“How safe is it to scan that QR code in my email?”
Let’s delve a little deeper into QR Codes…
In today’s digital age, technology continuously evolves to make our personal and professional lives more convenient. The Quick Response (QR) code is one such advancement. This two-dimensional barcode allows users to share website URLs and contact or product information, or to make payments. While QR codes have made our daily lives easier, they have also opened new avenues for cybercriminals to exploit. QR code phishing attacks, also known as quishing, are on the rise and present a significant threat to users and organizations alike.
How cybercriminals are using QR codes in email attacks
Hackers use QR codes in email attacks to trick recipients into visiting malicious websites or downloading malware onto their devices. These attacks typically involve social engineering tactics designed to exploit the trust that people often place in emails.
How can you identify a quishing attack?
Spotting a quishing attack can be challenging due to the inherent nature of QR codes, which hide their contents until scanned. Unlike traditional phishing attacks, quishing emails contain QR codes as plain images or within attachments with non-suspicious extensions, allowing them to bypass malware detectors and email filters. This means they can evade detection and not be relegated to the spam folder, leaving individuals vulnerable to social engineering tactics.
To guard yourself against QR code deception, be vigilant and look for certain signs before scanning a QR code. The tips below can help:
Unexpected or unsolicited QR codes
Be cautious of QR codes that appear in unsolicited emails or messages, especially if they prompt you to take immediate action.
Lack of context or explanation
Legitimate QR codes are usually accompanied by clear explanations of their purpose. Be wary of codes that lack context or a credible source.
Suspicious sender
Check the sender’s email address or contact information for any signs of illegitimacy, such as misspellings or unusual domain names.
Urgency or pressure
Scammers often create a sense of urgency to prompt quick action. Be sceptical of messages that pressure you to scan a QR code immediately.
Use a secure QR code scanner
Some QR code scanner apps offer security features that check the safety of the link before opening it. Consider using such an app to add an extra layer of protection.
Examples of quishing, or QR code phishing, may look like this in the body of an email:
Or even a suggestion that you need to re-authenticate your security:
Hackers frequently pose as Microsoft because it is a trusted source, and an unsuspecting user may not think to question the message's legitimacy.
By following the recommendations above, you can enhance your defence against quishing attacks and protect your sensitive information from falling into the wrong hands.
Is there anything else that can help?
The answer is yes. Implementing a secure email protection platform that uses AI is one way to help detect these attacks. A fake QR code is usually not the only sign of a malicious email. AI-based detection will also take other signals into account, such as senders, content, image size, and placement, to determine malicious intent.
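To make the idea of combining signals concrete, here is a small rule-based check added for illustration; it is not PurpleJelly's product or any vendor's detection logic, and it does not decode the QR image. The brand table, keyword list, word-count threshold and both sample emails are assumptions constructed for this example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for illustration: brand names and the domains allowed to use them.
BRAND_DOMAINS = {"microsoft": ("microsoft.com",)}
URGENCY = re.compile(r"\b(immediately|urgent|expires?|re-?authenticate)\b", re.I)

def quishing_signals(raw: str) -> list[str]:
    """Return the names of the warning signs found in one raw email."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in allowed)
        if brand in name.lower() and not trusted:
            signals.append("sender-brand-mismatch")
    text, images = "", 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_maintype() == "image":
            images += 1
    # A QR image carrying the whole message leaves very little readable text.
    if images and len(text.split()) < 30:
        signals.append("image-with-little-text")
    if URGENCY.search(text) or URGENCY.search(str(msg["Subject"] or "")):
        signals.append("urgency-language")
    return signals

def build_sample(sender: str, subject: str, body: str, with_image: bool) -> str:
    """Build a constructed test email; the image bytes are a placeholder, not a real QR code."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if with_image:
        msg.add_attachment(b"placeholder", maintype="image", subtype="png", filename="code.png")
    return msg.as_string()

SUSPECT = build_sample('"Microsoft Security" <alerts@example.net>',
                       "Action required", "Scan the code to re-authenticate immediately.", True)
ROUTINE = build_sample('"Facilities" <facilities@example.org>',
                       "Car park closure", "The north car park is closed on Friday.", False)

if __name__ == "__main__":
    print(quishing_signals(SUSPECT))
    print(quishing_signals(ROUTINE))
```

No single signal proves malicious intent; a real filter would weigh several together, which is why the function returns all of them instead of a yes/no answer.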
PurpleJelly can help with Impersonation Protection and will use these and other techniques to identify and block QR code scams.
One more piece of advice is to educate users so they can anticipate these attacks. If QR code attacks are not part of your security awareness training yet, please make sure they are covered in the future.
Contact PurpleJelly for professional advice on email security and other cybersecurity issues. Call us on 01252 856 230 or complete the contact form to find out how we can elevate your Cyber Protection.