Managed cybersecurity services provider Quann Malaysia (formerly known as e-Cop Malaysia) warns that scammers can use fake “quick response” (QR) codes to steal data and money from users.
QR codes are commonly seen on websites, restaurants, advertisements, rental bikes and retail outlets to enable users to unlock, retrieve information or make payments quickly. QR code usage proliferated when vendors such as WeChatPay and AliPay introduced e-wallets as a form of cashless payment through smartphones.
“There’s a rising number of cases where criminals stuck their own codes over a business’ original one to steal the scanner’s data or access the scanner’s smartphone to tap into their bank account,” said Ivan Wen, general manager, Quann Malaysia.
With QR codes, it is impossible to visually differentiate an original code from a malicious one. Merchants are advised to regularly check to ensure malicious codes are not pasted on their merchandise or posted on their websites.
Recently in Guangdong, China, about RM55m was stolen in a scam involving restaurants where QR codes were fixed and not regularly changed, Wen said. In response, the People’s Bank of China started regulating daily spending limits for QR code payments and requiring all payment institutions to obtain a license before they can legally offer QR code payment facilities to their customers.
Scammers can replace original QR codes on billboards and pamphlets to divert users to malicious websites that invite users to key in their personal information. This stolen information may be used to send phishing emails laden with malware to infect the victim’s computers.
QR codes can also be used to infect smartphones with viruses that allow criminals to steal money from the victim’s mobile wallet or encrypt data and demand a ransom.
Wen cautions users to take precautions:
- Before scanning a QR code, look for signs of tampering on collateral, such as a sticker placed on a printed menu or pamphlet
- Look for pixelated images and logos and spelling mistakes to identify fake collateral
- Use a secure QR scanner that can flag malicious websites and show the actual URL
- Do not key in any personal information after scanning a QR code
- Be wary of scanning a code in public places like transportation depots, bus stops or city centres even if it is on a printed poster.
“The impact of mobile malware could be devastating as the hacker can access your private information as well as your phone’s camera to spy on you. We advise users to be cautious when scanning QR codes. As more mobile payment platforms look to enter the Malaysian market, it is important that users and merchants both exercise the necessary precautions to ensure both parties do not lose money or data to similar scams,” Wen said.
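The precaution about using a scanner that shows the actual URL and flags suspicious sites, and the advice that merchants regularly check their displayed codes, both come down to inspecting the decoded payload before anything is opened. The following Python example is added here for illustration and is not code from Quann or from any scanner product; the function name, the `merchant.example` host and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def inspect_qr_payload(payload, expected_hosts):
    """Return (url_to_display, warnings) for an already-decoded QR payload string."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return text, ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return text, [f"not a web link (scheme {scheme or 'none'!r}); do not open automatically"]
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if scheme != "https":
        warnings.append("link is not HTTPS")
    if parts.username or parts.password:
        # "https://brand@other-host/" goes to other-host, not to brand
        warnings.append("text before '@' is not the site; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host can imitate a familiar name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    # Exact host or a true subdomain only; a look-alike prefix does not match.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        warnings.append("host is not on the merchant's expected list")
    return f"{scheme}://{host}{parts.path}", warnings

# Constructed sample payloads, as a scanner would decode them from printed codes.
EXPECTED = ["merchant.example"]
SAMPLES = [
    "https://pay.merchant.example/table/12",
    "http://merchant.example.pay-login.test/table/12",
    "https://merchant.example@203.0.113.7/pay",
    "https://xn--mrchant-cya.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        shown, flags = inspect_qr_payload(sample, EXPECTED)
        print(shown, "->", flags or ["no warnings"])
```

A merchant can run the same check over the codes photographed at each outlet: any payload that differs from the one originally printed, or that raises a warning, points to a replaced sticker.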