Barcodes, phishing, and fraud: scams in the age of COVID-19

By Pierluigi - 12/15/2021

The COVID-19 pandemic has been going on for almost two years now. It would be inaccurate to suggest that the pandemic hasn’t upended many of our habits, not to mention our operational practices. Many areas around the world have experienced waves of lockdowns and re-openings. Add to that political controversy, economic uncertainty, and media hysteria. Throw in the sometimes questionable health guidance for good measure. Things haven’t exactly been easy.

As it turns out, scammers haven’t been standing idle either. They haven’t hesitated to harness ongoing fear, uncertainty, and doubt. And just like the most cunning tacticians, cyber scammers never let a crisis go to waste.

While many folks are gearing up (read: yearning?) for an almost-normal holiday season, let’s spotlight two particularly relevant scenarios. Barcodes, phishing, COVID, and fraud. In the cards and on the menu, as it were.

Very à propos for late 2021, wouldn't you say?

 

Fake restaurant menu scam

Many restaurants have ditched traditional physical menus as a result of the pandemic. A number of businesses have opted instead for a sticker system consisting of QR codes placed on restaurant tables. This has proven to be a mostly contact-free and effective workaround. Dine-in guests simply scan the barcodes with their smartphones. Once they scan the code, they can browse the restaurant’s menu online. One thing many people don’t realize is how easily cybercriminals can exploit this latest trend for malicious purposes.

How?

Scammers can simply slap their own malicious, modified barcode over the legitimate one. When an unsuspecting restaurant patron scans the malicious barcode, they are redirected to what they think is the legitimate menu, but is actually a fake website. From this fake website, scammers can attempt to launch any number of malicious phishing operations. These could include attempts to collect data, or to trick restaurant patrons into clicking on further compromising links or performing harmful and insecure actions.

 

So what should you do?

No doubt the situation is tricky. If possible, try to visit the address containing the menu by manually entering it into your web browser. (Ask your server for the address if need be!) At the very least, attempt to scan the barcode with an application that will reveal the full address of the website where the menu is located before you visit the page itself. Stay on your toes and pay close attention to details. In particular, make sure that the address shown is not a spoofed, altered or doctored variation of the establishment’s legitimate website. And if you’re directed to perform any additional action after reaching the site, such as disclosing personal information, avoid doing so and report it to your server or to the restaurant manager immediately.
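The address check described above can also be automated. The following is an added sketch, not part of the original article: it compares the address decoded from a QR code against the host the restaurant says its menu lives on. The host `menu.example-bistro.test`, the function names, and the sample URLs are hypothetical, and the sketch assumes subdomains of the expected host are acceptable.

```python
from urllib.parse import urlsplit

def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(decoded, expected_host):
    """Return reasons to distrust a URL decoded from a QR code ([] = no flags)."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["unparseable-url"]
    expected = expected_host.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:  # text before '@' is login data, not the site name
        findings.append("userinfo-in-url")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-or-punycode-host")
    if host == expected or host.endswith("." + expected):
        return findings  # the restaurant's own host (or a subdomain of it)
    if expected in host:
        findings.append("expected-name-embedded-in-other-domain")
    elif _edit_distance(host, expected) <= 2:
        findings.append("lookalike-host")
    else:
        findings.append("unexpected-host")
    return findings

# Constructed sample values; the expected host is a hypothetical menu site.
EXPECTED = "menu.example-bistro.test"
SAMPLES = [
    "https://menu.example-bistro.test/dinner",
    "https://menu.examp1e-bistro.test/dinner",
    "https://menu.example-bistro.test.evil.test/dinner",
    "https://menu.example-bistro.test@evil.test/dinner",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, EXPECTED) or "no flags")
```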


Fraudulent gift cards

A related scenario this holiday season involves hacked gift cards. This is another scenario where scammers exploit a barcode, often similar in appearance to the legitimate code originally printed on the card. The second barcode is often printed on a sticker intentionally applied over the original barcode printed on the card. Of course, the types of gift cards, barcodes, and activation mechanisms can vary between merchants. In most cases, the underlying scam works in much the same way, regardless of where it’s deployed.

 

How?

Typically, the cybercriminal places the illegitimate barcode or sticker over the legitimate code on the gift card. When the gift card is later activated by a genuine customer at checkout, the cashier typically scans the gift card and adds the funds to the code on the gift card. If the cashier and customer fail to be vigilant, they might not notice that the gift card has a barcode that has been tampered with, or that redirects to another card entirely. This allows the funds to be added to the scammer’s card balance instead. This type of scam has resulted in hundreds of millions of dollars in losses in the last year alone.

 

So what should you do?

One way to minimize the risk of falling prey to this scam is to carefully examine the surface of your gift card before applying funds to it. In particular, make sure that no alternative or secondary stickers have been added to the area where the barcode should be printed. If appropriate, ask the cashier or store representative to confirm that the code itself hasn’t already been activated by another user.