Let’s revisit the adage that says that in life there are two certainties, death and taxes, by adding a third element: computer scams. Because even the Olympic Games that open next week in Paris are suffering from this, via what is called quishing, or QR code phishing.
Let’s call it the risks of living in the digital age… and the all-mobile age. Because the organizers of the Olympic Games (OG) thought they were getting a good deal by posting stickers all over the City of Lights with one of those famous black and white square codes that you just have to scan with your phone’s camera to go directly to the desired website or mobile application.
Olympic-caliber phishing
In the context of the Olympics, it was seen as an easy way to direct the public to online ticketing, to the Olympic site map or to the connection code for the nearest Wi-Fi network. In this age where everyone carries a smartphone in their pocket, but foreign tourists do not necessarily have a mobile data plan accessible while roaming, it seems quite natural, indeed.
Well, here it is. These square codes, called QR codes, have recently been hit by a wave of fraud attempts. People with obvious bad intentions produce fake QR codes, using the same colors and typography as the QR codes they want to imitate, and program them so that they send their potential victims to fake transactional sites.
You can guess what happens next, since from there on it’s pure phishing: the site in question asks its visitors to provide their personal information, including their credit card information, which it then quickly passes on to its operators.
In France, cyber defense organizations have observed a significant increase in cases of QR code fraud – unsurprisingly, the French call it quishing, but the correct Quebec word has yet to be invented – in recent months, on the eve of the Olympic Games.
A few days ago, at least one video went viral on social media showing how fake QR codes were pasted over legitimate QR codes on Olympic posters that are scattered all over Paris. It is visually impossible to distinguish a fake QR code from a real one, since the human eye is unable to decipher its meaning. It is only once you arrive at your destination, on the website where the code in question leads, that you can see the deception.
In Paris, at least 800 cases of QR code scams have been reported in recent days, proving that the phenomenon is not as marginal as it may seem.
Real digital
The expression quishing comes from the contraction, in English, of QR code phishing. The phenomenon is emerging as QR codes become an increasingly popular and common technology.
It took a long time for this technology to take off. However, it very effectively bridges the gap between the real world and the digital world.
The QR code was invented in the 1990s, around the same time that engineers at Ericsson in Sweden created a wireless protocol they dubbed Bluetooth, after Scandinavian king Harald Gormsson.
The QR code came out of a subsidiary of the Japanese car manufacturer Toyota. Already in the mid-1990s, the QR code was promised a bright future, without anyone knowing exactly how it would end up being adopted. In factories, it has been used for about thirty years by tons of companies to speed up the sorting of their parts or to speed up assembly lines.
It took the pandemic for the QR code to become part of the general public’s daily lives: this small monochrome square is now scanned to read the menus of bars and restaurants all over the world. We take our seats on a plane, in a concert hall, or elsewhere by presenting our mobile screen to an attendant who simply has to scan it.
Creating a QR code is disarmingly simple. It’s free, too. And for crooks who don’t bother with moral or ethical considerations, it’s an extremely tempting new avenue to try to scam the public.
Especially since the means to protect yourself from this new form of phishing are quite limited: basically, avoid scanning a QR code whose origin you don’t know. Easier said than done. In the middle of Paris, the posters containing these misleading signs seem to come from the organizers of the Olympic Games.
One way to avoid falling into this trap is to make sure that the web address that a code you scan directs you to is valid.
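One way to automate the check just described, as an added example that is not part of the original article: it tests the text decoded from a QR code against a list of expected hosts. The host names in `TRUSTED_HOSTS` are placeholders chosen for illustration, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts the reader expects to land on; placeholders, not real sites.
TRUSTED_HOSTS = {"tickets.example.org", "wifi.example.org"}


def check_qr_url(payload, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://trusted-name@other-host/" really goes to other-host.
    if parts.username is not None or parts.password is not None:
        return False, "URL embeds credentials before '@'"
    if port not in (None, 443):
        return False, "unexpected port"
    # Non-ASCII or punycode labels can render like a trusted name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host, possible lookalike"
    # Exact match only: a trusted name used as a prefix of another domain fails.
    if host not in trusted:
        return False, "host not on the trusted list"
    return True, "host matches trusted list"


# Constructed sample payloads, as a scanner app would hand them over.
SAMPLES = [
    "https://tickets.example.org/map",
    "http://tickets.example.org/map",
    "https://tickets.example.org@pay.example.net/login",
    "https://tickets.example.org.pay.example.net/login",
    "https://xn--tckets-xva.example.org/",
    "WIFI:S:guest;T:WPA;P:constructed;;",
]


def review(samples=SAMPLES):
    """Map each payload to its (ok, reason) verdict."""
    return {s: check_qr_url(s) for s in samples}


if __name__ == "__main__":
    for url, (ok, reason) in review().items():
        print("ALLOW" if ok else "BLOCK", url, "->", reason)
```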
The best way to avoid QR code scams is… to avoid QR codes.
But in this game, you should avoid the entire Internet. Oh, and turn off your phone’s Bluetooth antenna, too. Fraudsters know how to exploit this wireless protocol to get into your phone without your knowledge.
Otherwise, we wish you a great summer vacation!