Explainer: Why QR code scams are getting common and how not to be the next victim
A number of scams linked to quick-response (QR) codes have surfaced recently, with one victim losing up to S$20,000. TODAY takes a look at why people fall prey and how they may better protect themselves from QR code scams.
- There have been a number of QR code-related scams in the news recently, with one victim losing up to S$20,000
- QR code scams tend to appear harmless and inherently provide a false sense of security, cybersecurity experts said
- They can lead potential victims to phishing websites and to unintentionally install malware on their mobile devices
- It is important for individuals to stay alert and for businesses to take steps to make their QR codes more secure
SINGAPORE — A number of scams linked to quick-response (QR) codes have surfaced recently, with one victim losing up to S$20,000.
In a case that surfaced online and circulated on social media this week, some residents claimed to have received flyers with a QR code inviting each household to get a “free” device to measure high blood pressure. Several members of the public were quick to dismiss the authenticity of the flyer and alerted others via WhatsApp and other online platforms to a potential scam.
However, as it turned out, insurance firm AIA Singapore released a statement on Wednesday (May 10) to address these claims, verifying that the flyers were authentic, and that the firm had engaged another company called We Care For SG Private Limited to conduct marketing activities.
In another case, a 60-year-old woman was visiting a bubble tea shop when she noticed a sticker seemingly inviting customers to complete an online survey in exchange for a complimentary cup of milk tea. After scanning the displayed QR code with a mobile phone, she was prompted to download a third-party application.
The app allegedly contained malicious software or malware, which was used to move S$20,000 from her account, national daily The Straits Times reported last Sunday.
And on May 7, an Ang Mo Kio resident in his 50s lost US$39.99 (S$53) after he used a third-party app to scan a QR code while trying to recycle his clothes at an SG Recycle machine near his home, Chinese daily Lianhe Zaobao reported on Friday.
Using a third-party app, he scanned the QR code displayed on the machine, but clicked on an advertisement that took him to a website, which then prompted him to enter his credit card information. He thought that the rewards for recycling would be credited to his credit card account.
TODAY takes a look at why people fall prey and how they may better protect themselves from QR code scams.
WHY DO PEOPLE FALL FOR QR CODE SCAMS?
It is becoming more common to hear of people falling prey to QR code scams because of the general increase of QR code usage in daily life.
Associate Professor Jiow Hee Jhee, 51, from the Singapore Institute of Technology with a research interest in cybercrime, said: “As society accelerates in the adoption of electronic payment and financial transaction methods, scammers will always find a way to cheat people. QR codes, being widely used, afford exploitation by scammers.”
Mr Kenny Yeo, 47, director and head of Asia Pacific cyber security practice with consultancy firm Frost & Sullivan, similarly links the rise of QR code scams to the evolution of digital communication and transactions.
“QR codes are simply the latest form of digital technology to become commonplace.
“If you look at it as a journey, we started with calls, then SMS (short message service), emails with links, WhatsApp, Telegram and now QR codes — because it is such a common thing in today’s life with contact-tracing app TraceTogether in Singapore during Covid-19, QR code digital payment, online surveys etc.”
Scams linked to QR codes are just like most scams: They prey on people looking for good deals or free products, or on the tendency to want to earn some quick cash.
Mr Ali Fazeli, 42, a senior consultant at cybersecurity company Infinity Forensics, said that scams tied to QR codes tend to entice potential victims with implausibly low prices for products and services.
“When a deal looks too good to be true, it’s probably a scam.”
He believes that QR codes give a deceptive sense of security.
“We have to understand that there is a vulnerability in the nature of QR codes. On the surface, they are just black-and-white images. Users do not know exactly where the code will lead them before scanning it. Criminals aim to take advantage of this vulnerability,” he said.
Scammers have various methods of operation.
These include sending QR codes to unsuspecting victims via email, WhatsApp and other chat messages, or placing stickers of fraudulent QR codes over authentic QR codes owned by legitimate business vendors.
“When someone scans a QR code, especially at a legitimate place of business, they assume that the code takes them to the right place,” Mr Ali said.
If a scam was attempted through a phishing link — an internet address that imitates or looks like legitimate websites to lure victims to click on them — security systems would probably detect it, he added.
“However, QR code scams can sometimes bypass security systems by directly prompting users for payment.”
WHAT USUALLY HAPPENS IN QR CODE SCAMS
QR code scams may lead users to phishing websites or to unknowingly install malware, among others, each with varying consequences.
“In a less serious permutation, it could lead people to an online form asking them to fill in personal identifiable information. This information could be used to start a search on ways to penetrate and steal more information and money in other means,” Mr Yeo from Frost & Sullivan said.
“In more major ways, the link could be to a malware and if you’re not careful and allow this to be installed on your mobile device, it could record your activities, steal your SMS MFA (multi-factor authentication), record your passwords or control your device to steal money online.”
HOW TO PREVENT FALLING PREY TO QR CODE SCAMS
Cybercrime is commonplace in today’s technology-centric society, and there have been many cautionary tales as well as warnings from the police for people not to click on suspicious-looking links to avoid phishing scams.
When it comes to personal responsibility, Mr Yeo advised the public to read up more on how to avoid scams, and to think twice before acting on the urge to grab a good deal.
“While technology and tools play an important role in detecting and preventing scams, the most important protection starts with awareness, then training.
“You and I need to be aware of these adversaries and their motives, then know what to ignore and delete, instead of scanning, responding and replying mindlessly,” he added.
Mr Ali from Infinity Forensics also warns against QR codes that direct users to download more materials and grant permissions on mobile devices.
“It is a huge red flag if the QR code brings you to unauthorised payment platforms, or prompts you to engage in suspicious actions like downloading third-party applications or files.”
As for smartphone users who are not so digitally savvy, he suggested double-checking with someone whether they should really scan the code or take the deal, or trying alternative payment methods if they are not sure.
For business owners who want to ensure the safety of their customers, Mr Yeo recommends that they make sure their business QR codes are not tampered with by other parties and do not have gaps that allow people to override or mask them.
“A scammer could hijack a legitimate promotion by reprinting the same poster and changing the QR code. Staff members could regularly test the QR code to ensure that it is still working as expected.”
Mr Ali said that businesses who use QR codes as a form of transaction may add a layer of security for their customers.
“Companies can assign or add a digital signature to the QR code.
“When customers scan a QR code embedded with a digital signature, the scanning application should have the ability to verify the authenticity of the QR code through validating the digital signature.”
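The signature check described above, sketched as an added example (not code from the article or from any company it names). It uses Ed25519 as the signature scheme; the `QRS1.` payload format, the function names, the keys and the URLs are hypothetical, and the scanning app is assumed to already hold the merchant's public key.

```javascript
// Added example: Ed25519-signed QR payloads using Node.js built-in crypto.
// The "QRS1.<claims>.<signature>" format and all names are hypothetical.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fail = (reason) => ({ ok: false, reason });

// Merchant side: sign the destination URL plus an expiry time (ms since epoch).
function signQrPayload(url, expiresAtMs, privateKey) {
  const claims = b64u(JSON.stringify({ url, exp: expiresAtMs }));
  const sig = crypto.sign(null, Buffer.from(`QRS1.${claims}`), privateKey);
  return `QRS1.${claims}.${b64u(sig)}`;
}

// Scanner side: check the signature against the merchant key the app already
// trusts before any URL is shown or opened.
function verifyQrPayload(text, publicKey, nowMs = Date.now()) {
  const parts = String(text).split('.');
  if (parts.length !== 3 || parts[0] !== 'QRS1') return fail('unsigned-or-malformed');
  const sig = Buffer.from(parts[2], 'base64url');
  if (sig.length !== 64) return fail('bad-signature'); // Ed25519 signatures are 64 bytes
  const signed = Buffer.from(`QRS1.${parts[1]}`);
  if (!crypto.verify(null, signed, publicKey, sig)) return fail('bad-signature');
  let claims, dest;
  try {
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    dest = new URL(claims.url);
  } catch {
    return fail('unsigned-or-malformed');
  }
  if (typeof claims.exp !== 'number' || nowMs > claims.exp) return fail('expired');
  if (dest.protocol !== 'https:') return fail('not-https');
  return { ok: true, url: dest.href };
}

// Constructed demo data: throwaway keys and example.* URLs, not from the article.
const merchant = crypto.generateKeyPairSync('ed25519');
const impostor = crypto.generateKeyPairSync('ed25519');
const expiry = Date.now() + 24 * 60 * 60 * 1000;
const genuine = signQrPayload('https://shop.example/pay?t=12', expiry, merchant.privateKey);
const sticker = signQrPayload('https://pay.example.net/x', expiry, impostor.privateKey);
const spliced = [...sticker.split('.').slice(0, 2), genuine.split('.')[2]].join('.');

for (const [label, code] of Object.entries({ genuine, sticker, spliced })) {
  console.log(label, verifyQrPayload(code, merchant.publicKey));
}
```

A pasted-over sticker signed with any other key, or a genuine signature attached to a different URL, fails verification, so the app can refuse to open it.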