Quishing: Increase in phishing scams with QR codes

The LKA and the NRW consumer advice center warn of increasing fraud with quishing: phishing with QR codes.


Various forms of phishing with QR codes have become known. The State Office of Criminal Investigation and the North Rhine-Westphalia Consumer Advice Center are now warning that the scam known as "quishing" – a portmanteau of "QR code" and "phishing" – is on the increase.

The NRW consumer advice center shows a photo of a fake Commerzbank letter with a fraudulent QR code, according to which the recipients would have to "renew" the photo TAN procedure. In this particular case, it is suspected that the recipient from Munich did not even have an account with the bank. The lack of a personal address should also indicate to recipients that the letter could not have come from the real bank.

The LKA NRW writes that criminals "use this method to spy on personal data and passwords in particular that are worthy of protection". In the specific cases, victims are asked to disclose their bank details. The perfidious part of the scam: "The victims scan a QR code with their cell phone and follow the link behind it. Depending on the device and browser, it may not be obvious at first glance that the link does not lead to the provider's actual website, but to a fake page. The victims then enter their access data there or initiate a money transfer," explain the law enforcement officers.


Several variants of attempted fraud with QR codes have occurred recently: Earlier this month, the LKA Lower Saxony warned of letters sent by post that pose as coming from banks, for example, and use a QR code to redirect recipients to phishing sites in order to extract usable information from the victims. Shortly before this, fake QR codes were discovered on charging stations for electric cars; they gave false payment addresses for so-called ad hoc charging and thus took victims' money directly. The phishing pages are so cleverly designed that the first entry looks like an unsuccessful attempt, so that victims simply enter the data a second time and then actually charge – the fraud only becomes apparent much later.

Around two weeks ago, it became known that fraudsters were leaving transparent bags containing a Bitcoin paper wallet and a fake deposit slip on sidewalks, currently primarily in the Munich area. Anyone attempting to withdraw the alleged money from the Bitcoin wallet after scanning the QR code and visiting the linked website is supposedly required to pay a transfer fee. Instead of money from the wallet, however, only an error message is then displayed. Another scam has been in use since the end of last year: fraudsters have been attaching fake parking tickets to cars, particularly in Berlin, with a QR code printed on them that leads to an official-looking website where alleged parking offenders are then supposed to pay the fine that is allegedly due.

Before entering data on websites whose addresses are encoded in QR codes, you should first check whether the URL can be correct. A check, for example by calling the supposed source, can in some cases clarify whether a fine can be genuine. However, there are already negative examples here too: A reader recently pointed out such a photo TAN letter to us; when asked on the phone, his bank was unable to say whether it was genuine or fake. The banks obviously still need to make improvements here.
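The URL check recommended above can be automated, for instance in a help desk or mail-room triage script that receives the text decoded from a QR code. The following is an added example, not code from heise online, the LKA or the consumer advice center; the function name, the placeholder domain `bank.example` and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains the genuine sender really uses (placeholder value).
EXPECTED_DOMAINS = {"bank.example"}

def check_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        # "https://bank.example@other.host/" really points at other.host
        return False, "userinfo before host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Internationalised names can imitate a known brand; send to manual review.
        return False, "internationalised host, review manually"
    # Match on label boundaries so "bank.example.renewal.test" does not pass.
    if any(host == d or host.endswith("." + d) for d in expected):
        return True, "host belongs to an expected domain"
    return False, "host is outside the expected domains"

# Constructed sample payloads, using reserved .example/.test/.invalid names only.
SAMPLES = [
    "https://www.bank.example/phototan",
    "https://bank.example@login.invalid/phototan",
    "https://bank.example.renewal.test/phototan",
    "http://www.bank.example/phototan",
    "https://www.xn--bnk-6ma.example/phototan",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_qr_url(url), url)
```

A passing result only means the host belongs to a domain on the expected list; it does not replace confirming an unexpected letter with the supposed sender.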

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.