You have to look very closely to see that something is wrong here: At the moment, some people in Germany are receiving letters that appear to be from Commerzbank, in which the recipient is asked to update their photoTan process. “This measure ensures that only you personally and with authorization can carry out transfers and other banking transactions,” it says. To update the process, the recipient is asked to scan an attached QR code.
If you look closely at the letter, you will find a few things that make you suspicious. For example, the letter is addressed to the “Dear Account Holder” and not personally.
The signatures of Arno Walter and Aydin Sahin could also raise eyebrows – at least if you are interested in the personnel carousel in the financial sector. Arno Walter, former head of the Commerzbank subsidiary Comdirect, left the company last year. Aydin Sahin has also long since found another employer.
New trick also found in road traffic
However, anyone who does not recognize these errors and scans the QR code ends up on a site operated by the criminals. All data entered by the unsuspecting user can be intercepted by the criminals. In some cases, scanning even initiates a money transfer, warns the North Rhine-Westphalia State Office of Criminal Investigation.
“Quishing” is the name of the new method that is currently making the rounds. Not only via bank letters – the perpetrators also apparently see an opportunity to use the new scam to obtain data and money on the road. For example, the automobile club ADAC reports that criminals are sticking over the QR code stickers on electric charging stations and luring customers to replicated websites of the provider, where they are then asked to enter their account details.
Which insurance provides coverage?
But can people protect themselves against this new form of fraud? Private cyber insurance would be relevant here – after all, this also covers “phishing”, i.e. obtaining sensitive data via fake emails, websites or text messages.
But the situation is more complex: For example, Inter’s “CyberGuard” policy does not cover “quishing” – at least not at present. “Our CyberGuard covers such damage caused by phishing, pharming and skimming. However, quishing is not insured because it is different from phishing,” a company spokeswoman said.
Cyber insurance is not all-risk insurance, explains broker Astra Hübner to procontra. The insured risk must therefore be clearly stated in the insurance terms and conditions.
This is unlikely to be possible with new scams. Inter also states: “Quishing was not yet known as a scam in our last product update, which is why it was not taken into account.”
Quishing = Phishing?
It is therefore quite possible that “Quishing” will be included in the insurance coverage in the next product update. Other providers are also currently signaling that they want to include quishing cases in their insurance coverage in the future.
However, there are also cyber insurance policies that already offer protection. Provinzial, for example, sees “quishing” as a sub-form of phishing. Anyone who has taken out Provinzial’s “Internet Protection” or has corresponding modules in their home contents insurance can already claim protection from their insurer today.
But it gets even more complex. It also depends on the exact nature of the damage, explains a VGH spokesperson. If, for example, a customer falls for the letter mentioned above, gives out their account details and loses money to the fraudsters, this is identity theft – this is covered by VGH’s private cyber insurance. This does not limit the insurance to certain attack scenarios, such as phishing or skimming, according to the spokesperson.
The situation is different, however, if a policyholder falls for a fake ticket that asks them to pay the fine immediately via QR code. If the policyholder then transfers the supposed fine to the fraudsters, the money is lost. “Since the customer transfers funds independently in this case, there is no identity theft and therefore no insurance cover in the private cyber insurance,” says the VGH.
In general, it is worth taking a closer look at the topic of private cyber insurance.
