If we started counting them, we would probably fall asleep before getting through half of the mobile scams that exist. Scams related to QR codes are among those gaining the most relevance recently, because they are still little known.
These codes are used for many things: viewing restaurant menus, getting more information about a product, downloading applications… And since reading a QR with a mobile phone is very easy, we find them everywhere, even for renting a bike in cities like Madrid, where a scam is now emerging that once again serves as a warning of the danger they pose.
BiciMAD once again calls malicious QR codes into question
This is a new case of 'Qrishing', a name you may not know, but which refers to phishing scams involving QR codes. The word, in turn, comes from the term 'phishing' (which is used generically to refer to identity theft).
Beyond the terminology we use to name it, though, the important thing is to know what these scams consist of. For this, there is nothing better than a real example like what has happened in Madrid. As reported by various media outlets such as eldiario.es, the municipal bicycle rental company in Madrid (BiciMAD) is being used to scam users. Because yes, the target is not the company but the citizen.
The modus operandi used is extremely well known. Scammers attach a QR code to the bicycle (or its parking structure) in the hope that a trusting user will scan it to make the rental payment. We have not been able to access the page that was used, but it is said to have been a payment gateway that, at first glance, could pass for a reliable BiciMAD platform. Obviously, it wasn't.
No data has been released about how many people have fallen for this scam, or whether anyone actually has, but it is not difficult to imagine how problematic this issue is. Beyond the money the scammers charge for the supposed rental, they could also steal more money from victims in the future: having the debit/credit card already registered is enough for them to charge payments later.
This last point shows the importance of setting up two-factor authentication for payments. Basically, every time an operation is carried out, you need to enter a code that arrives by SMS on the owner's phone or, failing that, authenticate and approve it through the app (we recommend that you contact your bank so that it can inform you of the options it offers).
In the specific case of this attempted scam, BiciMAD reminds users that only its official app is used to scan the QR, so that secure payments are guaranteed and, if a QR is fraudulent, the app does not recognize it.
A QR is not bad. Scanning it without being sure is
We already warned at the beginning that QR codes are now integrated into our society and that they can be very useful. In fact, BiciMAD's genuine QR codes are a good example of this. But like everything in life, they have a negative side: it is too easy to create a scam with them. And that is a problem.
Mobile phones are not capable of identifying whether a QR is reliable or not, although if it opens a web page or triggers a download, the device can alert us. The point is that the responsibility must be ours. And here we start from the same basis as for all types of scams: making distrust our watchword.
What we mean is that it is important not to scan every QR code we see out there, not even those placed where we assume they are reliable (as in the case of BiciMAD). If you do scan one and it leads to a download, always make sure the download is done from the Google Play app store. If it is an external APK download, it may come from a trusted repository, but it is not common for one to be promoted through a QR, so it tends to be malicious.
We also include at this point downloads of files of all types, because even a simple PDF can carry hidden malware. If we have the chance to ask someone responsible for the code (in a restaurant, for example), all the better.
If there is one particularly important recommendation, because of what it implies, it is never to make payments on a website that we reached by scanning a QR. If you have doubts, there are ways to check whether it is a trusted link (for example, VirusTotal), but it is probably malicious. And if it links to an application, make sure it is a well-known, official app of the company requesting payment.
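The idea of an official app that does not recognize a fraudulent QR, and of checking a link before paying, can be sketched as a strict check on the text decoded from the code. This is an added example, not BiciMAD's code: the host `pay.rental.example`, the function name and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: placeholder for the operator's real payment host.
OFFICIAL_HOSTS = {"pay.rental.example"}


def check_qr_payload(payload: str) -> tuple[bool, str]:
    """Return (accepted, reason) for the text decoded from a QR code."""
    text = payload.strip()
    # Control characters and backslashes are parsed differently by
    # different URL parsers, so refuse them outright.
    if "\\" in text or any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control character or backslash in payload"
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme or 'missing'!r} is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' can disguise the real host"
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        return False, "internationalised host, possible lookalike"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a suffix or substring test would accept
    # pay.rental.example.other.example.
    if host not in OFFICIAL_HOSTS:
        return False, f"host {host!r} is not on the allowlist"
    return True, "official host over https"


if __name__ == "__main__":
    # Constructed sample payloads, as a sticker on a dock might carry.
    samples = [
        "https://pay.rental.example/unlock?dock=12",
        "https://pay.rental.example@pay.attacker.example/unlock",
        "https://pay.rental.example.attacker.example/unlock",
        "http://pay.rental.example/unlock",
        "https://pay.rent\u0430l.example/unlock",  # Cyrillic 'a'
    ]
    for s in samples:
        print(check_qr_payload(s), s)
```

Only the first sample is accepted; the others look like the official address at a glance but fail the userinfo, exact-host, scheme or lookalike checks.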