Fraudsters have started exploiting a new loophole that lets them steal money from Russian bank accounts without touching a card. The Bank of Russia officially confirmed this scam, which hinges on a deceptively simple QR code trick rather than any card data.
The technique relies on a QR code withdrawal service offered by some banks. In practice, a customer uses the bank’s mobile app to generate a code for the cash amount they want. That code is then taken to an ATM, where the money is dispensed through the bank’s interface, bypassing a traditional PIN entry.
In many cases, the fraud begins with a caller posing as a bank representative. The scammer convinces the victim that a withdrawal looks suspicious and urges them to share a screenshot of the QR code to cancel the transaction. Trusting the caller, the target sends a code that enables the attacker to withdraw funds from the nearest ATM.
Banking officials warn that the QR code in this scheme functions as an instruction to the bank system to disburse cash without requiring a PIN. The key safety message is to never share a QR code with strangers, avoid storing the image on phones or in physical printouts, and remember that genuine bank staff will not request QR codes from customers.
Public advisories emphasize a broader pattern of awareness, including prior warnings about data theft and social engineering. The evolving nature of these scams underscores the importance of vigilant banking practices, especially for customers who rely on mobile banking features and QR-based transactions.