Quishing, or QR phishing, is a scam where people are tricked into scanning malicious QR codes, taking them to fake websites designed to steal sensitive information like passwords or financial data. — Photo: Matthias Balk/dpa
BERLIN: Watch out for quishing, or phishing through dodgy QR codes, the latest scam catching people unawares – costing some thousands of dollars.
The good news is, you can try and avoid the trap.
Quishing describes the scam where fraudsters generate QR codes to redirect users to fake websites that may call on you to enter your login details. Beware as you could lose not only your login data but potentially your account, too, says the Brandenburg Consumer Advice Centre (VZB).
PayPal accounts are at risk, as sellers on second-hand clothing platforms are finding. The scam involves a supposed buyer who sends sellers a QR code allegedly meant to authorise a payment.
But the code redirects the user to a fake PayPal page. The page looks almost identical to the original, but the data entered there goes directly to fraudsters. In one case, a seller logged in, and moments later, several payments adding up to some US$3,000 (RM12,620) were made from their account.
Payment confirmations rarely required
Warning signs that may help you avoid falling into this trap start with the payment method itself.
In general, use the payment methods offered on the platform. Watch out if someone insists on processing a payment outside the platform. Normally, money should be transferred to the account without requiring confirmation. An extra payment confirmation is unusual.
If you are in doubt, choose the payment method yourself. On reputable platforms, the seller determines the payment method, not the buyer, says Erk Schaarschmidt, a lawyer at Germany's VZB.
If you want to add an extra layer of protection to your login details, set up two-factor authentication (2FA). For PayPal, you can activate this both for payments and for logging in, to make sure fraudsters cannot access your account without an additional confirmation, such as a code sent by text message or a 2FA app.
Phishing risk in public spaces too
The QR code scam is potentially also a risk you may encounter in public spaces. You can find fake QR codes on public transport, parking ticket machines or on counterfeit parking tickets, says the VZB.
You can check the link beforehand on most smartphones as devices will often display the link before opening it. If you know the original address, compare it with the scanned one. But in general, to be safe, try not to scan QR codes of unknown origin, say consumer advisors. – dpa
