PUTRAJAYA: Quann Malaysia today issued a warning that scammers have started using fake ‘quick response’ (QR) codes to steal data and money from users.
Its general manager Ivan Wen said there is a rising number of cases where criminals have been sticking their own codes over a business’ original one to steal the scanner’s data, or access the scanner’s smartphone to tap into their bank account.
"The problem with QR codes is that it is impossible to visually differentiate an original code from a malicious code.
"It is important that merchants regularly check to ensure malicious codes are not pasted on their merchandise or posted on their websites," he said in a statement on Thursday.
Quann’s warning comes on the back of an expected spike in the proliferation of QR Code usage as vendors such as WeChatPay and Alipay introduce eWallets (involving the use of mobile phones for QR code scanning) into Malaysia’s online payment ecosystem to drive retail consumerism.
Wen shared that about RM55 million was stolen in China’s Guangdong province – where QR codes are a mobile payment norm.
The scam is apparently most widespread at restaurants, where QR codes are fixed and not regularly changed.
In response to the growing problem, the People’s Bank of China has begun regulating QR code daily spending limits, as well as requiring that all payment institutions obtain a license before they can legally offer QR code payment facilities to their customers.
The black-and-white squares are often seen on websites, restaurants, advertisements, rental bikes and retail outlets – to enable users to quickly scan to unlock, or retrieve information related to a business.
Scammers can replace the original QR codes on billboards and pamphlets to divert users to malicious websites where users key in their personal information.
The personal information is later used to send phishing emails laden with malware which could infect the victim’s computer systems.
QR codes can also be used to infect smartphones with viruses allowing criminals to steal money from the victim’s mobile wallet, or ransomware where data is encrypted for a ransom.
Quan Malaysia, formerly known as e-Cop Malaysia, is a leading regional managed cyber security services provider.
On what can Malaysians do to avoid becoming victims to such a scam, Quan Malaysia listed several precautionary steps:
• Before scanning a QR code, observe the collateral for any signs of tampering such as a sticker placed on a printed menu or pamphlet;
• Look out for pixelated images and logos, as well as spelling mistakes to identify fake collaterals;
• Use a secure QR code scanner that can flag malicious websites and show the actual URL before scanning the code;
• Do not key in any personal information after scanning a QR code;
• Be wary about scanning a code in public places, like transportation depots, bus stops or city centres, even if it’s on a printed poster
“The impact of mobile malware could be devastating, as the hacker can access your private information as well as your phone’s camera to spy on you.
"We advise users to be cautious when scanning QR codes. As more mobile payment platforms look to enter the Malaysian market, it is important that users and merchants exercise the necessary precautions to ensure both parties do not lose money or data to similar scams,” Wen added.