Beware new scams involving QR codes in France

We look at how to avoid being caught out as more and more fraudsters use this method to trick people

The codes are now commonplace across France, leading scammers to take advantage
Published Modified

People in France are being warned of a new scam involving ‘QR’ codes on restaurant menus and other everyday places, which hackers are using to steal personal data, encourage fake payments or install malicious software onto victims’ phones.

The scam has been dubbed ‘Quishing’, a portmanteau of QR code and phishing, as a similar tactic is employed to classic email scams.

The Prevention and Protection Office of the National Cyber Unit (UNCyber) and the Gendarmerie are running a national awareness campaign about it after a significant increase in the number of fraudsters using the method as QR codes grow in use.

“Criminals use [QR codes] to recover personal data, passwords, install a virus on a person’s phone, or embezzle money,” said Lieutenant Eddy Rouf, head of the UNCyber unit.

How do the scams work?

QR codes are digital links that you scan with the camera of a smartphone that send you to an internet site or prompt you to download something onto your phone.

They are used on restaurant menus, advertisements, or even as a link to a website, often to pay for a service digitally.

They became increasingly popular during Covid as a means to avoid customers touching the same materials.

Now they are commonplace, with both public services and private companies using them.

Scammers stick fake or fraudulent QR codes over legitimate ones in public (on restaurants, adverts, posters, shop windows, etc), taking care to make it look as if it is part of the original advert.

Due to the look of QR codes (a mixture of small black and white squares in a larger square), it is impossible to know where scanning a code will lead aside from using the information of the poster or advertisement next to it.

When people scan these codes, they can be sent to a fake website that mirrors an original – one common scam is to plaster a fake code over the authentic one at electric car charging points, leading to a website to ‘pay’ to charge.

The website is fake with payments being made directly to a fraudsters pocket.

Read more: Warning over QR code scam with electric car charging in France

Other false QR codes, usually stuck over legitimate ones for information services or company advertisements, will prompt you to directly download an app or document onto your phone.

However, instead of downloading the original safe file as advertised, you will install a virus or malware on your phone, which could steal your data.

How can I avoid these scams?

“There are currently more than 800 criminal proceedings underway involving QR codes, most of which are classed as scams," said Mr Rouf.

“There has been a significant increase in these incidents in recent months, because it's very easy to make a QR code, you don't need any technical skills,” he added.

The most important thing to do before scanning a QR code is to check it is legitimate.

If you are scanning a code from a public place (restaurant, shop window, etc) check that a fake code has not been glued on top of the original advert.

Secondly, when the QR code sends you to a website or download link, check the URL website address to make sure it is legitimate.

To replicate an official website URL, scammers will misspell words or add hyphens to website names.

Finally, check if the website itself is legitimate, particularly if it prompts you to pay or download something. Fraudsters are increasingly skilled at copying the look of official websites, but it is still possible to tell if it is fake, using the URL code and page layout.

Read also

Signature fraud over Paris flats costs owner over €1 million

Large-scale Linky meter fraud discovered in France