What is the Reverse QR social engineering attack and how to protect yourself from it

A few days ago, Spanish police identified a new type of scam that has been called the Reverse QR scam: a fraudulent technique with which scammers steal money through a QR code while making their victims believe that they are actually charging a certain amount. The police detained a scammer who had applied this method. It is a type of scam that is carried out “with social engineering techniques” and “intends to steal the personal and bank details of the victims.”

To understand how this deception works, it is worth remembering that a QR code is an optical label that contains information and has a square format, because the modules that represent it are arranged in a square. This code is used, among other things, to access certain places such as a concert hall or a cinema, as a method of WiFi authentication, or to make payments. Because of the amount of information it can contain, the various functions it offers, and its massive adoption in different establishments and services, cybercriminals have found in it the perfect method to carry out their fraudulent attacks. They have used these QR codes for their own benefit in the social engineering technique known as ‘reverse QR’.

In this case, the scammer showed the victim a QR code that allegedly belonged to his bank, although it turned out to be a forged code that, instead of making a payment, requested money. Thus, although the waiter at the establishment thought that the scammer was paying for what had been consumed, the waiter was actually paying for it himself. In addition to obtaining personal data and information from the victim, it has been learned that the ‘reverse QR’ technique also allows the scammer to get hold of the complainant’s bank details.


To avoid these scams, citizens have to take a series of security measures, such as carefully reviewing physical QR codes that may have been manipulated or superimposed on the original codes. It is also important to analyze the URL to which the code directs you and determine whether the link is suspected of being false. There are different applications that offer a preview of the URL content, to find out what it presents before opening it, like Link Preview Generate or URLVoid. In addition, it is advisable to ensure that the website you want to access always complies with protection and safe browsing standards, such as the popular ‘HTTPS’. Finally, other applications can be used to run security checks before opening the QR code on devices with the Android or iOS operating system.
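
The URL review described above can be partly automated once the QR code has been decoded to text. The following is an added example, not code from the original article; the function name, the `expected_hosts` allow-list, and the sample domains and addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def review_qr_payload(payload, expected_hosts=()):
    """Return a list of warnings for text already decoded from a QR code.

    expected_hosts is a hypothetical allow-list of domains the user expects.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("link does not use HTTPS")
    host = (parts.hostname or "").lower()
    if not host:
        return warnings + ["link has no host name"]
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains punycode (possible look-alike letters)")
    if expected_hosts and not any(
        host == h or host.endswith("." + h) for h in expected_hosts
    ):
        warnings.append(f"host {host!r} is not an expected domain")
    return warnings

# Constructed sample payloads (reserved example domains and addresses).
SAMPLES = [
    "https://pay.bank.example/invoice/123",
    "http://bank.example@203.0.113.7/pay",
    "https://xn--bnk-example.test/login",
    "WIFI:S:cafe;T:WPA;P:secret;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review_qr_payload(sample, ("bank.example",)) or "no warnings")
```

An empty list only means none of these specific checks fired; it does not show that the destination is trustworthy.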