Insurance scams via QR codes: how to recognise and defend yourself

Threat actors can abuse QR codes to carry out sophisticated scams, as reported by the Italian Postal Police in its recent alert.

As is well known, QR codes are two-dimensional barcodes that can be read with a smartphone or other hand-held device. They are widely used to access information, services, or online payments quickly and conveniently. However, they can also hide scams, as denounced by the Italian Postal Police in its recent alert.

The Postal Police has issued an alert to warn citizens against insurance scams using QR codes. In practice, fake insurance operators contact victims through calls, messages, or sponsorships on social networks, offering policies at advantageous prices. The scammers then send the victim a QR code that is supposed to be associated with the car’s number plate, to be shown at the authorised betting shops to make the payment. But in reality, the QR code does not contain the details of the insurance agency, but those of the fraudster, who then receives the money for the supposed policy by carrying out the scam.

The typical scenario in detail

Clients approach supposed intermediaries posing as insurance agencies via fake websites or misleading advertisements (often at the top of search engine sponsored ads), filling in forms with their license plate and other personal data, only to be contacted later with offers of discounted policies (the scammers try to force the immediate purchase of the policy by placing a limited validity on the offer).

After the first contact via instant messaging channels, further documents are then requested and a quote is provided. Following this, the fake insurer, refusing other methods of payment, alluding to security reasons, provide a payment slip with a QR code containing the payment details and generated through legitimate circuits, distributed throughout the country at authorised points of sale, with the beneficiary’s details in the name of a natural person and not a real insurance agency.

Once the payment has been made, the fraudulent operators can also provide a counterfeit policy before making their traces disappear.

How to defend yourself against these scams

The Postal Police recommends to beware of overly tempting offers and to always check the seriousness and reliability of the interlocutor. In addition, they advise people to be wary of those who propose QR codes as the only method of payment and to check that the recipient of the payment corresponds to a genuine insurance company.

In such circumstances, one must be very careful and wary of making payment and only use official channels of recognised insurance agencies and companies. Online companies do not use generic domains or channels such as WhatsApp or Telegram. Often, scam sites have very similar names to well-known insurance companies with the same logos, images or other distinctive elements.

Finally, it is urged to promptly report any suspicious or fraudulent incidents to the competent authorities.

Although QRishing is nothing new, as is always the case, the perpetrators of threats have no limits to their imagination and always come up with new baits.

In Italy, via the IVASS website (https://www.ivass.it/consumatori/proteggi/index.html), it’s possible to consult the complete lists of Italian and foreign insurance companies and authorised intermediaries and a constantly updated list of fraudulent websites.

Credit:

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, QR codes)

文 » A