A new fraud scheme leveraging QR codes has been circulating, and the Central Bank of Russia has publicly highlighted the details on its official website.
The central bank warns that scammers can withdraw funds from victims’ accounts even without exposing card numbers or PINs. Some banks now offer a withdrawal service that uses a QR code. In this setup, a customer can generate a code within a mobile banking app for a specific amount, then present it at an ATM to obtain cash. Criminals quickly began exploiting this capability.
In many cases, fraudsters pose as bank staff over the phone, telling customers that there is an attempt to withdraw money without permission. They then request that the customer send a QR code to supposedly cancel the transaction.
The rationale used by the criminals is that victims may not grasp the technical details of QR codes and interpret the code as simply a decorative image. Once the attacker receives the code, withdrawals can be completed from an ATM without requiring a PIN.
The central bank explains that in reality the QR code acts as an instruction for the bank to process a cash withdrawal without a PIN. Customers are reminded that bank employees would never request QR codes from clients, and QR codes should not be shared with strangers or saved on phones or as printouts.
On February 16, Elvira Nabiullina, head of the Central Bank of Russia, stated that Russian credit institutions bear responsibility to customers for money returned after fraud. Earlier in January, President Vladimir Putin directed the Cabinet and the central bank to explore mechanisms to compensate for funds stolen by fraudsters.
Nabiullina expressed support for the president’s initiative, noting that banks must be accountable to their customers. She also emphasized that even with advanced security measures, a person’s financial literacy is not always enough to shield them from manipulative tricks.
Back in November, the central bank warned Russians about scammers who pretend to be central bank employees. The organizers were noted to avoid calls, text messages, and the sharing of ID photos. A photo circulating with a fake senior central banker identity resembled a driver’s license, illustrating the deceptive tactics used. Real central bank employees do not send photo IDs.
The regulator pointed out that attackers use a variety of myths to pressure citizens, convincing them that urgent action is needed to protect funds, such as transferring money to a supposedly secure account. In short, the scammers rely on a mix of misinformation and social engineering to exploit gaps in digital literacy and trust in financial institutions. Source: Central Bank of Russia.