This has emerged from research by RTL Nieuws, which monitors the activities of cyber criminals in criminal chat groups. In the corona crisis, we see QR codes popping up in more and more places, such as the terrace or in test certificates. As a result, we are getting used to QR codes here and criminals are taking advantage of that.
The danger of these QR codes is twofold. First of all, we know better and better that we should not just click on strange links, but that realization is not yet there when scanning QR codes. Second, you scan the code with your smartphone, but that small screen makes it more difficult to recognize a phishing website than on a larger computer screen.
Fraud is on the rise
The Fraud Help Desk confirms that QR code phishing has been on the rise lately. “We have only seen the use of a QR code as a phishing link since mid-April of this year and is therefore quite new for us”, says director Marloes Kolthof. “As far as we are concerned, the danger lies in the fact that you cannot see in advance what information is contained in such a QR code.”
The rogue QR codes are in emails and letters that appear to come from your bank. In many cases you will receive a fake e-mail from the bank you are actually with, and sometimes the correct IBAN is even mentioned in the message in addition to the correct name.
This happens because cyber criminals have access to a great deal of personal data, including IBAN numbers, through all data leaks. At the popular webshop Allekabels.nl, more than 100,000 IBANs were stolen last year and traded between criminals.
The fake messages state that customers of the bank must request a new debit card or verify a new banking app. The QR code then leads to a phishing website where your bank details are stolen. This allows cyber criminals to gain access to your bank account, after which they try to transfer the money to bank accounts of cash mules.
Money donkeys are people, mostly young people, who make their bank account available to criminals. In many cases, these money mules withdraw the looted amount and are allowed to keep a small part of it themselves, the rest goes to the phishing criminal. Money donkeys are punishable and can be sentenced to prison for their actions.
Maleficent letter on the doormat
Cyber criminals not only send emails containing these dangerous QR codes, but also fake letters in the name of ING, among others. The email states that the Android app has been updated and that you can install the new app via the QR code. By installing this app you will get a virus on your phone that tries to raid your bank account.
“It’s that I don’t have an Android phone, but an iPhone,” said a woman who received the letter last week. “That’s why I quickly saw that it was phishing, but I wonder if others who do have an Android phone see it too.” The letters seem to have been sent mainly to people in Assen: entire neighborhoods there received the letter.
If you did install an app via the QR code, it is recommended that you reset your phone to factory settings to remove the virus.
“Unfortunately we recognize this form of phishing”, says an ING spokesperson. “We never ask you to scan a QR code to download our app, nor do we ask for login details, PIN codes or other security codes. Not in a letter, text message, e-mail or telephone.”
We use QR codes for many online payments, for example with iDeal. These are legitimate QR codes that make a payment and therefore open your banking app.
You also have QR codes to open websites, for example to view a menu online or to order a drink. You often see these QR codes on the terrace because cafes work less with physical menus due to corona.
The QR codes to open websites are abused by criminals: you scan the code and then open the phishing website on your phone where the attacker tries to loot your bank details. You still have to enter it there yourself.
Convenience and confidence
Corona has made the QR code incredibly popular and criminals are responding to that, says Dave Maasland, director of cybersecurity company ESET Netherlands. “We have become so used to scanning QR codes that we trust them. And it is also very easy: you point the camera of your smartphone at it and you open the website. That combination, the convenience and trust, is worth its weight in gold. for criminals. “
According to Maasland, criminals are always looking for how they can make a phishing message appear as legitimate as possible. “A lot of people don’t know that a QR code can also be abused. This is a real risk that we need to consider as we are getting more used to QR codes.”
The police advise victims of phishing to file a report. “This helps us to estimate the size, map out networks, disrupt the revenue model and identify suspects”, the police said.
What can you do?
Cyber criminals often use services that conceal a web address, such as tiny.cc or s.id. A link like s.id/ing-nieuwe-app then leads to the phishing website. The rogue QR codes often refer to such web addresses as well. So be wary if a QR code points to such a link.
The majority of smartphones first show a notification with the address of the website that wants to open the QR code. Always take a good look at that. For example, the ING website is ing.nl and not ing.login-bank.me. Always check whether you are logging in to the correct website by looking up the correct web address yourself or by calling or sending a message to the company in question.
If you unexpectedly scan a malicious QR code and open a phishing website, you often do not run any risk. Only when you enter data or download an app does it become dangerous.