iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
COVID-19 check-ins got all of us used to scanning QR codes to enter places like restaurants and bars, and even now, many such places are still taking advantage of QR codes to allow ordering straight from the table. In the space of a year, QR code technology has become widespread and accepted by the general public.
But the newfound trust in the technology has also created a new way for scammers to fleece their victims.
A Singaporean woman recently found this out to her cost after scanning what looked like a QR code that would offer discounts on milk tea at her local bubble tea shop. She scanned the code, downloaded the proffered app and filled out a survey, no doubt thinking of the milky treat in her near future.
However, overnight, the downloaded app — which was, in fact, malware — activated, took over her device, and transferred $20,000 out of her bank account.
And this woman is far from the only victim.
“Besides website pop-up banners, which are most common, pasting bogus QR codes outside F&B establishments is another cunning way to hook victims as consumers may not be able to differentiate between legitimate and malicious QR codes,” Beaver Chua, head of anti-fraud at OCBC Bank, told The Straits Times this week.
Hopeful scammers are also posting similar notes near actual scan-to-pay signs and near traffic lights, hoping to entice even more victims.
The malicious app, when installed, asks users to give it access to the phone’s camera and microphone, as well as to enable the Android Accessibility Service — which is normally used by people with disabilities, and that lets the scammer see and even control the device’s display. The scammer can then harvest login details of the device, and other apps, particularly online banking apps.
By having control of a phone’s camera, scammers can monitor victims and choose the right time to act. By waiting until night, when victims are sleeping, they can act with near impunity.
“This scam is so insidious because scammers take over the victim’s phone,” Chua said.
“And because victims lose control of their internet banking account, they won’t even know when their savings have been completely wiped out.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
