{"id":49388,"date":"2023-10-20T09:00:08","date_gmt":"2023-10-20T13:00:08","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=49388"},"modified":"2023-10-23T09:00:18","modified_gmt":"2023-10-23T13:00:18","slug":"qr-codes-in-phishing-emails","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/49388\/","title":{"rendered":"Received an email with a QR code? Watch out!"},"content":{"rendered":"<p><a href=\"https:\/\/securelist.com\/qr-codes-in-phishing\/110676\/\" target=\"_blank\" rel=\"nofollow noopener\">There\u2019ve been more and more cases<\/a> of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails has a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it\u2019s worth reacting to such messages.<\/p>\n<h2>Scan the QR code, or face the inevitable<\/h2>\n<p>A typical email of this kind contains a notification saying your account password is about to expire, after which you\u2019ll lose access to your mailbox, and so the password must be changed, for which you need to scan the QR code in the email and follow the instructions.<\/p>\n<div id=\"attachment_49399\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084257\/qr-codes-in-phishing-emails-01.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49399\" class=\"size-full wp-image-49399\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084257\/qr-codes-in-phishing-emails-01.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1500\" height=\"960\"><\/a><p id=\"caption-attachment-49399\" class=\"wp-caption-text\">The password must be reset by scanning the QR code<\/p><\/div>\n<p>Another email could warn the recipient that 
their \u201cauthenticator session has expired today\u201d. To avoid this, the user is advised to \u201cquickly scan the QR Code below with your smartphone to re-authenticate your password security\u201d. Otherwise access to the mailbox could be lost.<\/p>\n<div id=\"attachment_49400\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084417\/qr-codes-in-phishing-emails-02.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49400\" class=\"size-full wp-image-49400\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084417\/qr-codes-in-phishing-emails-02.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1460\" height=\"960\"><\/a><p id=\"caption-attachment-49400\" class=\"wp-caption-text\">\u201cAuthenticator session has expired\u201d \u2014 for a quick fix, scan the QR code<\/p><\/div>\n<p>A further example: the message kindly informs the reader: \u201cThis email is from a trusted source\u201d \u2014 we\u2019ve already talked about <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-stamp-verified\/44907\/\" target=\"_blank\" rel=\"noopener nofollow\">why emails stamped \u201cverified\u201d should be treated with caution<\/a>. The thrust of the message is that \u201c3 important emails\u201d supposedly cannot be delivered to the user due to lack of some kind of validation. 
Of course, scanning the QR code below will \u201cfix\u201d the issue.<\/p>\n<div id=\"attachment_49401\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084752\/qr-codes-in-phishing-emails-03.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49401\" class=\"size-full wp-image-49401\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084752\/qr-codes-in-phishing-emails-03.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1500\" height=\"1321\"><\/a><p id=\"caption-attachment-49401\" class=\"wp-caption-text\">Important emails can be delivered only by scanning the QR code for \u201cvalidation\u201d<\/p><\/div>\n<p>Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.<\/p>\n<p>They\u2019re also likely hoping that the recipient has heard something about authenticator apps \u2014 which do indeed use QR codes \u2014 so that their mere mention may stir some vague associations in their mind.<\/p>\n<h2>What happens if you scan the QR code in the email<\/h2>\n<p>The link in the QR code takes you to a rather convincing replica of a Microsoft login page.<\/p>\n<div id=\"attachment_49402\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23085324\/qr-codes-in-phishing-emails-04.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-49402\" class=\"size-full wp-image-49402\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23085324\/qr-codes-in-phishing-emails-04.jpg\" alt=\"Scanning the QR code opens a phishing site\" width=\"1500\" height=\"1340\"><\/a><p id=\"caption-attachment-49402\" class=\"wp-caption-text\">Scanning the QR code takes you to a phishing site that steals entered credentials<\/p><\/div>\n<p>Of course, all 
credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.<\/p>\n<p>An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.<\/p>\n<p>In other words, the phishing page is located directly on the phisher\u2019s computer and is accessible via a link through a special IPFS gateway. <a href=\"https:\/\/securelist.com\/ipfs-phishing\/109158\/\" target=\"_blank\" rel=\"nofollow noopener\">Phishers use the IPFS protocol<\/a> because it\u2019s much easier to publish a phishing page this way, and much harder to remove it than to block a \u201cregular\u201d malicious website. As such, the links live longer.<\/p>\n<h2>How to guard against phishing QR codes<\/h2>\n<p>No decent authentication system will suggest scanning a QR code as your <em>only<\/em> option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you\u2019re probably dealing with phishing. You can safely ignore and delete such an email.<\/p>\n<p>And for those times when you need to scan a QR code from an unknown source, we recommend <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">our security solution<\/a> with its secure QR code scanner function. 
It will check the contents of QR codes and warn you if there\u2019s anything bogus inside.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Examples of how QR codes in emails are used for phishing.<\/p>\n","protected":false},"author":2598,"featured_media":49389,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[19,936,38,76,1557,97,4480,422],"class_list":{"0":"post-49388","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-email","9":"tag-kaspersky-qr-scanner","10":"tag-microsoft","11":"tag-phishing","12":"tag-qr-codes","13":"tag-security-2","14":"tag-signs-of-phishing","15":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/49388\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/qr-codes-in-phishing-emails\/26505\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/21938\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/11130\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/29207\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/qr-codes-in-phishing-emails\/26785\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/26789\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/qr-codes-in-phishing-emails\/29273\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/qr-codes-in-phishing-emails\/28118\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/qr-codes-in-phishing-emails\/36431\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/qr-codes-in-phishing-emails\/11808\/"},{"hr
eflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/qr-codes-in-phishing-emails\/21125\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/qr-codes-in-phishing-emails\/21908\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/qr-codes-in-phishing-emails\/30612\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/qr-codes-in-phishing-emails\/27089\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/qr-codes-in-phishing-emails\/32795\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/qr-codes-in-phishing-emails\/32444\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/qr-codes\/","name":"QR codes"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=49388"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49388\/revisions"}],"predecessor-version":[{"id":49403,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/49388\/revisions\/49403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/49389"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=49388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=49388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=49388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}