QR codes and chat and messaging platform WhatsApp are increasingly being used for phishing and other scams, warns security awareness training and simulated phishing platform KnowBe4.
“We’ve seen a spike in smishing (phishing via SMS) attacks over the last 12 months with scammers really leveraging fake delivery SMS, in particular, while we struggled through extended lockdowns last year. Now we’re seeing these attacks move onto the WhatsApp platform so we’re urging everyone to be extra vigilant,” comments KnowBe4 security awareness advocate APAC Jacqueline Jayne.
As pandemic lockdowns saw a surge in use of QR codes to check in venues and to access paperless menus, criminals saw an opportunity how to manipulate the situation to their advantage.
“Recently, we have seen fake QR codes stuck to parking metres enticing unwitting drivers to scan the code, and hand over their payment details believing they were paying for parking, whereas they were actually handing over their payment information to criminals,” Jayne says.
“We saw scams in Europe last year (which means they’ll be here soon) where the bad guys were using malicious WhatsApp ads, which offer a $250 coupon for a well-known retailer, in exchange for a short survey. The invite looks like it comes from a friend on WhatsApp,” warns Jayne.
“A similar strain installs a malware on the phone, which looks like a software update, but steals all the contacts, phone numbers and email addresses – and if they can find any, passwords and banking credentials.”
The downside is users are likely to view the messages as trustworthy since they appear to be coming from an acquaintance.
As a result, users are more inclined to trust messages and weblinks they receive because they come from someone they know.
“You should be suspicious of unsolicited or strange messages from contacts, especially if the messages sound urgent or try to get you to click on a link. Never trust messages simply because they come from a friend’s account,” Jayne adds.
“Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.”
If users receive a suspicious message, they should follow these steps to stay safe. KnowBe4 recommends:
1. Double check the sender. Just because someone claims to be a family member or friend it doesn’t mean they are who they say they are.
2. Consider the request. Is this a common request or one which the person would actually make of you?
3. Is it urgent? Criminals will use different tactics to create a sense of urgency, such as claiming they need money for a medical procedure, to bail them out, or to travel safely home.
4. As a general rule of thumb, if a message or phone call is received that asks you to take urgent action, particularly over the computer to send money or gift cards – do not comply. Nothing bad will come from taking a few minutes to contact a trustworthy person directly and double-checking.
Fortunately, in relation to QR codes, in order for these scams to be successful, criminals have to physically tamper with or place their own QR code, which is a risk to them.
Also, none of these will automatically trigger an action on a phone, rather it will display a notification as to what the intended action is. So just like email phishing, always be mindful and vigilant whenever payments, credentials or personal details are involved online, KnowBe4 warns.