The Quick Response or QR code is essentially an advance on the barcode, offering a square made up of black and white dots which are able to contain more information that the conventional barcode.
The issue concerns anyone selling on the internet, for example on one of the many online second-hand markets. In order to receive payment, sellers commonly provide the buyer with a bank account number. The buyer is than able to transfer money to the account, and the transaction is complete.
However, some fraudsters instead send the seller a QR code, which if activated can – together with the bank account number already provided – open up the seller’s account allowing the buyer access.
“You then run the risk that large sums of money can be taken from your account,” warned Olivier Bogaert of the Federal Computer Crime Unit.
The technique appears to have come to Belgium from the Netherlands. ING in the Netherlands has already warned its customers of a QR code which can link a second user to your account via the ING smartphone app.
“Take your time and be extremely careful whenever you receive a payment request with a QR code,” Bogaert said. “A manual transfer is always safer, as you then avoid coming into a fake payment environment, which can often be difficult to recognise.”
Meanwhile, the blog Malware Bytes offers some tips for anyone presented with a QR code in unusual circumstances:
If you are using QR codes to make a payment, pay close attention to the details shown to you before you confirm the payment. Use QR code payments only in circumstances that you consider normal. Don’t be rushed or talked into paying in a way that you are not completely familiar with. Alert your bank and work with them to change your credentials as soon as you suspect foul play. Treat a QR code like any other link. Don’t follow it if you don’t know where it originated from, or if you don’t fully trust the source.