QR Codes Now Used in Phishing Attacks 

Phishing is one of the most prolific cyber attacks, taking place every day. Often a phishing email contains a malicious attachment or a link to a dangerous website. As companies and individuals become more cyber aware, the dangers of opening unexpected attachments or clicking suspicious links in emails are better known, so cyber criminals are having to change tactics. Cyber criminals very commonly adapt quickly to changes in technology and cyber awareness, and this is exactly what is happening right now with phishing messages. 

A recent rise in the use of QR codes rather than links or attachments has been seen in phishing attacks, sometimes referred to as ‘quishing’ attacks. A QR code (Quick Response code) is a 2D bar code made of squares and dots, commonly used to encode a hyperlink that takes a user to a specific web page. To use a QR code the user scans it with a camera, such as the one on their mobile phone; the device reads the information encoded in the QR code and the hyperlink is opened on the user’s phone. QR codes are commonly found in paper communications, whereas in email legitimate companies prefer ordinary links to direct you to the necessary web pages. Cyber security researchers at Kaspersky detected 8878 phishing emails containing QR codes between June and August this year, evidencing a new, widespread phishing campaign. 

This is a real phishing email that was received containing a malicious QR code; the code has been obscured for safety and security reasons: 

As with other examples of phishing messages, this one contains logos of the company the criminals are trying to impersonate, in this case the Microsoft Corporation, as well as other elements you would expect in an official Microsoft email, such as the company address, an option to review the information, and a disclaimer pretending to care about the confidentiality of your information. However, these criminals want to steal your personal information through a fake login page designed to trick you into giving them your password. Spelling errors, a sense of false urgency, and the strange request presented in this email are useful signs that can help you realise it is actually a scam and not from Microsoft. The sender email address is also very clearly not an official Microsoft domain, so there is no way this could be a legitimate message. 

One of the biggest dangers of this new tactic is that a potential victim does not know what website a QR code will take them to until they scan it. In other phishing messages, where links are used on their own, it is possible to hover your mouse over the link to reveal the real destination even if it is hidden under other text, so the actual web address is visible without clicking the link. With a QR code the only way to get the web address to appear is to scan it with an image-processing device, and even then the web address displayed may be a shortened URL, so it can still be unclear whether you are being redirected to a malicious or a legitimate site.  

Another issue with cyber criminals using QR codes rather than links in the body of their phishing emails is that QR codes are harder for email monitoring programmes to detect, and these programmes are what attempt to filter out potentially dangerous messages before they ever reach your inbox. Security software such as Microsoft Defender can check and block dangerous links in phishing messages so that you don’t get tricked into clicking them. To analyse a QR code in the same way, however, the software would first need to scan the image to determine what information it encodes, which is a computing-power-intensive process and therefore a very costly one too. 
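Once a mail gateway (or a careful user) has decoded the QR image, the recovered string still has to be judged, which is the point the two paragraphs above make about hidden destinations and shortened URLs. The following is an added example, not code from the original post, of that post-decoding check: it assumes the QR decoding itself has already been done by a QR library, uses constructed sample payloads, and compares the decoded link against the domain of the brand the email claims to be from (microsoft.com here, matching the example above).

```python
# Added example (not from the original post): triage of a URL recovered from
# a QR code in a phishing email. The decoding step is assumed to have been
# done by a QR library; the payload strings are constructed samples.
from urllib.parse import urlsplit

# Well-known URL shorteners: the real destination cannot be judged from the link.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_qr_payload(payload: str, claimed_domain: str) -> list[str]:
    """Return the reasons a decoded QR payload looks suspicious relative to the
    domain of the organisation the email claims to be from. Empty list means
    nothing obviously wrong was found (it does not prove the link is safe)."""
    reasons = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme or not a URL: {parts.scheme or 'none'}"]
    host = parts.hostname or ""
    if not host:
        return ["URL has no host"]
    if parts.scheme == "http":
        reasons.append("plain http, not https")
    if registrable_domain(host) in SHORTENER_DOMAINS:
        reasons.append(f"shortened URL via {host}: destination hidden")
    claimed = registrable_domain(claimed_domain)
    if registrable_domain(host) != claimed:
        reasons.append(f"host {host} is not under claimed domain {claimed}")
        # The brand name inside an unrelated host is a classic lookalike pattern.
        brand = claimed.split(".")[0]
        if brand in host:
            reasons.append(f"claimed brand '{brand}' appears inside unrelated host")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL (user@host trick)")
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them over.
    samples = ["https://login.microsoft.com/", "https://bit.ly/abc123",
               "http://microsoft-login.example.net/verify", "mailto:x@example.net"]
    for sample in samples:
        print(sample, "->", triage_qr_payload(sample, "microsoft.com") or "no findings")
```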

Because QR codes are rarely used in legitimate emails, you should be suspicious of any message you receive that contains one. This will help you notice the signs that the message is a phishing scam rather than a message from a legitimate company you do business with. Phishing messages you identify should be reported immediately to help protect yourself and others from further attacks. You can report phishing messages directly within whichever email program you use, such as Outlook, or when accessing email online, such as through Gmail. This is done by opening the (…) menu while the phishing message is open and clicking the ‘Report Phishing’ option. If you receive a phishing email at your work email address, it is also important to report it to your IT or cyber security team.  

Receiving a phishing message by email might mean that your contact information, such as your work and personal email addresses, is available to criminals on the dark web. Request a free dark web scan to identify where your details may be available to hackers and criminals online. 
