QR codes, also known as Quick Response codes, have become increasingly popular in recent years. They are a convenient and versatile way to access information, such as menus, product information, and website content. However, QR codes can also be used for malicious purposes, such as phishing.
QR phishing is a type of phishing attack that uses QR codes to trick victims into revealing sensitive information or downloading malware. Scammers may send phishing emails with QR codes, place malicious QR codes in public places, or even post them on social media.
If you're not careful, you could end up scanning a QR code that takes you to a fake website or downloads malware onto your device. Once that happens, it's game over for your data.
Attackers use urgency, impersonation, and domain spoofing to bypass email security.
In a recent phishing attack observed by Cyber Security Associates and other cyber security companies, attackers sent emails, usually from different sender and envelope addresses, that all shared common features. The emails convey a sense of urgency, either through the subject line or by being marked as high priority. Some of the emails refer directly to enabling two-factor authentication (2FA) or to QR code activation, and some impersonate the company's internal IT or HR team by inserting the company domain alongside strings like "it-desk" and "hr-manager" in the sender field.
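The features listed above can be checked mechanically during mail triage. The following sketch is an added example, not code from the article or from any vendor; it reads "different sender and envelope addresses" as a mismatch between the `From` and `Return-Path` headers. `ORG_DOMAIN`, the lure word list, the `needs_review` threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                # assumption: the organisation's own domain
TEAM_STRINGS = ("it-desk", "hr-manager")  # strings the article reports in the sender field
LURE = re.compile(r"urgent|immediately|2fa|two[- ]factor|qr code", re.I)  # constructed list

def indicators(raw: str) -> list[str]:
    msg = message_from_string(raw)
    shown = msg.get("From", "").lower()   # the whole sender field as displayed
    from_addr = parseaddr(shown)[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()  # envelope sender
    hits = []
    # Sender and envelope addresses differ (weak alone: mailing services do this too).
    if envelope and envelope != from_addr:
        hits.append("sender_envelope_mismatch")
    # Urgency expressed by marking the message as high priority.
    if msg.get("X-Priority", "").strip().startswith("1") or msg.get("Importance", "").lower() == "high":
        hits.append("high_priority")
    # Urgency or 2FA / QR code activation wording in the subject line.
    if LURE.search(msg.get("Subject", "")):
        hits.append("lure_subject")
    # Company domain plus a team string is displayed, but the real address is external.
    if (from_addr.rpartition("@")[2] != ORG_DOMAIN and ORG_DOMAIN in shown
            and any(s in shown for s in TEAM_STRINGS)):
        hits.append("internal_team_impersonation")
    return hits

def needs_review(raw: str, threshold: int = 2) -> bool:
    return len(indicators(raw)) >= threshold  # several indicators must coincide

# Constructed sample messages (not taken from a real campaign).
SUSPECT = """\
Return-Path: <bounce@mailer-a.invalid>
From: "example.com it-desk" <notify@mailer-b.invalid>
Subject: Urgent: 2FA QR code activation required
X-Priority: 1 (Highest)

Scan the QR code to keep your account active.
"""
BENIGN = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
Subject: Lunch menu for Friday

See you there.
"""
if __name__ == "__main__":
    print(indicators(SUSPECT), indicators(BENIGN))
```

No single indicator is conclusive, which is why the sketch only queues a message for review when at least two coincide.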
Attackers use various techniques to draw attention to the email and maximize the chances that the recipient opens and engages with it.
To make sure the emails reach the intended inboxes, the attackers use several tactics:
An example URL of the kind that can be found in a malicious QR code (cofense.com, 2023) [2]:
QR phishing attacks can target consumers and enterprises alike.
While QR phishing attacks have often targeted individual consumers, businesses and their employees are also at risk. Email-based QR phishing campaigns, such as the ones uncovered by HP and Abnormal Security researchers, can target enterprise accounts for credential theft or malware distribution.
In other words, QR phishing attacks can be used to steal employee login credentials or install malware on company devices. This can give attackers access to sensitive business data, such as customer information, financial records, and trade secrets.
Email delivery of the QR code is not the only way attackers target potential victims. Well-known attack vectors can come in the form of:
QR code scams can be encountered in emails, in text messages, on signage, in direct mail and even in person from criminals posing as utility workers or government employees.
QR phishing attacks can be effective, but there are ways to mitigate the risk.
Identifying a fraudulent QR code is difficult. In fact, many people don't even know that fraud can happen through a QR code.
While QR phishing attacks can bypass some security protections, they still require the victim to take action to get compromised. This gives well-trained personnel an opportunity to identify and avoid these attacks.
Additionally, most QR code scanners on modern smartphones will ask the user to verify the destination URL before launching the browser. This is another protective step that can help to mitigate the risk of QR phishing attacks.
Here are some tips to help you protect yourself from QR phishing attacks:
If you are unsure whether a QR code is safe to scan, it is best to err on the side of caution and not scan it. There are QR decoders available online, although you have to be careful, as some of these services might be malicious in their own right.
If your organisation is affected by a regular or large number of attempts, you can always contact Cyber Security Associates to see how we can help you with investigation and mitigations.
QR phishing is a growing threat, and it is important to be aware of the risks and take steps to protect yourself. Here are some conclusions to draw from the article on QR phishing:
If you think you may have been a victim of a QR phishing attack, you should immediately change your passwords and contact your bank or credit card company. You should also scan your computer for malware.
By following these tips, you can help to protect yourself from QR phishing attacks and keep your data safe. You can also contact Cyber Security Associates to discuss possible solutions for your organisation.
[1] Major U.S. energy org targeted in QR code phishing attack
[2] Major Energy Company Targeted in Large QR Code Phishing Campaign
[3] QR Codes: A Growing Vulnerability to Cybercrimes
[4] Quishing on the rise: How to prevent QR code phishing
[5] Phishing with QR Codes: How Darktrace Detected and Blocked the Bait