Surge in QR code, online financial scams sparks concern, say experts


With the festival season round the corner, there has been an increase in online financial fraud cases, including those involving quick response (QR) codes, one-time passwords (OTPs) and debit/credit card transactions, which account for close to 77.5% of cyber-crimes in India, according to a new research paper published on Monday by The Future Crime Research Foundation (FCRF), a non-profit startup incubated at the Indian Institute of Technology (IIT)-Kanpur.

Another report, published on Monday by cybersecurity firm Quick Heal Technologies, revealed that in Q2 2023, researchers at its Seqrite Labs observed a significant uptick in innovative techniques employed by these threat actors across various platforms and applications, referring to similar fraud techniques. The cybersecurity firm found that Kolkata, Mumbai, Pune, Bengaluru and New Delhi were the top Indian cities affected by online threats in the April to June quarter. Among the top 10 cities, Kolkata led the list with 7.08 million threats, followed closely by Mumbai with 7.00 million threats, it said.

QR codes, essentially a kind of bar code that allows transactions to be touchless, have popped up everywhere in recent years, especially since the pandemic. So has a phenomenal increase in incidents of QR code scams, which mostly hijack normally safe QR codes and send you to phishing websites that steal your financial information.

Last month, the Bengaluru police pointed to QR code scams as one of the fraudulent activities related to online financial transactions, with the numbers soaring to over 7,000 online cases reported in the first half of this year. According to data from city police, more than 50,027 cybercrime cases were registered in Bengaluru between 2017 and May 31, 2023, and 41% of them (20,662 cases) were related to QR codes or links or debit/credit card details being used to divert money from the bank accounts of victims.

“In 2022, 9,940 cybercrime cases were reported in the city and of them, around 1,300 were related to QR codes. In the first six months of this year, we’ve already registered more than 7,000 cases and of them, 950 are related to QR code scams,” a senior official said. 

Last week, the Maharashtra Police also issued an advisory for citizens, cautioning them about a QR code scam. This fraud is a type of cybercrime where criminals attempt to steal users' data by making them scan a malicious QR code.

According to a June 2022 study by consulting firm Boston Consulting Group (BCG), QR-code payments are accepted by more than 30 million merchants in India today, a substantial increase from 2.5 million merchants five years ago. With the country’s digital payment market likely to grow more than threefold from $3 trillion at present to $10 trillion by 2026, this mode of payments will continue to grow dramatically.   

Highlighting some of the most recent QR code scams, Len Noe, technical evangelist and white hat hacker at CyberArk, said fraudsters have targeted people by creating fake government websites offering subsidies and jobs. Food joints and parking places have also seen a rise in such scams. Also, cryptocurrency QR code scams are becoming rampant. In recent months, the majority of links returned in Google search pages for Bitcoin QR code generators have been for fake or scammy websites, Noe said.

Sachin Yadav, partner, forensic-financial advisory, Deloitte India, explained that fraudsters often use clickjacking as a tactic to redirect users to scan a QR code to a legitimate-looking fake website. Victims who scan the fake QR codes are directed to malicious websites with bogus screens. After this, similar to any phishing scheme, victims are prompted to provide personally identifiable information, which the fraudsters use for identity theft, he said.

Despite the rise of QR code scams, there are several ways users can minimise the risk of QR code security issues. Vicky Ray, Director of Palo Alto Networks UNIT 42 Cyber Consulting & Threat Intelligence team for Asia Pacific and Japan, believes that the general principle to “think before you click” on suspicious links or emails should apply even in the context of QR codes. “In fact, many secure QR code scanning apps today allow users to preview websites before they visit them. One should never scan a QR code for receiving money, something users are still not aware of and fall prey to these scams,” he said.

User awareness can make a lot of difference and this has to come from the government and private entities that are encouraging the practice of QR codes, commented Ray, adding that “it is important to make sure that users only download apps from trusted sources such as Apple’s App Store or Google Play Store and continuously update all smart devices to the latest security patches.”

Prateek Bhajanka, Field CISO at cybersecurity company SentinelOne, added that it makes sense to “choose a secure scanning app instead of using your phone's camera”. “Also, short URL links should be avoided. The link could be malicious if you can't read the full URL. Most importantly, for device registration that uses QR code, it is recommended to have SMS/Email OTP for verification of users,” he said.

Turning on multi-factor authentication (MFA) will help protect your sensitive accounts, such as banking, email and social media apps. With another authentication layer in place, a cybercriminal cannot access your data with just your login and password, suggested Noe of CyberArk.
