DIGITAL LIFE
Beware of quishing: fake QR codes steal your money
The gesture has become so natural that we don't even think about it anymore. You sit on a restaurant terrace, take your cell phone out of your pocket, open the camera and point it at the small black and white square stuck to the table. In a couple of seconds, the menu appears on your screen. This extreme convenience, however, is being transformed into a silent weapon. The National Republican Guard (GNR) recently issued a warning about a new wave of scams in Portugal that exploits exactly this blind trust: "quishing".
To understand the dimension of this threat, it is useful to go back in time a little. The QR (Quick Response) code is not a new technology. It was invented in 1994 by the Japanese company Denso Wave for a very specific purpose: to track automotive components during the manufacturing process. Unlike traditional barcodes, which store information only in a horizontal line, the QR code saves data in two dimensions (horizontal and vertical). This allows it to contain a substantial amount of information, such as a complete web address.
The pandemic catapulted this technology into our daily lives, replacing physical menus, paper tickets, and payment terminals. The big technical problem is that a QR code is essentially "blind" and passive; it doesn't have any native security layer or encryption to validate the destination it's sending you to.
The term "quishing" comes from the fusion of "QR" and "phishing" (the classic social engineering technique used in fake emails to fish for your data). However, while a fraudulent email often ends up in the spam folder or has obvious spelling errors, a malicious QR code is visually indistinguishable from a legitimate one.
The attack usually begins in a surprisingly analog way. Criminals generate a code that points to a server they control. Then, they print this code on a high-quality sticker and physically stick it over a real code in a public space. Imagine a municipal parking meter. You park your car, see the sign inviting you to pay conveniently with your cell phone, and scan it.
When your camera processes this counterfeit sticker, you are immediately redirected to a webpage that perfectly mimics the parking company's official website. Unsuspecting, you enter your credit card details to pay a two-real fee. In reality, you've just given a scammer direct access to your bank account.
Beyond the fake payments, the danger extends to infecting the device itself. Some of these links are programmed to force the download of malicious software. Once installed, this malware runs invisibly on your smartphone and can intercept passwords, read your messages (including two-factor authentication codes sent by your bank), and monitor your activity. A simple moment of distraction can cost you your digital identity and your savings.
How to protect your phone and your wallet
The success of this scam doesn't depend on complex flaws in your device's operating system, but on each user's behavior. We've been conditioned to associate these squares with speed and usefulness, lowering our defenses. To navigate this scenario without compromising your safety, you should adopt a more skeptical stance.
Before scanning any code in a public space, apply these basic rules:
Physically inspect the surface: Run your finger over the code to check if there is a sticker superimposed on the original material of the poster or machine.
Analyze the link preview: Nowadays, any smartphone camera shows the web address before opening it; read the URL carefully and look for spelling errors or domains that do not match the official brand.
Evaluate the context: If you find an isolated code on a utility pole promising big prizes or free Wi-Fi access, the likelihood of it being a trap is enormous.
Prioritize official apps: For mobility payments, such as scooters or parking meters, directly open the app of the service you already have installed, instead of scanning generic codes posted on the street.
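The link-preview rule above, written as a check a scanner app could run on the decoded address before opening it. This is an added example, not part of the original article; the allowlist, the `.example` and `.test` domains, and the 0.8 similarity threshold are constructed assumptions.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: domains the real service is assumed to use.
OFFICIAL_DOMAINS = ("cityparking.example",)

def check_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "suspicious", ["unparseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the site being visited.
        reasons.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyphs)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    # Trusted means the exact official domain or one of its subdomains.
    trusted = any(host == d or host.endswith("." + d) for d in official)
    if not trusted:
        if any(d + "." in host for d in official):
            reasons.append("official name used as a subdomain of another domain")
        else:
            best = max(official, key=lambda d: SequenceMatcher(None, host, d).ratio())
            # 0.8 is an assumed threshold for "nearly the same spelling".
            if SequenceMatcher(None, host, best).ratio() >= 0.8:
                reasons.append(f"lookalike of {best}")
            else:
                reasons.append("host not on allowlist")
    return ("ok" if not reasons else "suspicious"), reasons

if __name__ == "__main__":
    # Constructed sample addresses, as a QR decoder would return them.
    for sample in ("https://cityparking.example/pay?zone=12",
                   "https://cityparklng.example/pay",
                   "https://cityparking.example@pay-now.test/pay",
                   "https://cityparking.example.pay-now.test/pay"):
        print(sample, check_qr_url(sample))
```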
Technology is designed to make our routine easier, but convenience should never outweigh the protection of your personal data. An extra second of attention is all you need to avoid a huge headache.
by mundophone