QRishing takes its toll. Beware of a new type of fraud. Alior Bank warns. You may lose data and money

Cybercriminals have found another way to extort our data and money. We are talking about QRishing, a new scam using increasingly popular QR codes.

The history of QR codes dates back to the mid-1990s. However, they have only gained real popularity in recent years. Today they are present almost everywhere. We scan them, e.g. on public transport, when we want to activate a ticket purchased in an app. Many restaurants have given up printed menus, preferring QR codes that take us to a website with the menu.

Some websites, e.g. VOD platforms, also offer login using a QR code. It is easier to turn on the camera and scan the alphanumeric code than to manually enter a long web address, especially if we run a given service on a TV and only have a remote control at our disposal.

Cybercriminals are also well aware of the growing popularity of QR codes, and they increasingly use this functionality to extort our data and money. This is how QRishing was born.

What is QRishing?

The name QRishing was created by combining the abbreviation QR with phishing. It is a type of phishing, with the difference that the link to the website prepared by the fraudsters does not arrive as a link in an e-mail, instant messenger or SMS message, but as a QR code. Alior Bank, among others, recently warned its customers against QRishing.

You can find QR codes, for example, in public transport, offices, taxis, advertisements at bus stops, parking meters, restaurant menus, leaflets and websites of service providers. QR codes allow you to access websites, app stores or quickly connect to a Wi-Fi network.

– we read in a statement published by the bank. Alior warns that fraudsters “post QR codes on specially prepared materials or paste or insert an appropriately prepared QR code on official materials leading to information sources.”

A code prepared in this way can be used to steal information (e.g. bank card data), install malware on a smartphone or direct the recipient of the QR code to a dangerous website.

QRishing is dangerous not only due to the growing popularity of QR codes, but also due to the fact that these codes often are not detected by anti-phishing systems. Additionally, QR can be easily embedded in a photo or PDF document attached to an email.

Be careful what you scan

The Małopolska police reported fraud using QR codes as early as July this year. In this case . Drivers who scanned them were sent to a website where they provided their payment card details.

Last week, police officers from Mława also warned against QRishing.

Beware, hackers use a communication platform popular among video game players. This platform is often used by children – unfortunately, as it turns out, without parental supervision. Hackers send children QR codes for new games or game add-ons. After scanning the code, the subscriber’s account is charged high fees. Yesterday (last Thursday – editor) the Mława police station received two such notifications.

– we read in a message published on social media.

In one case, fraudsters contacted a 10-year-old boy, offering him various types of game add-ons. The boy scanned the QR code he received, “then the subscriber’s account – in this case the parent’s account, was charged with fees charged by the operator in the amount of over PLN 800 for purchased applications and games that never reached the user.”

How not to be deceived?

Advice from cybersecurity experts at Alior Bank that will help you avoid QRishing fraud:

  1. QR codes can be dangerous in various situations, not only when using services available on the Internet.
  2. All QR codes should be approached with caution – just like a “shortened” link contained in an e-mail, in which it is not clear at first glance where we will be redirected, the result of scanning a QR code may be a redirection to a website that only pretends to be an official source of information.
  3. Using a crafted QR code does not always have to result in an immediate loss of money – criminals also value the data provided by the people attacked on fake websites.
  4. Any incentives in the form of receiving a favorable discount on a service or a free gift after scanning a QR code and installing an application or completing a transaction on a fake website should be treated as an indication of an attack attempt.
  5. Default access to the camera should be blocked for external applications – access to the camera should only be granted as a result of conscious action by the user.
  6. You should only turn on the camera when taking photos – an active camera in public places may suggest scanning a QR code.
  7. You should update the software installed on your mobile device – system and installed applications.
  8. You should not make payments on any platform or provide login details on a website accessed via a QR code.
  9. Before using a QR code posted in a public space of apparent trust (e.g. office, bank, restaurant), check that it has not been covered with a glued-on, crafted QR code.
  10. Before you go to the page referring from the QR code, check what domain is displayed in the preview – if it is incorrect or arouses your suspicions, do not open the page.
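
The domain check from point 10, together with the shortened-link caution from point 2, can be automated once a scanner has decoded the QR code to text. The following is an added example, not code from Alior Bank or the article; the function name, the shortener list and the `.example` domains are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative set of link-shortener hosts; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return reasons to distrust a decoded QR payload (empty list = none found)."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return ["joins a Wi-Fi network instead of opening a page"]
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme!r})"]
    findings = []
    if scheme == "http":
        findings.append("unencrypted http link")
    if parts.username is not None:
        # In https://brand.example@other.example the browser opens other.example.
        findings.append("text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return findings + ["link has no host"]
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # a normal host name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalised label (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("shortened link hides the destination")
    expected = expected_domain.lower().rstrip(".")
    # Match the expected domain or a true subdomain; a bare suffix test would
    # wrongly accept hosts such as parking.example.other.example.
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host!r} is not under {expected!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for sample in ("https://pay.parking.example/ticket?id=7",
                   "https://parking.example@other.example/pay",
                   "http://192.0.2.10/pay",
                   "https://bit.ly/abc123"):
        print(sample, "->", inspect_qr_payload(sample, "parking.example") or "ok")
```

An empty result only means none of these checks fired; it does not prove the page is genuine.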

Source: Gazeta
