Threat actors constantly tweak and refine their tactics in an attempt to evade detection or become more efficient at achieving malicious goals. Often, these tactical adjustments exploit societal changes—a pertinent recent example was the increase in phishing emails targeting remote employees.

Another technological change accelerated by the COVID-19 pandemic is the resurgence of QR codes. As they become more widespread in use, it’s worth figuring out the potential to exploit them. This article takes a look at the use of QR codes in phishing attacks.

What Are QR Codes?

Quick response (QR) codes are barcodes that store information in a two-dimensional way, which means the information in them can be read from top to bottom and left to right. Digital devices, including smartphones, can easily read the information contained within the square-shaped image.

Each code has a maximum data capacity of 4,296 alphanumeric characters. The technology traces its roots back to Japan in 1994 when engineers started using the barcodes to keep track of parts at an automotive factory. Each QR code contains position detection patterns, which facilitate accurate, fast reading by scanning devices.

After being limited to mostly industrial use cases, QR codes began spreading to a range of consumer-facing applications in 2011, such as companies placing them on advertisements for events, discounts, and promotions. Adoption moved slowly, though, and some technology analysts speculated on the demise of their use in 2014 due to a combination of poor implementation by businesses and users who weren't motivated enough to install the dedicated app required to scan them.

As smartphones became more advanced, manufacturers added QR scanners to the cameras of their smartphones, so that users didn’t need a dedicated app. The result was a gradual increase in people scanning QR codes to download apps, visit websites, or access a Wi-Fi hotspot. Preference for status quo methods of performing these actions meant that there was a natural tailing off in how many people scanned QR codes.

The Resurgence of QR Codes

Among the many technological changes influenced by COVID-19 was a huge resurgence in QR codes. With mandatory social distancing in retail environments, businesses such as restaurants and coffeehouses had to figure out ways to keep staff and customers safe while trying to make money and survive.

QR codes provided a solution by allowing customers to scan a barcode, view menus, and place orders all while maintaining a safe distance from staff members. Foregoing physical menus was meant to help reduce the spread of the coronavirus through droplets on improperly disinfected menus.

QR codes were also deployed extensively to confirm the vaccination status of individuals. In places where entry was limited to only fully vaccinated individuals, scanning a code helped businesses ensure that they adhered to these safety protocols.

How a QR Code Phishing Attack Would Work

With QR codes now ubiquitous, cybercriminals have the chance to exploit their popularity and scam people. Embedding links to malicious websites inside a QR code is likely to pay dividends given that people tend to automatically trust them. While suspicious URLs are detectable by humans in plaintext, masking them inside QR codes means that people can’t read them and see that the URL looks suspicious.

The possibility of cybercriminals taking advantage of QR codes led to security analysts coining a new type of phishing attack known as “quishing.” Here is how some of these attacks work:

Email impersonation - a threat actor sends an email from a seemingly legitimate source containing a QR code in the body of the email

or...

In real life (IRL) - where threat actors cover legitimate QR codes with their own malicious QR codes in physical locations such as restaurant menus, retail store doors and windows, information kiosks, and school bulletin boards

then...

An unsuspecting user scans the code and gets taken to a malicious phishing website where the user reveals confidential information, such as login credentials or credit card details.

One possible weakness with this tactic from a hacker’s perspective is that people might naturally be reluctant or confused about scanning a QR code contained in an email. As with all forms of social engineering attacks, this hesitancy can be bypassed by creating a sense of urgency with victims and by crafting highly credible emails.

Examples of QR Code Phishing Attacks

The possibility of QR code phishing attacks is no longer mere speculation. There have been a few incidents that directly exploited the increasing reliance of people and businesses on QR codes.

San Antonio and Austin Parking Scams

In December 2021, law enforcement in San Antonio and Austin warned Texans about a QR code scam in which cybercriminals placed malicious QR code stickers on parking meters. Both cities only allow people to pay for parking with coins or a dedicated app. By exploiting the widespread use of QR codes, the threat actors expected unsuspecting individuals to scan the code and try to pay for their parking at the website they were sent to. This URL was, in fact, a phony link that duped people into revealing their payment card details.

Microsoft 365 Credential Theft

In the fall of 2021, attackers ran a credential theft campaign that used previously compromised email accounts to send messages from the actual accounts of business colleagues. Such messages pass right by traditional secure email gateways (SEGs) and appear real and safe to the recipients.

These phishing emails claimed to include an important voicemail message, but required the victim to scan a QR code to be able to listen to the message. Users who scanned the QR code were sent to a phishing website that required their Microsoft O365 credentials before being given access to the non-existent audio file.

It’s unclear whether anyone fell for this scam, but there is a clear potential for similar incidents. Threat actors generally regard Microsoft Office 365 login credentials as particularly useful for achieving other goals, such as stealing sensitive data or tunneling into an enterprise network.

Tips for Using QR Codes Safely

With QR codes seemingly everywhere today and used for many different customer-facing applications, what can you do to use them safely? Here are some general tips to reduce the chances of being scammed.

  • For QR codes that take you to a URL, examine the address closely to make sure it’s genuine and doesn’t contain typos.
  • Take care when scanning physical QR codes that they haven’t been tampered with, and exercise extreme caution if you see a sticker QR code anywhere.
  • Don’t download apps directly using QR codes—instead, note the name of the app, search for it in whatever app store you use, and download from there.
  • If you ever receive an email about needing to complete a transaction with a QR code, call the bank or financial institution to verify this information and/or navigate to the website without scanning the code to ensure you’re visiting a trusted URL.
  • Be wary about any QR code that informs you of the chance to win some kind of prize if you scan the code.
  • In general, don’t trust QR codes in emails because it would be easier and make more sense for a legitimate sender to insert an actual link into the text of the email. 
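
The first tip above, checking that the scanned address is genuine and free of typos, can be automated once a scanner has decoded the QR payload. The following Python is an added example, not part of the original article or of any IRONSCALES product; the trusted-domain list, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains this organisation expects in QR codes (hypothetical list).
TRUSTED = ("cityparking.example", "microsoftonline.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_payload(payload: str, trusted=TRUSTED) -> list[str]:
    """Return the reasons a decoded QR payload should not be trusted."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return ["not a web link"]
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme == "http":
        findings.append("no TLS")
    if parts.username is not None:
        findings.append("userinfo hides real host")
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address"]
    except ValueError:
        pass  # not an IP literal, keep checking the name
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode label")
    # Simplification: treat the last two labels as the registrable domain.
    base = ".".join(labels[-2:])
    if base in trusted:
        return findings
    near = [t for t in trusted if edit_distance(base, t) <= 2]
    if near:
        findings.append(f"near-miss of {near[0]}")
    elif any(t in host for t in trusted):
        findings.append("trusted name used as subdomain")
    else:
        findings.append("domain not on trusted list")
    return findings
```

An empty list means none of these checks fired; it does not prove the destination is safe.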


The threat of QR code scams is now so high that the FBI released an alert outlining how cybercriminals tamper with these codes to steal money. Now that you understand the potential risks and mitigation measures to take, you’ll stand a better chance of staying safe during the QR code resurgence.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/

Post by Audian Paxson
December 8, 2022