Week 43: Parking fee phishing with fake QR codes

29.10.2024 - Over the past few years, we have seen a significant change in the tactics used in credit card phishing scams. With two-factor authentication becoming increasingly common, it is no longer enough for scammers to simply trick their victims into sharing their credit card details. Now they have to trick their victims into going through the entire payment process and authorising the payment at the end. That's why they’re always looking for ways to deceive their victims and make them do things they shouldn’t. A particularly brazen example was reported to the NCSC last week.

Whereas in the past you had to fumble around for change for the parking meter, there are now more convenient ways to pay, such as tap and go (contactless), or via a parking app. The payment process is made even easier and more user-friendly through the integration of technologies such as near-field communication (NFC) and QR codes. But this convenience has its risks. In one recent case, scammers covered the real QR codes on the side of parking meters with their own QR codes. These codes redirected victims to a deceptively authentic-looking payment page where they could choose to pay by Twint or credit card.

Deceptively genuine-looking scam site (left). Only the web address reveals that this is not the real thing.

Usually, after entering the credit card or Twint details on the fake website, the victims are charged a much higher amount than is actually owed. As people are often in a hurry when paying for parking, they rarely check the payment details, such as the recipient or the amount to be charged. The victims authorise the payment and before they know it, several hundred francs are transferred to a fake account.

Gift cards as a conduit

But how do the scammers actually get their hands on the money? It is highly unlikely that the scammers get the money directly – they would have to be accredited as service providers by the credit card companies. The credit card companies would receive a flood of complaints from the victims and promptly stop the payments from going through after the first fraudulent charges. Instead, it usually works like this: once a victim has fallen for the phishing scam, their credit card details are entered as payment for the purchase of gift cards, for example from Apple or Google. So the gift cards are paid for by the victim, but the product is delivered to the fraudster. In a second step, the gift cards are resold or otherwise cashed out.

Recommendations

  • Before you confirm a payment, always check that the amount and the beneficiary are correct. If anything looks suspicious, cancel the payment immediately;
  • Before you scan a QR code, take a closer look and maybe even touch it to make sure it is the original QR code and not a fake sticker;
  • Check that the web address you have been directed to is the one you expect to see. Look carefully – differences can be hard to spot;
  • If you were charged too much, contact your bank or credit card provider immediately.
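As an added illustration of the third recommendation (this is example code, not part of the NCSC article or any operator's software), the following Python snippet shows how a parking app or a scanner could triage the URL decoded from a QR code against the payment domain it expects. The domain `parking-example.ch` and all sample payloads are constructed placeholders. The check deliberately goes beyond "does the address contain the right name": it accepts only the expected domain or a subdomain of it, and flags the tricks that make a lookalike hard to spot on a small screen (the real name used as a subdomain of another domain, the real name placed before an `@`, or the name appearing only in the path).

```python
"""Triage a URL decoded from a parking-meter QR code against the expected domain.

Added example, not NCSC code. EXPECTED_HOST and the sample payloads are constructed.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed placeholder for the operator's genuine payment domain (not a real site).
EXPECTED_HOST = "parking-example.ch"


def check_qr_url(payload: str, expected_host: str = EXPECTED_HOST) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of ok, lookalike, mismatch, reject."""
    expected = expected_host.lower().rstrip(".")
    parsed = urlparse(payload.strip())

    if parsed.scheme.lower() != "https":
        return "reject", f"scheme is {parsed.scheme or 'missing'!r}, not https"

    # 'https://parking-example.ch@other.example/' displays the real name first
    # but actually connects to the host after the '@'.
    if parsed.username is not None or parsed.password is not None:
        return "reject", "credentials in URL hide the real host behind '@'"

    host = (parsed.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return "reject", "no host in URL"

    try:
        ip_address(host)
        return "reject", f"host {host!r} is a bare IP address"
    except ValueError:
        pass  # a normal domain name, continue

    # Genuine: exactly the expected domain or a subdomain of it.
    if host == expected or host.endswith("." + expected):
        return "ok", f"host {host!r} belongs to {expected!r}"

    # Lookalike: the real name appears in the host but is not the registered domain
    # (e.g. parking-example.ch.pay-now.example), or with dots swapped for hyphens.
    if expected in host or expected.replace(".", "-") in host:
        return "lookalike", f"host {host!r} imitates {expected!r}"

    # Lookalike: the real name only appears in the path or query of another site.
    if expected in (parsed.path + "?" + parsed.query).lower():
        return "lookalike", f"{expected!r} appears only in the path, host is {host!r}"

    return "mismatch", f"host {host!r} is not {expected!r}"


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from stickers.
    samples = [
        "https://parking-example.ch/pay?zone=12",
        "https://pay.parking-example.ch/checkout",
        "https://parking-example.ch.pay-now.example/checkout",
        "https://parking-example-ch.pay-now.example/",
        "https://parking-example.ch@pay-now.example/checkout",
        "https://pay-now.example/parking-example.ch/",
        "http://parking-example.ch/pay",
        "https://203.0.113.5/pay",
        "https://pay-now.example/",
    ]
    for url in samples:
        verdict, reason = check_qr_url(url)
        print(f"{verdict:9} {url}  ({reason})")
```

Only `ok` should be allowed to proceed without a prompt; `lookalike` is the case the article describes, where the address looks right at a glance but the host is somebody else's, and is the one worth a loud warning to the user.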

Last modification 29.10.2024


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_43.html