Scammers have found a new tool in the ever-evolving battle to scam companies and steal credentials. We all know by now that the most successful way for bad actors to get access to company resources and develop schemes to steal money is through phishing. As the scammers get better at creating more authentic looking phishing schemes, the industry continues to fight back with things like multifactor authentication, blocking unknown sites, and better artificial intelligence in the spam filters. But, the scammers have recognized that spam filters currently focus on the words and links in the emails to identify phishing attempts. The easy way to get around this is to use images instead of text, so they have weaponized QR codes because the QR codes are images that can be used to redirect you to malicious phishing websites. In addition to hiding their malicious links in an image, the scammers know that you will probably scan the QR code using your personal cell phone that doesn’t have the same protections as your work computer. The end result is typically to send you to a fraudulent website and ask for your password.
Here is an example of what a fraudulent QR code phishing (Quishing) message may look like. These scams could state that your password has expired, you need to install a new tool, view a document that was sent to you, validate your credentials, or perform any number of requests to get you to visit a malicious site and enter in your password.
If you ever see one of these Quishing messages in your inbox, don’t scan the code until you have verified its authenticity. And if it is a scam, report it in order to prevent others from being tricked by the same messages, QR codes, and underlying links. Here are some pointers to keep in mind when reviewing messages.
You can learn more about Quishing here: