
QR codes - New Phishing Threats

Recently, we have noticed a surge in phishing threats related to QR codes. In this quick read, we will tell you how to identify and protect yourself from this emerging threat.

QR codes (short for "quick response" codes) are a legitimate, two-dimensional bar code technology created in the mid-nineties. Today, they are often used to save you from typing a long website address: you point your cell phone camera at a QR code and tap the link to the corresponding website. You might have encountered them in a restaurant to access a digital menu. Generally speaking, they are harmless.

However, in the last few weeks, we've noticed that cybercriminals are now sending QR codes via email in hopes of directing you to malicious sites. They embed these QR codes in "official-sounding" messages from Microsoft, Google, or other trusted vendors asking you to validate your account. Essentially, this is just the latest variation of an email phishing scam that people are now calling "quishing."

What to Do

There are very few legitimate reasons you should receive a QR code in email. Unless it is a QR code you requested, assume the code is malicious and delete the email. At the very least, treat the email with high suspicion. QR codes are also embedded in email attachments, such as PDF files. You should treat these with the same level of suspicion.  

We've written about ways to spot a phish (Five Tricks to Identifying a Phishing Attempt). Also, be wary of these tactics:

#1 - Urgency

When the wording of an email immediately makes you panic a little, you are probably dealing with a phishing attempt. The message can come from many different directions, but if its tone makes you think you have to act immediately, you should calm down and verify the message with a call or text. Also, be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” it's likely a scam.

#2 - Attachments

Unless you are expecting an email or you know exactly who is sending you a message, you should never click on an attachment. This goes double if it is from a financial institution. No reputable bank will send you a downloadable attachment unless you directly communicate with them. 

#3 - Spelling and Grammar Errors

Phishing emails tend to be written by people whose first language isn’t English, and they tend to make terrible spelling and grammar mistakes. If the content of the message is riddled with typos, you might be dealing with a phishing email.

#4 - Illegitimate Addresses

Finally, one of the telltale signs that you are being phished is the legitimacy of the links and addresses in the message itself. Here’s a short guide to help you and your staff:

  • Check the email address in the header. An email from Amazon wouldn’t come in misspelled as noreply@amazn.com. Do a quick Google search for the email address to see if it is legitimate.
  • Ultimately, if you do activate the link associated with the QR code, validate that it points to a legitimate site.  
    • paypal.com - Safe
    • paypal.com/activatecard - Safe
    • business.paypal.com - Safe
    • business.paypal.com/retail - Safe
    • paypal.com.activatecard.net - Suspicious! (notice the dot immediately after PayPal’s domain name)
    • paypal.com.activatecard.net/secure - Suspicious!
    • paypal.com/activatecard/tinyurl.com/retail - Suspicious! Don’t trust dots after the domain!
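
The link check above can also be written as a short Python function. This is an added example, not part of the original article: the `TRUSTED` allow-list and the `check_link` name are assumptions made for illustration, and the sample links are the seven listed above.

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually expect links from (illustrative allow-list).
TRUSTED = {"paypal.com"}

# The seven sample links from the list above, with the article's verdicts.
SAMPLES = {
    "paypal.com": "safe",
    "paypal.com/activatecard": "safe",
    "business.paypal.com": "safe",
    "business.paypal.com/retail": "safe",
    "paypal.com.activatecard.net": "suspicious",
    "paypal.com.activatecard.net/secure": "suspicious",
    "paypal.com/activatecard/tinyurl.com/retail": "suspicious",
}


def check_link(url, trusted=TRUSTED):
    """Classify the URL decoded from a QR code as 'safe' or 'suspicious'."""
    url = url.strip()
    if "://" not in url:  # the samples omit the scheme
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Rule 1: the host must be a trusted domain or a subdomain of one.
    # Matching on the END of the host is what catches
    # "paypal.com.activatecard.net", whose real domain is activatecard.net.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return "suspicious", f"real domain is not trusted: {host}"

    # Rule 2 (the article's conservative rule): no dots after the domain.
    # This also flags harmless paths such as /index.html, by design.
    if "." in parts.path:
        return "suspicious", f"dot after the domain: {parts.path}"

    return "safe", f"host {host} is under a trusted domain"


if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = check_link(link)
        print(f"{link:45} {verdict:10} ({reason})")
```

Decode the QR code to text first (most phone cameras show the link before opening it) and pass that text to `check_link`.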
     

Remember

Never click a link, open an attachment, or scan a QR code unless you are sure it is safe. If in doubt, please contact our Help Desk team for guidance. We are always happy to help!