SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
WhatsApp and QR codes the next scam threat - report
Thu, 26th May 2022
FYI, this story is more than a year old

KnowBe4 has warned it expects to see an increase in QR Codes and the WhatsApp chat platform being used for phishing and other scams.

“We've seen a spike in smishing (phishing via SMS) attacks over the last 12 months with scammers really leveraging fake delivery SMSs, in particular, while we struggled through extended lockdowns last year," says Jacqueline Jayne, security awareness advocate APAC at KnowBe4.

"Now we're seeing these attacks move onto the WhatsApp platform, so we're urging everyone to be extra vigilant," she says.

In addition, pandemic lockdowns saw a surge in use of QR codes from checking in to venues to accessing paperless menus. As with most things, once they begin to gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage.

“Recently, we have seen fake QR codes stuck to parking meters enticing unwitting drivers to scan the code, and hand over their payment details believing they were paying for parking, whereas they were actually handing over their payment information to criminals," says Jayne.

“We saw scams in Europe last year (which means they'll be here soon) where the bad guys were using malicious WhatsApp ads, which offer a $250 coupon for a well-known retailer, in exchange for a short survey. The invite looks like it comes from a friend on WhatsApp,” she says.

"A similar strain installs a malware on the phone, which looks like a software update, but steals all the contacts, phone numbers and email addresses - and if they can find any, passwords and banking credentials."

Jayne says users of WhatsApp and similar messaging services are more likely to view messages as trustworthy, since they appear to be coming from an acquaintance.

"Closed-group instant messaging and social media communities don't suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place," she says.

"That means, however, that you're more inclined to trust messages and web links that you do receive, because they generally come from someone you know."

Jayne adds, “You should be suspicious of unsolicited or strange messages from contacts, especially if the messages sound urgent or try to get you to click on a link.

"Never trust messages simply because they come from a friend's account. Just as importantly, if a weird message from a friend's account makes you think they've been hacked, don't message them back via the same service to warn them," she says.

"If you're right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.”

Staying safe 

If you receive a suspicious message on WhatsApp, follow these steps to stay safe:

  • Double check the sender. Just because someone claims to be a family member or friend it doesn't mean they are who they say they are.  
  • Consider the request. Is this a common request or one which the person would actually make of you?  
  • Is it urgent? Criminals will use different tactics to create a sense of urgency, such as claiming they need money for a medical procedure, to bail them out, or to travel safely home.  
  • As a general rule of thumb, if a message or phone call is received that asks you to take urgent action, particularly over the computer to send money or gift cards - do not comply. Nothing bad will come from taking a few minutes to contact a trustworthy person directly and double-checking.  

Fortunately, in relation to QR codes, in order for these scams to be successful, criminals have to physically tamper with or place their own QR code, which comes at a risk to them. Also, none of these will automatically trigger an action on a phone, rather it will display a notification as to what the intended action is. So just like email phishing, always be mindful and vigilant whenever payments, credentials or personal details are involved online.