eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Since the onset of the COVID-19 pandemic, most businesses across a wide range of industries have begun using Quick Response (QR) codes to provide a contactless experience for their customers. The QR code is a square pixelated barcode that can be read by digital devices such as your smartphone camera.
These codes are often used for many legitimate purposes, such as helping you navigate to a website, set up multi-factor authentication (MFA) for a software application, access Wi-Fi, and more. For example, restaurants used QR codes in place of physical menus, and retail stores used them to share detailed product information with their customers.
Unfortunately, due to the abstract design of QR codes, it’s nearly impossible to tell where the code will direct you to. Unlike traditional phishing attacks where you may be able to identify a suspicious URL by hovering over the hyperlink to see if the destination URL matches the text URL provided to you, QR codes hide the URL, making it difficult for you to detect.
This has presented many threat actors with ample opportunities to exploit QR codes to embed malicious URLs containing malware or phishing websites to collect your sensitive data.
In fact, our Threat Response Unit (TRU) recently investigated an Adversary-in-the-Middle (AiTM) phishing attack in which the threat actor(s) impersonated one of our customers’ HR personnel and used a QR code to entice the employee into scanning it with their phone.
Why are QR Code-based Phishing Attacks Dangerous?
Recently, we have seen a significant rise in the use of QR code phishing attacks, known as “Qishing” or “Quishing.” Instead of providing a direct text link for users to click, threat actors use QR codes in phishing emails to bypass link filtering and security controls.
The subject matter of the QR phishing emails often changes, but the common thread is asking users to scan a QR code with their phone. Scanning the QR code brings users to a malicious website that often mimics a genuine platform like Microsoft Office 365 and asks them to log in. Once the users enter their credentials, they are shared directly with the threat actor.
Attackers benefit from the QR phishing attack tactic because phones and other mobile devices are often less secure, given that security teams don’t have visibility into the camera or browser activity.
Examples of Exploited QR Codes Observed in the Wild
Example 1: The adversary sends an email that looks to come from Microsoft and tries to get you to scan the QR code to complete your MFA setup
Example 2: The email appears as though it has a valid DocuSign contract
Example 3: The threat actor lures you with an email about salary and employee benefits and provides explicit directions to use your smartphone camera to scan the QR code
Best Practices for Opening QR Codes
At their core, QR codes are the same as any other link to a web page, so it’s best to apply the same scrutiny you would when clicking a link. Ask yourself:
Do you recognize the sender, and is the email address correct?
Have you ever received a legitimate email like this before?
Were you expecting the email? Avoid scanning codes in unsolicited emails.
Does the tone or wording of the email seem off?
Are they pressuring you to take immediate action or threatening you will lose access?
Preview the link and check for unfamiliar sites or misspellings in the URL.
We also recommend you don’t scan publicly posted QR codes on posters, etc.
How to Preview a QR Code Link
Your phone can help you preview where the QR code links to, however, these can sometimes be truncated.
On an iPhone, the link preview is only displayed if your default browser is set to Safari.
For Android, the preview will display for any browser.
Open your camera app and hover over the QR code. A link preview should be displayed on the screen, as seen in the image below.
Report Phishing Emails
If your employees receive an email suspected of phishing, they must know to report the emails as soon as possible to prevent others from falling victim to QR Code phishing attacks.
More importantly, you must establish a safe cyber culture at your organization and encourage your employees to report phishing attacks, especially if they fall for the scam. The goal here is so your security team can isolate the affected device ASAP to prevent lateral spread.
At eSentire, we have rolled out a “Report a Phish” button organization-wide within our Microsoft Outlook applications so our employees can report phishing emails immediately. Once a user clicks the button, a dialogue box opens with two important questions:
After the user answers the questions and submits the form by clicking “Report Email,” they’re presented with the following information. At this point, they can review and click “Close and Delete” to complete the reporting process.
Implement a Phishing and Security Awareness Training Program to Build User Resilience Against Cyberattacks
Threat actors are constantly evolving their tactics, techniques, and procedures (TTPs) to develop novel attack methods. So, you shouldn’t expect a one-time training exercise to be sufficient in raising security awareness with your employees.
The key is implementing a training program that can be iterated upon, especially since employees don’t always understand where they go wrong, limiting their ability to ward off real threats. Therefore, you need a comprehensive phishing and security awareness training program that tests the capabilities of your team to understand phishing threats and the escalation procedure, and more importantly, trains them continuously.
Our Managed Phishing and Security Awareness Training (PSAT) program helps you identify risk and test user resilience to enable behavioral change with your employees and generate measurable results across your organization. Here’s how our PSAT program works:
Our end-to-end service alleviates the resources required to keep your employees resilient against the most sophisticated social engineering tactics (e.g., phishing, SEO poisoning, business email compromises, and more).
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
