In restaurants, hotels and government offices, or when renting a bike... QR codes, those small squares of black and white pixels, are now part of everyday life. Scanned with a phone camera, they give direct access to a website. Their ease of use has earned them a special place in the administrative, commercial and even educational landscape. But they have also become an inexhaustible tool for scammers fishing for bank details or personal data. This is called “quishing”.
QR codes on fines or notices from La Poste can be forged to redirect to a malicious site, but that is not all. The latest episode: in the Loiret department, in mid-December, electric car users had their payment information stolen after scanning a QR code stuck on a charging station. The sticker actually linked to a copy of the provider's site. The unpleasant surprise: the offenders collected the data, took the money… and the cars were never charged.
The risks are the same as those of “phishing”. That practice consists of posing as a third party (bank, telecom operator, company) to get the Internet user to click through to a site that asks for their bank details or for information such as their username and password. According to a study by Kaspersky, a company that markets antivirus products for individuals, 65% of French people continue to be scammed by phishing attacks, and the phenomenon has increased by 61% in Europe this year.
The fake sites often look very similar to the real ones and can therefore easily mislead. “It’s called mirroring. Software makes it possible to reproduce the sites to perfection. If the hacker is bad, the errors in the replica are visible, but if he is good, we cannot tell the difference,” explains Fériel Bouakkaz, teacher-researcher in cybersecurity at EFREI. “Sometimes the site downloads malware directly to the device.”
Yet the process is no more complicated than that of a classic scam. “Anyone can generate a QR code, there is no need for training or specific knowledge. This can be done with a simple website, so it’s the perfect technology for cybercriminals,” underlines the expert.
This method is all the more insidious because we are less wary of a QR code than of a suspicious SMS or email, which are the subject of many awareness campaigns. All the more so since QR code use spread widely after the Covid-19 pandemic and the health pass. “After Covid-19, a relationship of trust was established with the QR code because we got used to seeing it everywhere. It was supposed to protect us against the virus… now it can expose us to computer viruses.”
By email, in the mailbox or by SMS, and now stuck on charging stations or on shop windows... cybercriminals are endlessly inventive when it comes to stealing sensitive data. Extra vigilance is therefore needed, and there are several levels of protection against this type of scam. “First, don’t flash anything and everything in public spaces. It's tempting to scan a QR code that announces a 10% discount at the supermarket in exchange for personal information. In these cases, you have to ask if the offer is real at the store.”
It is also important to check the URL, that is, the web address displayed when the QR code is scanned. Finally, in the event of “phishing” (by a fake Health Insurance, CAF or operator site for example), “you must go to your personal space or contact the service in question directly”.
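The URL check described above can be made mechanical. The Python sketch below is an added example, not part of the original article; the function name, the flag labels and every sample domain are assumptions constructed for illustration, and the expected domain is assumed to be known from a trusted source such as a bill or the official app.

```python
import ipaddress
from urllib.parse import urlsplit


def check_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return red flags for a URL decoded from a QR code (empty list = none found).

    expected_domain is the domain the user already knows belongs to the
    service; how it is obtained is outside this example (assumption).
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    flags = []
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    # "https://real-site@other-host/" shows the real name but connects elsewhere.
    if parts.username or parts.password:
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    # Internationalised labels can imitate a familiar name with lookalike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("non-ascii-or-punycode-host")
    # The host must be the expected domain itself or one of its subdomains;
    # merely containing the expected name somewhere is not enough.
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        flags.append("host-not-under-expected-domain")
    return flags


# Constructed sample payloads; all domains are placeholders.
SAMPLES = [
    "https://pay.charge-operator.example/station/42",
    "https://charge-operator.example.pay-secure.test/station/42",
    "https://charge-operator.example@login.test/",
    "http://192.0.2.10/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "charge-operator.example") or "no red flag")
```

An empty result only means none of these red flags fired; a perfectly mirrored site on an unrelated domain is caught by the last check only when the expected domain is known in advance.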
Here, the scammer does not need to reach out to the victim with an SMS or an e-mail mentioning an “undelivered package” or a “CPF balance which is expiring”. The victim comes, unknowingly, straight to the scammer. And while protection mechanisms already exist to automatically route fraudulent emails and SMS messages to “spam” (junk) folders, there is no equivalent for QR codes. Users are left to their own devices.
And these scams are likely to grow in the run-up to the Paris Olympic Games this summer, when the QR code will be essential: you will need to present one to travel around the Olympic sites. Scammers could try to trap the French and the estimated 15.3 million foreign tourists with offers of free Wi-Fi or participation in competitions.