QR codes thrived as a contactless way to order food and pay during the pandemic, and have also been used in advertising and event tickets for quite some time.
And now, QR codes are becoming really popular among hackers and scammers, too.
Remember holding up your phone towards the screen, scanning a QR code, to enable two-factor authentication on your user account?
Setting up two-factor authentication on a new device or account is probably not something you do every day.
But you probably knew it was very important that time when you did it.
And scammers really know how to take advantage of both of these facts.
Fake Authenticator QR scans
What if you received an e-mail from your organization's IT-staff, telling you about a security alert relating to your account? «Scan the QR code to receive mandatory security updates for your authentication app.»
Scanning the QR code may seem safer than clicking a regular phishing link, since there is no obviously suspicious link visible anywhere.
However, the QR code is in reality a link, too. The pixelated QR pattern is just text (in this case a web address) encoded in a visual format that is easy for machines to read, and your phone will open whatever that text points to.
The QR code can therefore take you to any website chosen by the scammer, for instance a fake Office 365 login website, as in the example above.
And in the next step, it would of course seem to make sense to log in with your username and password, before supposedly updating the security information on your user account.
Except for the fact that there is a hacker on the receiving end, who is now able to steal your login information.
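The point above, that a QR code is nothing more than encoded text, is also what makes the scam checkable. The following is an added example, not code from the original article or from Secure Practice, showing the check you would apply to the text a QR decoder hands back before anyone taps it: a genuine authenticator enrollment code is an `otpauth://` URI carrying the OTP secret, and never a website, whereas a phishing code decodes to an `http(s)://` address pointing somewhere the organization does not own. The trusted-host list and the sample payloads are assumptions constructed for the example. The same logic could run on a mail gateway that decodes QR images in incoming email, which most spam filters do not do today.

```python
"""Classify the text decoded from a QR code before anyone acts on it.

Added example. The trusted host list and the sample payloads below are
constructed for illustration, not taken from any real incident.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: the web hosts a genuine IT notice from this
# organisation could legitimately send a user to. A real deployment would
# maintain its own list.
TRUSTED_WEB_HOSTS = {"login.microsoftonline.com", "intranet.example.com"}


@dataclass
class Verdict:
    kind: str                     # "authenticator-enrollment", "web-link" or "other"
    suspicious: bool
    reasons: list = field(default_factory=list)
    host: str = ""


def classify_qr_payload(payload: str) -> Verdict:
    """Decide what a decoded QR payload actually is and whether it looks like phishing."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    reasons = []

    if scheme == "otpauth":
        # A genuine authenticator enrollment code is an otpauth:// URI: the
        # "host" position carries the OTP type and the query carries the secret.
        # It configures the app directly and never opens a website, so there
        # is nothing to log in to.
        if parts.netloc.lower() not in ("totp", "hotp"):
            reasons.append(f"unknown OTP type {parts.netloc!r}")
        if "secret" not in parse_qs(parts.query):
            reasons.append("otpauth URI without a secret parameter")
        return Verdict("authenticator-enrollment", bool(reasons), reasons)

    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if parts.username is not None:
            # https://login.microsoftonline.com@evil.example/ really goes to evil.example
            reasons.append(f"text before '@' ({parts.username!r}) is not the host")
        if scheme == "http":
            reasons.append("plain http, no TLS")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address as host")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (IDN) host, possible look-alike domain")
        if host not in TRUSTED_WEB_HOSTS:
            reasons.append(f"host {host!r} is not a known organisation host")
        return Verdict("web-link", bool(reasons), reasons, host)

    # Wi-Fi credentials, contact cards, plain text and so on: not a link at all.
    return Verdict("other", False, [f"non-web payload, scheme {scheme!r}"])


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "otpauth://totp/Contoso:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Contoso",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.secure-update.example/signin",
    "https://login.microsoftonline.com@198.51.100.23/signin",
    "WIFI:T:WPA;S:guest;P:secret;;",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        verdict = classify_qr_payload(payload)
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} {verdict.kind:25} {payload}")
        for reason in verdict.reasons:
            print(f"{'':10} - {reason}")
```

Note what the classifier does not do: it cannot tell you whether a domain outside the list is malicious, only that it is not one the organization uses, which is exactly the point a user should notice before entering a password. An exact-match list is deliberate; a "contains microsoftonline.com" check would wave through the look-alike host in the third sample.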
Security detection may be scarce
Just as people and organizations are getting better at spotting and recognizing the classic phishing attempts, the malicious actors are improving and changing their methods of attack as well.
Fake two-factor authentication updates are not the only trend we are currently seeing. QR codes are now frequently replacing the links you are used to finding in traditional phishing emails.
For instance, something called "Employee benefit eligibility enrollment" can be found via the QR code example below, obviously something which many people may find attractive to learn more about:
(Please note that we have distorted all QR code examples in screenshots, so that readers of this article will not actually end up on dangerous websites.)
What the hackers have done cleverly here is that when you follow links like these on your mobile phone, you are less likely to be protected by detection on your device or by your organization's network monitoring.
Spam filters, which can usually identify dangerous emails before they are delivered to your inbox, usually do not scan links which are presented to users as QR codes, since the link is hidden inside an image rather than written out in the message.
In addition, anti-virus and VPN are mainly security features used on laptops, and are less common on (partly) private/personal devices on the mobile network.
Since this kind of attack bypasses a large share of the automatic security features, you will more often be left in a situation where you need to think critically for yourself.
In reality, anyone can create QR codes, and with a little social engineering on top they become even more dangerous.
Luckily, since you are reading this, you may already be familiar with our MailRisk button in Outlook, which can always tell you whether an email in your inbox can be trusted or not – regardless of QR codes or old-fashioned links.
You may come across the term «quishing»...
Due to the increasing popularity of using QR codes for phishing, security professionals are eager to find a new word to describe the new phenomenon.
You may therefore encounter the term "quishing", which is short for "QR phishing".
However, the word in itself carries no meaning, and you should not be surprised to learn that people who have not read this article to the end will not know what quishing is.
Making security harder with obscure words only makes it more difficult for people to feel confident when facing security decisions, like whether to proceed with a «mandatory security update to your authentication app».
For our own part, we will call it QR code phishing (or phishing with QR codes), and make it more obvious to anyone what we are actually talking about.
Just like we prefer calling phishing via voice (not «vishing»), and phishing via SMS (not «smishing») by what they actually are.
We can only imagine what's next.
(Open the camera app on your phone, and scan the QR code below to find out 😇)