Banking phishing emails with QR codes

Recently, we have noticed a particularly well-crafted phishing campaign sent in the names of large European banks. Several Hoxhunt customers have received and reported this threat across Europe and North America.In most cases, the victim is urged to renew their credit cards for security reasons before they expire. The expiration date is set only two days ahead of when the email is sent to the victim to create a sense of urgency. To boost the sense of urgency even further, the emails state that there is a delay fee for late renewals.

The renewal happens through scanning a QR code that’s included in the emails. Using a QR code is a great tactic to make sure that the email reaches the recipient instead of being automatically removed by email filters. We followed some of the sites behind the QR codes, and we found that most of them had already been suspended or were blank.

We have also discovered several variations of this vector; for example, a prompt for mobile bank verification.Below, we outline our tips on how to stay safe from this type of phishing:

• This iteration does not use spoofed sender fields, which tricks victims into thinking the email is legitimate. So, when checking where the email is coming from, this should already ring some alarm bells.
• The emails in this campaign begin with just a basic greeting—not personalized for the recipient. Banks usually know the names of their customers and greet them accordingly.
• If a bank sends you a message, don’t click on the links. Instead, log into your online banking account by typing the real website address in your browser. The same message can, most likely, be read there. This rules out the possibility of falling for malicious links.

To sum it up, the initial delivery was great, but in the cases we have seen, the landing pages didn’t do the trick. It will be interesting to see what the next iteration of this campaign might bring.