Fraudsters can use QR codes for various purposes. For example, they can trick a bank client into sending it to them in order to withdraw cash from an ATM. They can also try to replace QR codes in stores, restaurants, and rental services. This was stated by Maxim Semov, Chairman of the Committee for Improving Financial Literacy of the ARB, expert of the NIFI project of the Ministry of Finance of Russia "Myfinance.rf".
He noted that many banks offer a service for withdrawing cash using a QR code. This is very convenient: you don't need a plastic card, and you don't need to touch the buttons and screen of the ATM.
However, social and criminal engineering intervened here as well: fraudsters began calling bank clients and, posing as employees of these banks, reported that a loan had just been issued to the client and a QR code had been generated to withdraw the entire loan amount at an ATM. The valiant security service stopped everything, but the client himself must stop the withdrawal of cash using a QR code. To do this, he needs to urgently go to the bank's application, generate a QR code and send a screenshot of it.
Thus, if people who believed the caller created a QR code and sent its image, the attackers could immediately use the ATM, choosing the option "Cash withdrawal using a QR code". After all, this operation did not require any additional confirmations.
In addition, Semov mentioned other cases in which attackers can use QR codes: replacing a static QR code at a point of sale when it is applied to a sticker and not generated again for each transaction; using QR codes in restaurants to pay tips; using QR codes in advertisements that initiate debiting of funds without confirmation.
There are known cases when fraudsters replaced QR code stickers on rental scooters, bicycles – in general, there are, alas, many prospects for the development of fraudulent schemes in this method.
Earlier www1.ru reported that new laws aimed at protecting citizens from cyber fraud will come into force in Russia on June 1, 2025. These changes will affect the procedure for changing the password on the "Gosuslugi" portal and will restrict the transfer of SIM cards to third parties.
Read more materials on the topic:
Fraudsters have come up with a new way to deceive Russians with foreign accounts
Why do victims call fraudsters themselves? A clever trick of fraudsters revealed
Fraudsters have occupied dating sites: an expert told how to protect yourself from fraudsters
Hackers can crack passwords up to seven characters in seconds