Tatarstan residents risk becoming victims of quishing when paying for housing and utility services

“If a QR code leads to a website, it's a fake invoice”

“I've only read about this type of fraud in the media and social networks,” Igor Khasanov, a resident of a block of flats on Ibragimov Street, told Realnoe Vremya. “But in our building, over the past year, ads have repeatedly appeared allegedly from the management company, gas workers, power engineers, and similar services, offering to pay “debts using a QR code.” My neighbours and I checked these ads every time, and every time it turned out that the QR code leads to a phishing site. Now we immediately tear down such ads, and in the house chat we warn our neighbours not to fall for the tricks of scammers.”

Khasanov added that after reports of fraud with QR codes in fake invoices, an ad about this danger was posted in the house chat.

In addition, a resident of the house told about a small experiment that he conducted himself: he scanned the QR code on his invoice — not a fake one, but a real one. It turned out that it is impossible to go to any website using this code — it is intended for the cash register reader and contains only information about the payment and its purpose.

“So it really makes sense to scan the QR code, and the best way to check the authenticity of an invoice is the inability to independently make a payment using it,” he concluded. “If the QR code leads to a website, it is a fake invoice.

You can pay the bill, but you cannot go to the website

“The receipts of Tatenergosbyt contain a QR code, when scanned, the mandatory details required for making a payment are displayed on the smartphone screen,” the company told Realnoe Vremya. “Namely: the recipient of the payment is Tatenergosbyt, the current account number of Tatenergosbyt, the recipient's bank: “Ak Bars Bank, the correspondent account number, etc.”

That is, the QR code on the real receipt does not lead to any websites, and the transfer of funds with its help occurs traditionally — for example, after confirming the transaction in the mobile banking application.

Tatenergosbyt emphasised that when scanning the QR code in a fake receipt, a link will be displayed without specifying the required details. And they recommended that in order to avoid fraud, carefully check the data before making a payment, do not click on suspicious links, and pay bills online:

“Don't let yourself be fooled”

“The police have not yet received any reports of fraud with QR codes in invoices,” the Ministry of Internal Affairs of the Republic of Tatarstan told Realnoe Vremya. “However, we often receive calls asking for help installing the new Tatenergosbyt application.”

The police also said that fraudulent ads offering to join home chats using fake QR codes are currently being distributed in a number of regions:

“This specific form of phishing, in which fraudsters use QR codes to deceive citizens and steal their confidential data, is called quishing. Any information can be integrated into a QR code, for example, a link to a fraudulent site or to download malware. In addition to emails and announcements on the entrances, there were cases of distribution of fake receipts and even stickers on electric scooters.”

At the beginning of 2024, the Russian Ministry of Internal Affairs reported that residents of the country lost 168 billion rubles due to cybercrimes in just 11 months of 2024, with IT crimes committed 14.3% more than in the same period of 2023. And the total damage from cybercrimes in Tatarstan, according to the Ministry of Internal Affairs of the Republic of Tatarstan, exceeded 5.7 billion rubles. The department did not name the amounts that were stolen from citizens in 2024 using quishing.