Taking Back the ID

Scanning scam (and other frauds)

Date: November 1, 2013

Tech-savvy Katie Winston always looked for the newest apps. Recently, she had been using her smartphone to scan “Quick Response” or QR codes in magazines, on posters and just about everywhere. One day she checked her bank statement and found a strange unaccountable withdrawal and a zero balance in her account. She was another victim of the QR code clickjacking scam.

The case is fictional but the problem isn’t. The ubiquitous QR codes are becoming a gateway for fraud.

QR codes (sometimes also called “Quick Read”), which look like matrix barcodes (see image at left), are composed of digital black modules and square dots arranged in a square grid on a white background. You can use the built-in camera and QR code reader in your cellphone or smartphone to scan and decipher the code.

Denso Wave Inc., a subsidiary of Toyota, invented the QR code system as a scanning device in 1994 to track components during the manufacturing of its automobiles. (See p. 341 of “Handbook of Augmented Reality,” 2011, edited by Borko Furht, Springer.) Businesses throughout the world now use them to identify and track products and direct potential customers to their websites.

According to an article on the Scambusters website (“5 Ways to Avoid a QR Code Scam”) the codes are “popping up everywhere — not just on labels [and on buses, business cards, on flyers and posters] and in magazines but also, for example, on some tourist monuments, providing instant details on the site being visited.”  

A QR code on your business card allows associates to add your contact information to their phones. Businesses also use them to give directions to events and direct consumers to coupon sites.

Magazines and newspapers commonly use QR codes to help control their copy costs while still keeping the readers informed. For example, The Wall Street Journal used three codes in the main section of their September 13 edition: one that read, “Scan this code for continuing coverage of the Syrian crisis” and two to direct readers to “Scan a video ...” to learn more.

QR codes, compared to typical UPC barcodes, have more storage space for URL links, text and geo coordinates. For years, marketers have printed URLs on products to encourage consumers to visit sites. However, would-be customers have to write down the URLs and type them into their browsers on their phones or at home. No need to do that with QR codes.

UGLY SIDE OF QR CODES

Opportunistic fraudsters have developed several variations of QR code clickjacking. They substitute real QR codes with bogus ones. Victims who scan the fake QR codes are directed to malicious websites with realistic bogus screens. Then, as in any phishing scheme, victims are prompted to provide personally identifiable information (PII), which fraudsters then use for identity theft. Or, depending on the type of device victims use, they’re directed to malicious websites, which include malware that may be directly downloaded to the victims’ smartphones. Possible result? Online banking fraud.

SOBER PRECAUTIONS

According to Scambusters’ “5 Ways to Avoid a QR Code Scam,” here’s some advice:

  • Never scan a code box that doesn’t appear to be linked to anything else and has no accompanying text — for example, just stuck on a wall or floor.
  • Be wary of scanning codes in public places, such as transportation depots, bus stops or city centers.
  • Check first to see if a code is on a removable sticker. If so, don’t scan.
  • If you scan a code and find yourself on a web page that asks for PII such as passwords, don’t key in the information. Nothing is that important. You can always investigate the product later.
  • If you encounter a possible bogus QR code attached to a product, advertisement, poster or building, warn the owner of the site. 
  • Use a scanner app that actually checks the website the QR code is directing you to before it takes you there. Smartphones that use the Android operating system are the most vulnerable. Secure reader apps are available. Just do a search for “secure QR reader app.”

According to the qrmedia website article “QR Code scanner protects from malicious QR Codes,” Symantec is offering a new QR code scanner for Android phones, Norton™ Labs Snap. Symantec claims that it “protects you, your mobile device, and your important Stuff from online threats that may come from QR Codes” by warning you of dangerous QR codes and blocking unsafe websites before they load on your device.

The qrmedia site says the application automatically scans QR codes and checks to see if they’re safe; blocks unsafe, fake or phishing sites; and stops online threats before a browser loads. We’ll see. No word yet on possible QR code blockers for iPhones.
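
The kind of check a scanner can run on a decoded QR payload before any browser loads is sketched below. This is an added example, not code from the column, Scambusters, qrmedia or Symantec; the function name, warning codes, shortener list and sample URLs are all constructed assumptions, and real products rely on reputation services rather than these simple heuristics.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative list: shorteners hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

def preflight(payload, expected_hosts=()):
    """Return warning codes for a decoded QR payload; [] means nothing flagged.

    expected_hosts: domains the surrounding poster or label claims to
    belong to (hypothetical parameter, supplied by the person scanning).
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["not-web-url"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-web-url"]          # tel:, sms:, plain text, etc.

    warnings = []
    if parts.scheme == "http":
        warnings.append("plain-http")   # no TLS, page can be altered in transit
    if parts.username or parts.password:
        warnings.append("userinfo")     # "brand.com@other.host" disguises the host
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal")   # raw address instead of a domain name
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode")     # possible look-alike domain
    if host in SHORTENERS:
        warnings.append("shortener")
    if expected_hosts and not any(
        host == e or host.endswith("." + e) for e in expected_hosts
    ):
        warnings.append("host-mismatch")  # code leads somewhere the label does not name
    return warnings

if __name__ == "__main__":
    # Constructed samples: a genuine-looking link and a sticker-swapped one.
    for url in ("https://www.example-bank.com/login",
                "http://203.0.113.7/login",
                "https://example-bank.com@evil.example/"):
        print(url, preflight(url, ("example-bank.com",)))
```

An empty result only means none of these heuristics fired; it is not proof that the destination is safe.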

And now, a few bonus scams!

ONLINE TELECOMMUNICATION SCAM

The Internet Crime Complaint Center (IC3) announced on May 8 that numerous telecommunication customers reported receiving telephone calls, supposedly sent by their carriers, which directed them to a “phishing site to receive a credit, discount, or prize ranging from $300 to $500.”

When a victim visited the fake website, a realistic bogus screen requested “the victims’ log-in credentials and the last four digits of their Social Security numbers.” When the victim entered the PII, he or she was redirected to the actual website of his or her carrier, and the fraudsters made changes to the victim’s account.

The IC3:
  • Urges the public to be cautious of unsolicited telephone calls, emails and text messages, especially those promising some type of compensation for supplying account information. 
  • Recommends that if you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business.
  • Tells victims to immediately notify their telecommunication carriers and file a complaint with the IC3. 

ONLINE PHOTO-SHARING PROGRAMS SCAM

On May 30, the IC3 reported that the FBI has seen an increase in cases of cyber criminals promoting their scams and compromising victims’ computers via online photo-sharing programs.

For example, a fraudster will advertise a vehicle for sale online but doesn’t provide a photo until an interested party requests one. The victim receives a link to a photo gallery or a photo as an attachment. According to the IC3, “the photos can/often contain malicious software that infects the victim’s computer, directing them to fake websites that look nearly identical to the real site where they originally saw the advertisement.

“The cyber criminals run all aspects of these fake websites, including ‘tech support’ or ‘live chat support,’ and any ‘recommended’ escrow services. After the victim agrees to purchase the item and makes the payment, the criminals stop responding to correspondence. The victims never receive any merchandise,” according to the IC3.

Malicious software can lock up a computer and, depending on the type of malware, can steal a victim’s PII and promote online identity theft-related frauds, including the banking variety.

The FBI provides the following tips for consumers to protect themselves from this scam:
  • Be cautious if you lose on an auction site and the seller contacts you later saying the original bidder fell through.
  • Make sure websites are secure and authenticated before you purchase an item online. Use only well-known escrow services.
  • Research to determine a car dealership’s veracity and how long it’s been in business.
  • Be wary if the price for the item you’d like to buy is severely undervalued; if it is, the item is likely fraudulent.
  • Scan files before downloading them to your computer.
  • Update your computer software, including the operating system, with the latest patches.
  • Keep your anti-virus software and firewalls current to help prevent malware infections.

If you’ve fallen victim to any of these scams, file a complaint with:
  • Internet Crime Complaint Center. 
  • Federal Trade Commission.
  • FBI.
  • Local law enforcement agencies.
  • Local media.

MORE HELP FOR THE COMMUNITY

I hope you’ll share this information with your family, friends and clients and include it in your outreach programs. We must step up our efforts to educate the public on how to safeguard their devices to avoid having their sensitive information stolen, which will reduce identity theft.

Phishing schemes are on the rise and cyber criminals are tricking consumers out of their resources with an ongoing onslaught of new activities. An educated community will help curb the damage.

Please contact me if you have any identity theft issues you’d like me to research and possibly include in future columns, or if you have any questions related to this column or any other identity theft questions. I don’t have all the answers, but I’ll do my best. Stay tuned!
