Watch out for Phishing Attacks Using QR Codes
Email phishing attacks are constantly evolving with the latest threat now entering the inboxes of professionals being QR code scams. While QR codes are not new - greater adoption throughout society has resulted in hackers taking advantage of it for nefarious purposes. In this blog post, we will outline how it works, why it’s risky and how to prevent being the target of a successful QR code attack.
How does a QR Code Attack Work?
QR code attacks are a quick and creative way for hackers to trick a user to visit a fraudulent website to enter their credentials and unsuspectingly offer up sensitive information. Visiting the webpage itself isn’t risky; only once a user enters their credentials or payment information, like their credit card number can that information be stolen.
Why are QR Code Attacks so Risky?
There are two main reasons as to why QR code scams have security professionals concerned:
Bypasses Traditional Defenses: Currently there is no security solution that can follow a QR code-based URL to determine if the resulting URL is malicious or not. See example of fake Microsoft QR code scam. QR code has been distorted.
Check Point Research noticed a whopping 587% increase in QR-code-based phishing attacks between August and September 2023 which has been attributed to the lack of QR code protection in email security solutions and the widespread use of scanning QR codes.
Lack of User Security Awareness: A victim receiving the email may not suspect anything suspicious since the email itself has bypassed their email gateway security software, and like many email phishing scams, impersonates a legitimate company. Users scan the code which takes them to a site impersonating a service they use and the victim will end up having their credentials stolen during login. And since this is a relatively new threat, many employees are simply unaware of it.
According to Microsoft, there are five different types of QR code phishing scams, which are as follows:
- QR code email scams
- QR code payment scams
- QR code package scams
- QR code cryptocurrency scams
- QR code donation scams
How to Prevent a Successful QR Code Attack
Again, this attack demonstrates just how important ongoing user Security Awareness Training is. Here’s some general tips on responsibly scanning QR codes:
- Do not scan a QR code from an unfamiliar source
- Preview the QR code’s URL before opening it
- Check for tampering: If you are out at a restaurant that uses QR codes as menus, check to ensure that the QR code hasn’t been tampered with
- Be diligent and aware
- Be extremely suspicious of a QR code that takes you to a website asking for credentials of any kind or requests payment
If you would like to discuss your cybersecurity strategy or learn more about our Security Awareness Training, please reach out to us.