QR-code Phishing

Phishing campaigns that use quick response (QR) codes are increasingly common. A QR code lure forces the user to move from a desktop or laptop, where email and web traffic are typically filtered, to a mobile device, which often lacks equivalent detection and protection. This is a significant risk because the same mobile devices are used for personal banking and other confidential transactions. The practice of using QR codes to phish end users is referred to as QR code phishing or quishing.
A QR code is similar to a barcode, except that it consists of a grid of black and white squares that store encoded information. Most smart devices with cameras (phones, tablets, etc.) can read these codes. When the code is scanned, the information is decoded and presented in its original form. The most common type of information encoded in a QR code is a URL.

As with other forms of phishing, QR code phishing usually involves an urgent or threatening email, but instead of a clickable link the message embeds a QR code that points to a malicious site.

  • The email urges the recipient to scan the code, which leads them to a malicious website.
  • These websites are typically spoofs of legitimate company websites (e.g., a parking enforcement payment site, Microsoft, etc.). Often the malicious site asks for login credentials or banking/credit card information.
  • Because a QR code is an image with no visible text, the user cannot see where it leads before scanning it, and there is no link to hover over. The destination is also invisible to email filters that only inspect text hyperlinks, which is why attackers find QR codes harder to block than ordinary malicious links.
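The last point is the detection problem in a nutshell: the mail filter sees an image, not a URL. The following script, added here as an illustration and not part of the original page, shows a standard-library Python triage heuristic for the delivery pattern rather than the QR payload itself: an image attachment carried by a short, urgent message that asks the reader to scan something and contains no ordinary hyperlinks. Actual QR decoding would need an extra library (e.g. pyzbar or zxing) and is not attempted here; the two sample emails and the placeholder PNG bytes are constructed for the example.

```python
"""Heuristic triage of a raw email for QR-code phishing (quishing) indicators.

Added example, not part of the original page. Standard library only; it does not
decode the QR image, it detects the delivery pattern around it.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Urgency phrases commonly seen in phishing lures (assumed list, extend as needed).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "final notice", "verify your account", "action required")
IMAGE_TYPES = ("image/png", "image/jpeg", "image/gif", "image/bmp")
HREF_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed placeholder: a PNG signature padded with zeros, NOT a real QR image.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def triage(raw_message: bytes) -> dict:
    """Return indicators found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    text = ""
    images = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text += part.get_content()          # decoded (QP/base64 handled)
        elif ctype in IMAGE_TYPES:
            images.append({
                "filename": part.get_filename(),
                "content_id": part.get("Content-ID"),
                "size": len(part.get_payload(decode=True) or b""),
            })

    lowered = text.lower()
    urgency_hits = [t for t in URGENCY_TERMS if t in lowered]
    link_count = len(HREF_RE.findall(text))     # ordinary hyperlinks a filter would see
    scan_prompt = "scan" in lowered and ("qr" in lowered or "code" in lowered)

    indicators = []
    if images:
        indicators.append("image_attachment")
    if images and link_count == 0:
        indicators.append("image_without_links")   # the QR is the only "link"
    if urgency_hits:
        indicators.append("urgency_language")
    if scan_prompt:
        indicators.append("asks_to_scan_code")

    # An image plus a scan prompt or urgency, with no text links, is the quishing shape.
    suspicious = bool(images) and link_count == 0 and (scan_prompt or bool(urgency_hits))
    return {"images": images, "link_count": link_count,
            "urgency_terms": urgency_hits, "indicators": indicators,
            "suspicious": suspicious}


def build_sample_lure() -> bytes:
    """Constructed quishing-style message: HTML body with an inline image, no links."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Action required: MFA enrolment expires today"
    msg.set_content("Your MFA will be suspended within 24 hours. "
                    "Scan the QR code below with your phone to re-enrol.")
    msg.add_alternative(
        "<html><body><p>Your MFA will be suspended within 24 hours.</p>"
        "<p>Scan the QR code below with your phone to re-enrol.</p>"
        '<img src="cid:qr@example"></body></html>', subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(FAKE_PNG, maintype="image", subtype="png",
                          cid="<qr@example>", filename="qr.png")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary message: plain text with a visible link, no image."""
    msg = EmailMessage()
    msg["From"] = "Events <events@example.invalid>"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Staff meeting agenda"
    msg.set_content("The agenda is at https://intranet.example.invalid/agenda")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        result = triage(raw)
        print(name, "suspicious" if result["suspicious"] else "ok", result["indicators"])
```

In a mail pipeline the image parts flagged by this heuristic would be handed to a QR decoder and the decoded URL run through the same URL reputation checks applied to ordinary links.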

Did you know?

From June through August 2023, Kaspersky detected 8,878 phishing emails containing QR codes. The activity peaked in June with 5,063 emails and had dropped to 762 emails by August.

Defending against QR code phishing scams

  • Exercise Caution: Treat a QR code the same way you would treat an unknown link. Avoid scanning a QR code from an unknown source.
  • Verify Source: If the QR code appears to come from a trusted source, confirm that it is legitimate through another channel (e.g., phone, text, etc.).
  • Preview the link before opening it: Most phone cameras display the decoded URL before opening it. Check that the domain matches where the code claims to take you, and be suspicious of URL shorteners, raw IP addresses, and familiar names buried inside a different domain.
  • Avoid scanner apps: Use the built-in device camera. Third-party scanner apps may themselves be a vehicle for malware.
  • Phishing Signs: Review the email for signs of a phishing attempt (e.g., manufactured urgency, appeals to fear, empathy, or other emotions, etc.).
  • Report: Any suspicious email that appears to contain a fraudulent QR code should be reported to the organization's IT Security group.
  • Keep Credentials Safe: Be wary of any website that asks you to enter credentials or banking/credit card information.

Updated October 16, 2023 by Digital & Web Operations, University Relations (web_services@athabascau.ca)