By Len Noe, Technical Evangelist at CyberArk
India is witnessing a contactless payments revolution, and a huge share of it is being driven by the ubiquitous QR code. The biggest risk with QR codes is that, until they are scanned, there is no way to gauge whether a code will direct the user to a genuine website or transaction.
In India, there are countless cases where innocent people have been defrauded on marketplaces.
One of the most common tricks is sharing a QR code through which a fake buyer requests an amount instead of paying it. If the seller is not alert, they end up entering their UPI PIN, which authorises the transaction. The fraud is discovered only when the amount is debited from their account. As QR code fraud is on the rise in India, several banks have been issuing alerts to their customers to be careful and never share their PIN while making payments through a QR code.
As it is extremely easy to print out QR codes, cybercriminals have been using innovative means to scam people. The fact that QR codes cannot be read by human beings gives hackers a huge opportunity to embed malicious links that redirect to a site which downloads malware and compromises the device of the person who scanned the code. Hackers have also been known to post fake QR codes on social media channels, accompanied by messages that arouse the curiosity of the user.
As a QR code is normally scanned with a mobile device, such attacks have an extremely high success rate. Hackers typically embed a link that delivers malware, so that when a person scans the QR code the malware is downloaded and activated on the user's device. Most mobile devices do not have the required security posture. Additionally, the average person has no way to tell a genuine link from a phishing link. Both factors improve a hacker's chances of success.
Recommended steps
As QR codes become more popular, we will see new forms of QR code fraud. To protect yourself from these frauds, here are some recommendations:
Go to the website of the firm concerned, or check for the legitimate URL that is normally printed with every QR code.
Inspect QR code URLs closely. Once the QR code is scanned, check whether the URL points to the expected website before proceeding. Does it match the organisation associated with the QR code? Does it seem suspicious, or include strange misspellings or typos? If the QR code leads to that company's own URL, you can be confident it is a genuine website. If not, you can decide not to go ahead.
Always remember that there is no need to scan a QR code to receive money. A QR code is used to pay money.
Always check for any sign of physical tampering. This is especially important in public places such as restaurants or railway stations. If you notice a QR code sticker pasted over another QR code, be even more careful.
Never download apps from QR codes. It is extremely easy for cybercriminals to clone and spoof websites. Always go to the official app store for your device's OS and download your apps from there.
Take mobile security seriously and, at a bare minimum, raise it to the level of desktop security.
Multi-factor authentication (MFA) is also highly recommended, as it protects sensitive accounts such as banking, email and social media apps. With one more layer of security, it is much harder for cybercriminals to access your data with just your login and password.
In the digital world, it is always best to first check that the URL leads to a safe and legitimate website. One should apply the same caution and alertness that we use when clicking a link sent to us by email or chat. This simple check can prevent QR code attacks from being successful.
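A defensive check for the "inspect the URL" and "a QR code is only for paying" recommendations above, added here as an illustrative example and not part of the original article: it classifies the text decoded from a QR code and lists the reasons a cautious user should pause before acting on it. The upi://pay?pa=...&am=... layout of a merchant payment intent, the function names and the sample domains and payee addresses are assumptions and constructed values.

```python
from urllib.parse import urlsplit, parse_qs

# Crude digit-for-letter swaps often used in lookalike names (0 for o, 1 for l).
CONFUSABLES = str.maketrans("01", "ol")

def _lookalike(host: str, expected: str) -> bool:
    """True when host is not the expected domain but resembles it."""
    brand = expected.split(".")[0]
    return brand in host or host.translate(CONFUSABLES) == expected.translate(CONFUSABLES)

def inspect_qr_payload(payload: str, expected_host: str) -> dict:
    """Classify a decoded QR string as a UPI payment intent, a web URL or other,
    and list the warnings a cautious user should read before acting on it."""
    p = urlsplit(payload.strip())
    scheme, warnings = p.scheme.lower(), []
    if scheme == "upi":
        # Assumption: a merchant QR carries upi://pay?pa=<payee address>&am=<amount>...
        q = {k: v[0] for k, v in parse_qs(p.query).items()}
        payee = q.get("pa", "")
        if p.netloc.lower() != "pay":
            warnings.append("not a plain 'pay' intent: a QR is never needed to receive money")
        if "@" not in payee:
            warnings.append("payee address (pa) is missing or malformed")
        return {"kind": "upi", "payee": payee, "amount": q.get("am"), "warnings": warnings}
    if scheme in ("http", "https"):
        host, expected = (p.hostname or "").lower(), expected_host.lower()
        if scheme != "https":
            warnings.append("link is not HTTPS")
        if "@" in p.netloc:
            warnings.append("URL has user@ before the host, which hides the real destination")
        if "xn--" in host or not host.isascii():
            warnings.append("host uses non-ASCII or punycode characters; compare it letter by letter")
        if not (host == expected or host.endswith("." + expected)):
            msg = f"host '{host}' does not belong to '{expected}'"
            if _lookalike(host, expected):
                msg += " but imitates it"
            warnings.append(msg)
        if p.path.lower().endswith(".apk"):
            warnings.append("link downloads an app package directly; install only from the official store")
        return {"kind": "url", "host": host, "warnings": warnings}
    return {"kind": "other", "warnings": ["unrecognised payload; do not act on it"]}

if __name__ == "__main__":
    # Constructed sample payloads; the domains and payee addresses are not real.
    for sample in ("upi://pay?pa=shop@examplebank&pn=Shop&am=250.00&cu=INR",
                   "upi://collect?pa=buyer@examplebank&am=5000",
                   "http://examp1ebank.in/login",
                   "https://cdn.example.net/update.apk"):
        print(sample, "->", inspect_qr_payload(sample, "examplebank.in"))
```

The expected host would come from the printed URL or the merchant's own website, as the recommendations above suggest, and an empty warning list only means the payload passed these checks, not that the payee is who they claim to be.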