Watch out - that QR code could just be a phishing scam

QR Code
(Image credit: Pixabay)

The latest evolution of phishing emails includes QR codes as hackers look to maximize the potential of their campaigns.

A new report from cybersecurity researchers SecurityHQ claims to have observed a “significant increase” of such “quishing” emails in these past couple of months. The premise is simple - the majority of today’s email service providers are doing a relatively good job at filtering out emails with malicious URLs inside. 

However, they’re not doing as good of a job on the mobile platform, and they can’t scan QR codes, making this a unique vulnerability for hackers to exploit.

Quishing

So, in practice, a victim would get a phishing email containing no links. Instead, right beside the call to action (or in the signature) will be a QR code in a .JPG or a .PNG file which can pass any email security tools. 

Even the victim wouldn’t see the link, which is usually the best way to spot a phishing site. They would scan the QR code with their mobile phone, and would be redirected to a malicious landing page, where they’d either be enticed to download something (like malware), log in to a service (giving away their sensitive data to the attackers), or sign up for a service (yet again, giving away sensitive information).

Given the prevalence of email in both private and business environments, and the low cost of sending out emails, phishing remains the number one attack vector for most threat actors. 

With phishing emails, which usually impersonate a popular brand, or a person of trust, the attackers try to create a sense of urgency and have the victim do something without taking a moment to think it through. That can be either a limited discount offer, a threat of account termination, or a parcel being returned soon.

The usual goal of phishing is to have the victim grant the attackers access to their accounts or endpoints, either by downloading and running malware, or by sharing login credentials through phishing landing pages. 

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
mobile phone
Forget phishing, now "mishing" is the new security threat to worry about
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
QR Code
Hackers are targeting Signal with new QR code-linked cyberattack
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
Nintendo Switch 2
Nintendo Switch 2 expected to have AI upscaling and I can't wait to finally play Tears of the Kingdom with upgraded graphics