After scams where targets are coaxed to give OTPs and passwords, fraudsters have now hit upon a new scam: using QR codes.
The fraudster engages the target as a buyer or a seller and shares a QR code to pay an advance to formalise the deal. The QR code is pre-loaded with a large amount of money. The fraudster then asks the target to use the 'Scan QR code' option on the app, after which he or she is directed to proceed with the payment. After clicking on 'proceed,' the target is asked to enter the UPI PIN and a large amount of money is deducted.
The target usually does not notice the address of the link. Besides, the scan takes the user to the 'Proceed' option directly. Some platforms like OLX urge the user never to scan any QR code or enter their UPI PIN to receive payments from other users.
Fraudsters have developed several variations of QR code clickjacking. They substitute real QR codes with bogus ones. Victims who scan the fake QR codes are directed to malicious websites with bogus screens. After this, similar to any phishing scheme, victims are prompted to provide personally identifiable information, which the fraudsters use for identity theft.
"With improving technology, the chances of theft have increased. In January alone, in 15 days, there were nearly eight cases at the Cyber Crime Police Station," said ACP S. Harinath of the Rachakonda police in Hyderabad. "When you are scanning a QR code, check whether it is showing 'send' or 'receive', instead of just clicking to 'proceed'," the official said.
Cyber crime expert Nallamothu Sreedhar said, "Since the fraudster uses a phishing page, one must never scan a code box that doesn't appear to be linked to anything else and beware of scanning codes in public places, such as transportation depots, bus stops or city centres."
He advised using a scanner app that checks the website the QR code points to. Android phones are the most vulnerable, he said. "If the code of the scanner is on a removable sticker, do not scan," he said.