In 2023, approximately 347.3 billion emails are sent daily, and phishing emails are the most common type of cybercrime. In the UK, 83% of businesses that suffered a cybercrime say the attack was phishing. In the usual kill chain for phishing emails, malicious actors try to get the victim to click a malicious link, download a malicious attachment, or fall for some kind of financial fraud, such as transferring money. Recently, there’s been a trend of including malicious QR codes in phishing emails to get victims to scan them and visit malicious websites.
Editor’s note. We’ve replaced the following malicious QR codes with one leading to our domain for your own safety.
What are QR codes, and how do they work?
QR code is short for Quick Response code. QR codes are two-dimensional barcodes you can scan by pointing your smartphone camera at them. The camera interprets the code and displays the information inside it. The information can range from links to websites to contact details or even event information. QR codes offer a convenient way to display information and perform actions, and they're widely used for advertising, ticketing, authentication, and inventory management.
How do scammers use QR codes?
In phishing emails, attackers use QR codes to deliver malicious links and bypass any possible filters. The link hides within the code, and the victim has to scan it with their smartphone. After scanning the code, the victim navigates to the malicious website using the provided link. The websites usually contain credential harvesters.
Within our network, we’ve identified several different phishing campaigns using malicious QR codes inside phishing emails since May. The technique isn't completely new to the phishing landscape, with some smaller campaigns making the rounds during the past years. The majority of the campaigns use Microsoft and MFA as themes. The largest campaign we’ve encountered is a Microsoft impersonation requesting the users to scan the provided QR code to review a security update. There’s a tight deadline for the recipient to complete the required task. Additionally, the emails include instructions for scanning the QR code in case some users aren’t familiar with QR codes.
Since the campaign was first seen, over a thousand users globally from over 100 different organizations have reported this email campaign.
Other smaller campaigns were reported within our network that use malicious QR codes, such as a different but similar Microsoft security update phish using MFA as a pretext.
Over ten different organizations reported the email above. And through our network, we also spotted a non-Microsoft QR phish two weeks ago.
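A mail-side triage check for the traits described in this section, added here as an illustration and not Hoxhunt's own detection logic: it flags messages that carry an image, tell the reader to scan, and leave no URL in the text for a link filter to inspect. The keyword patterns, signal names and the sample message are assumptions constructed for the example, and it does not decode the QR image itself.

```python
import re
from email import message_from_string, policy

# Assumed lure vocabulary, drawn from the campaign traits described above.
URL_RE = re.compile(r"https?://\S+", re.I)
SCAN_RE = re.compile(r"\bQR\b|\bscan\b", re.I)
THEME_RE = re.compile(r"\bmicrosoft\b|\bMFA\b|security update", re.I)
DEADLINE_RE = re.compile(r"\bwithin \d+ (?:hours?|days?)\b|\bdeadline\b", re.I)

def triage(raw):
    """Return QR-lure signals for one raw message (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    text, images = [str(msg.get("Subject", ""))], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        images += ctype.startswith("image/")      # count inline/attached images
        if ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = "\n".join(text)
    if not (images and SCAN_RE.search(body)):
        return []          # no image, or nothing telling the reader to scan
    signals = ["image-with-scan-instructions"]
    if not URL_RE.search(body):
        signals.append("no-url-in-text")   # a URL filter has nothing to inspect
    if THEME_RE.search(body):
        signals.append("microsoft-or-mfa-theme")
    if DEADLINE_RE.search(body):
        signals.append("deadline")
    return signals

# Constructed sample message; the image bytes are a placeholder, not a real QR code.
LURE = """\
From: "Security Team" <noreply@example.test>
Subject: Microsoft security update required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Scan the QR code below with your phone within 2 days to review the update.
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__": print(triage(LURE))
```

Messages that return several signals are candidates for manual review or for passing the image to a QR decoder so the embedded URL can be checked like any other link.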
How to avoid QR code scams
First, many of the usual tactics help you verify the legitimacy of possible phishing emails, like checking the sender’s domain and looking out for suspicious links. Before doing anything, carefully check the email’s content.
Specifically, when it comes to QR codes, you should start by making sure the email is legitimate. If everything checks out, pointing your phone camera towards the QR code typically reveals the URL it leads to. Remember to be cautious and avoid opening the link by mistake while doing this. You should also be mindful of using QR code scanning applications—some might redirect you to malicious websites regardless of the QR code.
Although not all QR codes are malicious, it would be good for companies to avoid using them in legitimate communications due to how difficult it is to confirm their legitimacy. Remember to be careful when using QR codes, and think before scanning. Anyone could have made them, and it’s impossible to tell where they lead before scanning them. Staying proactive helps keep you and your company safe from cybercriminals.
About the author
Minna joined Hoxhunt in 2022 and works as a Junior Threat Analyst. She spends her free time taking pictures of her cats, reading, and tinkering with mechanical keyboards.