“Quishing” you a Happy Holiday Season

QR Code phishing scams — What they are and how to avoid them.

Originally invented to keep track of car parts in the early 90s, QR codes have been around for decades. After gaining broader acceptance during the COVID-19 pandemic, they are now, perhaps inevitably, being exploited by cybercriminals. Quishing, or QR code phishing, targets smartphone users who scan the 2D barcode, which leads to a phishing site, malicious link, or another cyber attack.

We’ll look at the threat from QR code-based phishing and consider why cybercriminals are adopting this technique. Additionally, we’ll explore opportunities to detect and disrupt these attacks at scale.

QR codes in phishing emails: what’s the threat?

QR codes work exactly like malicious links: a victim who scans the QR code, typically using their smartphone, is directed to a malicious site. From there, the deception can continue as with any other phishing campaign.

By now, many know how to spot suspicious-looking links in phishing emails that mimic official communications from established brands or institutions. The opposite is true with QR codes: there is typically no user-accessible way to check the destination before scanning.

From a cybercriminal’s perspective, there are several reasons to use QR codes for phishing, often dubbed quishing, including:

  1. Hiding URLs from users – QR codes provide criminals with a very effective mechanism for hiding suspicious URLs, making this an ideal way to bypass growing user skepticism about clicking questionable and shortened URLs.
  2. Circumventing corporate controls – If users receive a QR-based phishing email on their work computer, they will likely scan the code using their phone. Cybercriminals know personal devices may have less built-in security than a company computer or phone. It’s a subtle way of encouraging victims to use devices that are not under corporate control and are, therefore, less likely to

December 19, 2023

Netanyahu’s Unsustainable Oslo Ambivalence

“The number of people killed on Oct. 7 and after the Oslo Accords are the same,” Israeli Prime Minister Benjamin Netanyahu reportedly proclaimed in a closed-door meeting of the Knesset’s Foreign Affairs and Defense Committee last week. This tone-deaf s…

December 19, 2023

The New Washington Consensus

On this show, Chris, Melanie, and Zack discuss the so-called “new Washington Consensus” – a reaction to decades of trade liberalization and free market economics that, some warn, has undermined national security and left the United States and others vu…

December 19, 2023

The Future of Presidential Libraries

Paul Noel Chretien, a Public Interest Declassification Board Board Member and retired Central Intelligence Agency Officer, moderated a discussion with Tim Naftali, a clinical associate professor of History and Public Policy at New York University; Matt…

December 19, 2023