9am - 5pm ( Mon - Fri )
1856 N Nob Hill Road #212 Plantation, FL 33322-6548

QR Code Phishing Attacks Spread

September 12, 2023by Barbara Flynn0

By Roy Maurer


A workplace phishing campaign armed with malicious QR codes has been spreading for months, according to the cybersecurity firm that uncovered it.

The campaign, discovered by Cofense in May, spoofs Microsoft security alerts directing employees to update their account’s security settings. The QR codes and redirect links send users to a phony web page to steal their Microsoft credentials.

Cofense reported that the campaign targeted multiple industries, including a major unnamed U.S. energy company. The volume of the campaign has increased by more than 2,400 percent since May and is still ongoing.

Evidence suggests QR code phishing attacks have escalated since the COVID-19 pandemic.

“Following the pandemic and scanning QR codes at restaurants, people have become very comfortable with scanning QR codes, don’t think twice about it and don’t fully grasp the risk associated with a malicious QR code,” said Linn Freedman, a partner in the Providence, R.I., office of law firm Robinson and Cole and chair of the firm’s Data Privacy and Cybersecurity Team.

She added that “it is important to understand that just like malicious code embedded in a link or an attachment in an email or text—which we have been trained not to click on—a threat actor can embed malicious code into a QR code with the same results.”

QR codes in phishing emails are not typical. It’s awkward, said Stu Sjouwerman, CEO of KnowBe4, a security awareness training provider in Tampa, Fla. “Despite this lack of reasoning as to why this should work, we see that this type of social engineering works anyway, otherwise the cybercriminals wouldn’t be using this method.”

But the advantage for cyberthieves is that QR codes can more easily bypass secure email gateways, which aren’t able to scan the image the way they scan suspicious links.

These types of attacks are insidious for a couple of obvious reasons, Sjouwerman said.

“I’m not aware of any security solution that can follow a QR code-based URL to determine if the resulting URL is malicious or not,” he said. “And it shifts the actual threat action to another device [the employee’s mobile phone]—specifically one that has far less protections than a user’s endpoint.”

The Bottom Line

Educating employees is the best defense against any type of phishing. “Employees must be trained not to scan QR codes, received by email or text, and to alert the IT department if one is received,” Freedman said. “Everyone should treat QR codes with a high degree of suspicion, just like a suspicious text or email.”

Employees should follow the same basic guidelines to minimize the risk related to more traditional phishing attacks, including being alert to messages requiring urgent action; confirming with the purported source of the message if it seems suspicious; previewing the QR code’s URL to see if it appears legitimate; and not entering personal information or login credentials to unfamiliar pages.

Barbara Flynn

Leave a Reply

Your email address will not be published. Required fields are marked *

CALL USContact Information
People First, Inc.
Where everything begins and ends with people
1856 North Nob Hill Road #212
Plantation, FL 33322
Organically grow the holistic world view of disruptive innovation via empowerment.
OUR LOCATIONSWhere to find us?
GET IN TOUCHAvantage Social links
Taking seamless key performance indicators offline to maximise the long tail.

Copyright by People First INC. All rights reserved. 2022

2022 Copyright by People First Inc.  All rights reserved.