The Bank of Spain warns of a new type of fraud or theft of personal data and even money, this time through QR codes. Be careful not to fall into this new trap!
We already knew about the new QR or 'Quick Response' codes, which are basically traditional barcodes but improved so that they link us to specific content or web. We also knew the so-called 'phishing' or how cybercriminals can steal our personal data, keys and passwords to usurp our identity and even steal directly from our bank account. Now, the Bank of Spain customer portal warns of the merger of both concepts to talk about 'QRshing' or how to rob us thanks to a QR.
Thieves are modernizing to trick their victims, and their tricks change as fast as our society. If QR codes proliferated especially with the pandemic and the covid to avoid direct contact, once they are installed in our day-to-day lives, they are used to steal personal data from us.
They have given us speed and comfort to access a concert without paper or to consult the menu of a restaurant. Now, we have to think twice when we scan a QR code with our mobile.
These are some of the recommendations that the Bank of Spain lists to avoid risks and make it easy for cybercriminals:
- Traffic fines with a QR that leads to a false website for the payment of the penalty, but it is really the cybercriminal who receives the amount.
- A type of scam known as reverse QR, carried out on waiters when paying the bill. The alleged criminal shows the victim a QR code linked to his own bank, when in reality it is a request for money. Likewise, he manages to get hold of his personal and bank details
- Combined with other techniques, such as the installation of malware or websites that impersonate real pages (web spoofing) so that you provide personal data.
- Placing stickers on top of the real QR code in a commercial establishment.
From the union of the terms QR and phishing comes the name of this fraud, QRishing, which consists of manipulating QR codes to deceive the victim into accessing malicious links or applications and obtaining their private information.
What can I do to detect and prevent this type of fraud? Prevention is based on trying to identify the address to which the QR code sends us: - Although it is not infallible, if the web begins with https it means that it complies with a minimum of security and protection.
- Take extreme precautions and check that the web link or url is not suspicious, before opening it. If it is a shortened link, it is better to "lengthen" it before to verify it or not open it.
- If we access a website that requests data from us, it is preferable to access it directly from the complete url or from the application itself.
- As the owner of a company, check the QRs that you make available to your clients to verify that they have not been falsified.
- Use applications that allow you to see the link before opening it. In the case of iOS devices, it is done from the camera itself but you must activate the functionality. On Android you have the Google Lens app that is already pre-installed or dedicated applications that you will find in the Play Store.
It is important to pay attention to details and in the event of any suspicion, do not scan the QR and search for information using the traditional means, that is, search the official website of the bank, company, restaurant, etc.
In general, a cybersecurity principle is to distrust as the first option to protect ourselves. We should not be trusted as normal, because it is already too common and frequent to find potential crimes and technological fraud.
QR codes can go on certificates, prescriptions, appointments or health documents, on tickets or bank receipts,... and in no case should we send or provide them by any means so as not to endanger our privacy or any good or service. Any document or file may contain sensitive information and it is highly recommended to keep it secure.
