June 16, 2025

Cashless Future Meets A New Threat – Quishing

In the digital age, QR codes have become a widely used tool for quick payments, ticketing, and information sharing. This trend has also enabled the emergence of “quishing,” a scam that is growing quickly and poses serious risks.

The revolution of QR codes in Vietnam

According to Dan Viet (1), Vietnam’s fintech market is booming, led by big players like Momo, Viettel Pay, VN Pay, Zalo Pay, and other online banking platforms, dominating the mobile payment ecosystem. In 2023, cashless transactions reached $9.89 trillion VND, which is 23 times the nation’s $430 billion VND in GDP, with QR code payments jumping more than 170%. 

In early 2024, there was a significant increase in cashless transactions, especially via QR codes. They replaced cash payments in many situations, thanks to their cost-effectiveness and ease of use for all ages. Cross-border QR transactions between Vietnam and other countries in the region are also available: QR payment is now allowed in Singapore via Zalo Pay (2). QR codes are now a top choice for payment and sharing information.

Unfortunately, where there is profit, criminals follow. They are now deploying a new tactic: “quishing.”

What is “quishing”?

“Quishing”—a combination of “QR code” and “phishing”—is a form of scam that uses malicious QR codes to trick victims into accessing fake websites, installing malware, or conducting unwanted transactions (3).  

Scammers skilfully exploit the trust many people place in QR codes, which are now common and perceived as safe tools for fast payments. When scanned, a malicious QR code can redirect victims to malicious websites, steal sensitive details, or gain access to private devices. These malicious websites often look legitimate and may replicate the exact information found on a business’s real website, which is why they can deceive unsuspecting victims.

Common “quishing” tactics

Understanding these tricks can help individuals avoid becoming victims of this emerging type of scam. 

Fake QR codes in stores/ public places

Attackers place their own QR codes, or replace legitimate payment QR codes, in restaurants, bus stations, and similar locations, stealing money when users scan and pay without hesitation.

This not only reduces the revenue of the business owners but also traps users, whose bank accounts come under attack.

Deceptive QR codes in emails and messages

Scammers impersonate well-known companies or power supply companies and send QR codes with invoices via SMS, email, etc., telling customers that they have a payment due or an important announcement.

When customers scan the QR code, they will be redirected to phishing sites or requests for money transfers. 

QR codes on fake products and documents

Scammers print and place malicious QR codes on product packages, virtual lottery tickets, or fraudulent documents to lure victims with false claims of prizes or offers, leading them to dangerous sites or stealing their personal information.

Man-in-the-middle attacks via QR codes

Attackers intercept the QR code scanning process, redirecting users to a data collection page before they reach the authentic website.  

Last year, a Hanoi court was prosecuting young defendants for fraud and money laundering related to a Cambodian-based crime ring. The group, Jinbian, launders illegal funds from online scams through payment systems like “777pay”. Victims lost over 19 billion VND, believing they could recover their money. The case reveals a sophisticated international network involved in large-scale illegal money laundering (4). 
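As an added illustration (not from the original article), these are checks a scanner app or mail gateway could run on the text decoded from a QR code before opening it, aimed at the look-alike and redirect tactics described above. The expected-host list and the sample links in the comments are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the hosts this business really prints on its own QR codes (constructed values).
EXPECTED_HOSTS = {"pay.example-bank.vn", "example-bank.vn"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of an expected host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_payload(payload):
    """Return reasons to distrust text decoded from a QR code (empty list = none found)."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:  # e.g. https://real-name@other-host/
        reasons.append("text before '@' disguises the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if host not in EXPECTED_HOSTS:
        reasons.append("host not on the expected list")
        if any(g + "." in host for g in EXPECTED_HOSTS):
            reasons.append("expected name embedded in another domain")
        near = [g for g in sorted(EXPECTED_HOSTS) if edit_distance(host, g) <= 2]
        reasons += [f"look-alike of {g}" for g in near]
    return reasons

if __name__ == "__main__":
    # Constructed sample: one swapped character in the expected host.
    print(triage_qr_payload("https://pay.examp1e-bank.vn/invoice/123"))
```
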

Potential consequences of quishing for businesses

The impacts of quishing extend beyond individual fraud, posing significant threats to businesses: 

Data breaches:

– Sensitive information exposure: Fake QR codes that redirect to fake login pages can lead to personal, financial, or corporate data leaks.

– Loss of confidentiality: When business strategies, client information, or internal communications are exposed, it damages trust and violates data protection regulations. 

Financial loss:

– Direct theft: Attackers can trick employees or customers into transferring money or sharing banking details. 

– Fraudulent transactions: Unauthorised transactions or transfers using stolen credentials. 

– Sector-specific scams: For example, in hospitality, spoofed payment links or manipulated orders can cause financial damage. 

Reputational damage:

– Customer trust erosion: Data breaches or scam incidents can severely damage customer confidence, making customers hesitant to make purchases or engage with brands.

– Brand damage: No partner wants to work with a company that cannot secure its data. Negative word-of-mouth resulting from security failures may harm the company’s reputation, affecting future business.

Operational disruption:

– Business interruptions: Dealing with security breaches or phishing incidents can disrupt normal operations. Businesses must spend time responding to the incident, investigating it, and resolving the issues. Additionally, a quishing attack on key vendors or partners can affect the entire supply chain and cause wider disruptions with hard-to-predict impacts.

Protect your business from quishing

Conclusion

More individuals and companies are turning to QR codes for their ease of use. However, this modern convenience also comes with threats, and organisations must address risks like “quishing”. To combat this, businesses need to invest in active training for employees on security policies, strengthen IT defences, and promote safe QR code usage.

References:

  1. https://danviet.vn/cuoc-cach-mang-thanh-toan-qr-code-cua-viet-nam-va-su-song-con-cua-vi-dien-tu-20240717143229521-d1173591.html
  2. https://zalopay.vn/zalopay-ra-mat-tinh-nang-quet-qr-quoc-te-tai-singapore-6773
  3. https://www.cyber.gov.au/threats/types-threats/quishing
  4. https://danviet.vn/tao-nhiem-vu-nhap-lieu-ke-toan-nhom-lua-dao-chiem-doat-hon-19-ty-dong-roi-rua-tien-qua-vi-dien-tu-20240421093606193-d1157315.html
