QR codes and phishing: Cybercriminals’ new weapon

by Rebeca

QR Codes: More than just a code

Phishing attacks are constantly evolving, and hackers are constantly looking for new ways to evade detection. QR Codes (Quick Response Codes) are two-dimensional barcodes that can store a variety of information, such as URLs, GPS coordinates, text messages and much more. They are widely used to facilitate access to information simply by scanning the code with a smartphone or tablet. Initially designed to simplify communication between the physical and digital worlds, the QR Code has become one of the latest weapons used by cybercriminals to launch sophisticated phishing attacks.

Phishing and QR codes: the threat to the business world

Phishing, the online scam technique, is no longer limited to simple fraudulent e-mails. Attackers have refined their methods, and one of the most worrying emerging attacks is QR code phishing. Phishing is a strategy used by hackers to steal information. This information, whether bank details, login details or other personal data, is a prime target for cybercriminals. Historically, phishing attacks were mainly relayed by fraudulent mail or e-mails. However, the growing adoption of QR codes in companies and among users has opened up a new avenue of attack.

When we talk about e-mails in the context of phishing, we're referring to deceptive e-mails that imitate legitimate organizations. These e-mails are designed to mislead the user, prompting them to click on a malicious link or provide confidential information and data. With the rise of QR codes, these e-mails have evolved. Now, a simple scan of a malicious QR code can compromise an organization's security.

Companies of all sizes need to be aware of this threat. Employees, often the first line of defense against these attacks, need to be trained to recognize and avoid phishing attempts. Every e-mail and message received, every QR code scanned, every web page visited can be a gateway for hackers.

How are cybercriminals using QR codes in their phishing attacks?

QR codes, originally designed to facilitate access to information, are now being hijacked by cybercriminals to deceive users.

  • Fake payment QR codes: Criminals create fake payment QR Codes, usually linked to legitimate businesses. When victims scan them, they unwittingly make a payment to the fraudsters’ bank accounts.
  • Redirection to phishing sites: QR Codes can be used to redirect users to phishing sites that look like login pages or sensitive information entry pages. The data provided by victims is then exploited for malicious purposes.
  • Malware download: By scanning a QR Code, users can be directed to a website that automatically triggers the download of malware to their device, compromising the security of their system.

Examples of corporate QR Code phishing attacks

  • Payment scam: An employee receives a QR Code purporting to be linked to an invoice. By scanning it, he makes a payment to the cybercriminal’s account instead of the legitimate supplier.
  • Data phishing: Cybercriminals send e-mails with QR Codes that redirect employees to forged login pages, where they enter their company credentials, which are then compromised.
  • Malware propagation: A QR Code on a document received internally leads employees to malicious websites, triggering the download of malware onto company devices.

The recent attack on a US oil company

Cybersecurity researchers recently identified a large-scale attack using QR codes to target major corporations, including a major US oil company. Thousands of e-mails were sent as part of the attack. The fraudulent e-mails asked employees to perform a security check linked to their Microsoft 365 account, and they managed to bypass Microsoft's native detection functions. Employees who scanned the QR Code were redirected to a fake login page, allowing cybercriminals to steal their logins and passwords.

How to detect and prevent QR code phishing attacks?

Detecting and preventing phishing attacks based on QR codes requires constant vigilance. Users are often the weakest link in information system security. When it comes to QRishing in particular, specific training is needed to dissuade users from scanning QR codes from unknown sources, or clicking on links without first checking their legitimacy.

  • Careful examination: Before scanning a QR code, make sure it comes from a reliable source. Be wary of unexpected codes and don’t scan them unless you’re sure of their legitimacy.
  • Education and awareness: Train your staff to recognize suspicious QR Codes, and to be skeptical of payment requests or redirections to unfamiliar websites.
  • E-mail filtering: Use filters and anti-phishing software to identify e-mails containing suspicious QR Codes and block their distribution. The native security capabilities of Microsoft 365 are not enough to intercept sophisticated threats. It’s essential to strengthen your security posture by working with a third-party provider, such as Mailsafe’s 100% M365-compatible solutions.
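
One way a mail filter could check the legitimacy of a link decoded from a QR code before delivery, as an added example that is not from the original article or from any vendor's product. The trusted-host list, brand words, shortener list and function name are assumptions, and decoding the QR image into text is assumed to have happened upstream.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy data: real sign-in hosts, imitated brand words, URL shorteners.
TRUSTED_HOSTS = {"login.microsoftonline.com", "portal.example-corp.test"}
BRAND_WORDS = ("microsoft", "office365", "m365")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload looks risky (empty = none found)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Payment or app URI schemes cannot be checked against the host list.
        return [f"non-web scheme '{scheme or 'none'}': needs manual review"]
    host = (parts.hostname or "").lower().rstrip(".")
    if host in TRUSTED_HOSTS and scheme == "https" and not parts.username:
        return []
    reasons = []
    if scheme == "http":
        reasons.append("no TLS")
    if parts.username is not None:
        reasons.append("userinfo before host hides the real destination")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the landing page")
    if any(word in payload.lower() for word in BRAND_WORDS):
        reasons.append("brand name used on an untrusted host")
    return reasons or ["host not on the trusted list"]


# Constructed sample payloads, as a QR decoder would return them from mail images.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://microsoft-365-security-check.example.net/verify",
    "https://login.microsoftonline.com@203.0.113.7/signin",
    "upi://pay?pa=constructed@bank&am=100",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_payload(s) or "no findings")
```

A non-empty result is a reason to quarantine the message or hold it for review; an empty result only means none of these specific checks fired.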

Phishing attacks are constantly evolving, moving from traditional e-mails to QR Codes and other vectors. Companies need to adapt by raising security awareness, training staff and implementing robust security measures to deal with these threats. This includes using advanced security solutions and regularly reviewing security policies to stay one step ahead of cybercriminals.
