BSP issues alert on new QR code fraud
TAGBILARAN CITY, Bohol (PIA)—Bangko Sentral ng Pilipinas (BSP) has issued an alert for people who may be so technologically overconfident that they overlook the digital payment details when paying via Quick Response (QR) code.
BSP Banking Officer V Dr. Gregorio Baccay III, during a briefing with information officers and bank officials of the Bohol Bankers Association at the Reynas Garden, revealed yet another scammers’ modus involving the use of QR codes.
Baccay said the new modus is called “quishing,” which is short for QR phishing.
Quishing is a scam where scammers use malicious QR codes to trick people into visiting fake websites, downloading harmful content or sending cash, the bank official explained.
Instead of sending a suspicious link, which was an old modus that has already been exposed, scammers simply place a QR code on posters, emails, receipts, or messages.
When an unsuspecting person scans the code, it leads to sites that steal information, such as a fake e-wallet or bank log-in page, or to malware that infects your phone with a virus.
And because the QR code hides the actual URL, discerning the danger is much harder before scanning.
The real danger is when scammers replace a merchant’s generated QR codes with their own, so that when one scans the code, the details that come up are not the merchant’s but those of the scammer’s account.
For the unsuspecting, instead of going to the merchant, the payment then goes to the scammer’s account.
So how does one get protected from quishing?
BSP authorities said to scan QR codes only from trusted and verified sources, and to check whether the QR code looks altered or replaced before proceeding with any transaction.
Also preview the URL before opening, as most phones show it.
Finally, the bank official advised: don’t enter sensitive info on sites opened via QR codes, and always protect your personal information; that is the reason why it is called personal.
Baccay, who presented for the BSP the recent regional economic highlights, also detailed the cyber hygiene practices for consumers, especially those who have slowly transitioned into the digital payments system as the government broadens its digitalization campaign.
Quishing is the most recent modus that scammers use, after smishing has been exposed to the public.
Smishing is a type of scam that uses SMS (text messages) to trick people into giving away personal information, money, or access to accounts, Baccay shared with information officers.
Using text messages, scammers pretending to be from a trusted source, such as a bank, delivery service, government agency, e-wallet or telecom provider, send urgent text messages urging immediate action like replying or clicking on a link where the person’s personal identification number (PIN), one-time password (OTP) or password is asked.
In addition to this, Baccay told the information officers and bankers of a recent BSP circular which now sets aside or discourages the reliance on OTPs as the primary authentication method for digital banking, mainly because OTPs (especially via SMS) are vulnerable to phishing and SIM swap fraud.
BSP Circular No. 1160 (2022) encourages banks and e-money issuers to adopt stronger authentication measures beyond OTPs and asks them to promote multi-factor authentication (MFA) using more secure methods like biometrics (fingerprint, face recognition), device-based authentication and in-app approvals instead of SMS OTP. (PIAbohol)
QUICK AS QR CODING. BSP banking officer Dr Gregorio Baccay shares an alert with Boholano information officers about a new quishing modus where a QR code is also used to direct the flow of money from a supposed payment to a merchant into the personal account of the scammer. (PIAbohol)
