Don't let yourself be pressured. Take your time to check the story;
  • Regularly check your bank account and credit card transactions. Many banks and card companies offer apps for this purpose. If you notice any irregularities, inform your bank or card company immediately;
  • Never enter your Apple ID, credit card numbers, etc. on websites that do not enable secure data transmission. You can recognise websites with secure data transmission by the "https://" in the URL and the lock or key symbol in the address bar of your browser;
  • If you suffer financial loss, you should file a criminal complaint with the competent cantonal police immediately. The competent police force is determined by your place of residence. You can use the Suisse ePolice platform to find your nearest police station (www.suisse-epolice.ch/search-station).

Last modification 06.08.2024

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_31.html