Email Scammers Use QR Codes to Bypass Email Security

Cloud email security company Abnormal identified and blocked nearly 200 emails sent to their customers between 15th September and 13th October 2021. These emails were all part of a phishing campaign that used malicious QR codes to steal Microsoft 365 credentials.

By using the QR codes, scammers were able to circumvent the URL scan feature for attachments in traditional email gateways. Furthermore, as all QR code images were created on the same day they were sent out, they were not previously reported and could therefore easily slip past the security blacklist.

How were the Scammers Distributing Malicious QR Codes?

Initially, fraudsters weren't using QR codes in their phishing emails but would instead hide an URL link behind an image of a .WAV audio file.

Scammers Distributing Malicious QR Codes

This, however, was soon picked up and identified as a threat by security services so the scammers had to change tactics.

They then turned to QR codes for their second attempt as they replaced the .WAV file with a malicious QR code which they placed in line with the email body.

malicious QR code

While scams involving QR code images that hide malicious links to phishing websites are a pretty common phishing tactic, what's different and novel about these is that this is the first that actual QR codes were used and embedded in phishing emails.

Abnormal Security Director of Threat Intelligence Crane Hassold said:

We've seen actors use fake QR codes in the past - QR code images that are in reality hyperlinks to a phishing site - and we've seen actors use QR codes out in the real world to try and get people to go to a malicious website, but this is the first time we've seen an actor embed a functional QR code into an email.

The question, however, is since a QR code cannot be opened like an attachment or clicked like a URL link, how were the threat actors intending to get victims to fall prey to their scheme?

One way would be:

  1. The user receives an email on their desktop system with a quick response code in it and opens it
  2. They then scan the QR code using the camera in their mobile phones
  3. The QR code then sends them to a phishing page similar to a Microsoft login page
  4. Finally, they enter their login details into the phishing page

Better Business Bureau Warns Users About Malicious QR Codes

The Better Business Bureau (BBB) has sent an alert in July this year about scams using quick response codes designed to send people to phishing pages where scammers can steal their sensitive information.

According to the BBB, the QR codes make the emails appear more legitimate and therefore the users are more likely to take an action on them.

For instance, one user reported that they got a fraudulent letter about student loan consolidation that contained a QR code that linked to a phishing page similar to the Studentaid.gov website.

fraudulent letter

How to Protect Yourself From QR Code Scams?

QR code scams, also known as "Quishing" are a good indication of how phishing operators are constantly evolving.

These allow scammers to avoid the typical security platforms as they can disguise malicious links as QR images, while at the same time appearing more legitimate.

The scheme also abuses the fact that it's very easy to scan a QR code using the camera on your mobile device as all you need to do is point the camera at the QR code and poof! you're sent to a phishing website designed to steal your personal information.

How to avoid a QR scam?

There are several things you can do to avoid a scam like this: