Man uses 3rd-party app to scan legit QR code on recycling machine, duped into giving credit card info

Sarah Koh
The Straits Times
May 12, 2023

A man was duped into an online payment of US$39.99 (S$53) on Sunday after he used a third-party app to scan a legitimate QR code while trying to recycle his clothes at a recycling machine.

Lianhe Zaobao reported on Friday that a resident in Ang Mo Kio Avenue 10, who gave his name only as Mr Liu, took his old clothes to the SG Recycle machine near his home on Sunday morning.

He used a third-party app to scan the QR code displayed on the machine with the intention of downloading the SG Recycle app.

Instead, he clicked on an advertisement that took him to a website that prompted him to enter his credit card information.

The 57-year-old said he entered his personal information as he believed the rewards for recycling old clothes would be credited to his card account.

He realised he had been duped only when the website showed that US$39.99 was charged to his credit card for a premium membership. It is not known what the membership is for.

Mr Liu then called his bank to deactivate his credit card and made a police report.

In response to queries from The Straits Times, SG Recycle marketing manager Sim Wei Liang said that the company is aware of this incident and another similar incident in April.

“We checked our website, our app and the physical machine QR codes, and found them to be secure,” he said.

“It is purely a third-party app issue that affects Android users who downloaded apps that contain advertisements. The QR codes on our machines are not compromised and direct users to the correct app download on Google Play or Apple App stores.”

The company operates a network of robotic waste collection machines across Singapore that allow users to recycle paper, textile and electronic waste in exchange for points that can be redeemed for cash rewards.

Mr Sim said that customers do not need to pay any fees to use the SG Recycle app, and that users will need to provide only their phone number when signing up for an account.

The company also reminded users to be cautious of third-party apps that contain advertisements, to use trusted apps such as Google Lens or the iPhone QR scanner, and to report errant apps to Google to help prevent other users from falling for such scams in future.

Mr Steven Scheurmann, Asean regional vice-president of cyber-security company Palo Alto Networks, said that while phone cameras these days are capable of scanning QR codes, scanner apps are still in use and scammers are creating fake scanning apps that install malware on users’ devices when downloaded.

“Once the fake app is downloaded, threat actors can obtain users’ sensitive information and credentials, gain access to their accounts, or potentially move laterally within the network to infect other devices,” he added.

Some telltale signs of a fake QR code scanning app include few or no reviews, a missing or poorly written app description, and requests for extensive permissions such as viewing and controlling the user's screen, said Mr Scheurmann.

An app that requires an update as soon as it is downloaded could indicate malware being installed, he added.

In the event that personal information, such as banking credentials or contact details, has already been entered into suspicious websites, users can take immediate precautions such as changing their passwords and enabling two-factor authentication on their online accounts, added Mr Scheurmann.

On Sunday, ST reported that a woman lost more than $20,000 after she scanned a QR code pasted on the glass door of a bubble tea shop, which promised customers a free cup of milk tea after they complete an online survey.

She was prompted to download a third-party app onto her Android phone, which allowed scammers to take over her device and move the money from her bank account.
