It's in black & white: QR code scams happen, but you can prevent them

Life has become so much more easier with this innocuous looking two-dimensional barcode made up of black squares arranged in a square grid on a white background. You can use it to make payments for purchases in shops, scan a menu in a restaurant, link a social profile to an account, board a flight, download an app, access Wi-Fi or authenticate login details.

QR codes are now ubiquitous in our lives, especially after the pandemic. Today, you can see them on tables in eateries enabling you to check the menu, instead of endlessly waiting for a harried waiter. But, anything that is so simple obviously has a flip side to it (the big bad wolf usually comes in sheep’s clothing kind of thing).

Cybercriminals have managed to manipulate technology to use the QR code to dupe people and cheat them of their money. In India, QR code scams have happened through OLX, Just Dial and various websites, and people need to wisen up and understand, in black and white terms, how QR frauds unfold.

What is a QR code?

To start with, we need to understand what is a QR, or Quick Response, code. It is a type of barcode, or scannable pattern, that contain various forms of data, like website links, account information, phone numbers, or even coupons.

It is generally used to get you to a website quickly without having to type in a URL. In short, it is defined as a machine-readable code consisting of an array of black and white squares, typically used for storing URLs or other information for reading by the camera on a smartphone.

It was invented in 1994 by Masahiro Hara, chief engineer of Denso Wave, a subsidiary of Toyota, to initially track vehicles and parts as they moved through the manufacturing process.

Also read: Indian Railways to start QR code-enabled contactless ticketing system

What can the QR code do?

QR codes can store about 7,000 digits, or around 4,000 characters, including punctuation and special characters. It can also encode information like phone numbers or internet addresses. The arrangement of each QR code varies depending on the information it contains, and that changes the arrangement of its black modules.

Can a QR code be hacked?

The software used to generate QR codes does not collect personal information from users. However, the location and time of a scan, the number of times a code is scanned, and the device’s operating system that performed the scan are all available to the code’s creators.

A QR code can’t be hacked, but a hacker can generate a malicious QR code that sends you to a fake website, from where they will be able to steal your personal data and track your location. It may be wise to always try to verify where your QR code originated from.

How are QR codes used to cheat people of money?

Just as it is dangerous to click links in emails, visiting URLs stored in QR codes can also be risky in several ways. The QR code’s URL can take you to a malicious website that tricks another website you are logged into on the same device to take an unauthorised action. Or, if you’re using a QR code to make a payment or sign up for a service and you’re in a rush, it’s easy to forget to check the URL for the site you’re viewing. And that’s how cybercriminals get their victims.

Avoid entering your data in any web portal you access via a QR code; instead, go straight to the company’s website that you need by typing in the URL.

In India, most common QR frauds have involved OLX, Facebook marketplace, JustDial, etc. In this case, a victim lists a product (old furniture, refrigerator, air conditioner etc) for sale and a fraudster posing as buyer contacts the owner over phone and offers to pay in advance. The so-called buyer would send a QR code to the seller to click on to receive the money; instead the money gets deducted from the victim’s account.

Fraudsters have also targetted people by creating fake government websites offering financial assistance, subsidies and government jobs. They even place fake public QR codes (at malls, kiosks) in order to facilitate the transaction or flow of easy money into their accounts. While some victims are fortunate enough to receive compensation for their losses, not all banks are as generous in fully compensating victims.

The request feature on UPI is also misused by sending fake payment requests with messages like ‘Enter your UPI PIN to receive money,’ ‘Payment successful receive Rs. xxx” etc. You need to enter PIN only for sending money. But the thumb rule is not to ‘Pay’ or enter your UPI pin to receive money.

Also read: Mobile apps, QR codes to aid voters as Delhi polls go hi-tech

What should consumers do to be careful?

It is critical that when you open a link in a QR code, you ensure that the URL is safe and comes from a trusted source. Just because the QR code has a logo you recognise does not mean you should click on the URL it contains.

Secondly, you need to know that you don’t receive money when you scan a QR code. All you get is a message that your bank account is debited for an ‘X’ amount. Do not scan QR codes shared by anyone unless the objective is to pay.

Avoid entering your data in any web portal you access via a QR code. Instead, if you’ve got to make a payment or make an appointment for yourself, use the appropriate company or office’s website by typing in the URL on your own.

Moreover, it’s important to recognise a QR code, but it’s also a good idea to avoid scanning any unknown QR codes and instead treat them like a shady link that you’d rather not click to prevent being scammed.

If you notice any strange activity, contact your bank immediately and change your password. QR codes frequently include truncated URLs, making it harder to track down the original site. In this instance, you can use an authentic QR scanner (read the app store reviews and ratings before installing it) to display the URL before allowing redirection to the link.

Do not scan QR codes sent by email to purchase a ticket or claiming to be from an ecommerce site. You can install and update security software that blocks harmful websites across all of your devices as well.