GUEST ESSAY: How to mitigate the latest, greatest phishing variant — spoofed QR codes

By Allen Lieberman

QR code phishing attacks started landing in inboxes around the world about six months ago.


These attacks prompt the target to scan a QR code and trick them into downloading malware or sharing sensitive information.

In June, we started seeing these attacks among our customer base. Since June, search volume for keywords associated with QR code phishing has increased fourfold.

Within the last week we identified 655,000 QR codes in our customers' mail. Of those, 1,000 contained suspicious text and 8,000 came from a sending domain with a low rank (a freemail provider or a newly registered domain, both flags for a malicious sender). Those numbers reflect the attack landscape as it stands.

Scans slip through

These attacks succeed because many traditional email security tools focus only on scanning text, so an attack carried in an image slips through. Once it reaches the inbox, the user's natural reaction is to "scan the code", assuming it is legitimate.

Most users have no apprehension about scanning a QR code, because the assumption is that QR codes are legitimate. Users also typically receive the email on their work device but scan the code with their phone.

Mobile phones often lack the corporate protections that desktops have, so the link is opened outside those controls. Many companies only discover the attack in the rear-view mirror, post-compromise, when anomalies such as mail sent from a new IP address or device show up.


At this stage, companies should, at a minimum, educate employees about how common these attacks are and what to look for; that is the most basic protection. For example, users should know that Microsoft, Zoom, Zendesk and other platforms will never email them a QR code to scan in order to log in, which is exactly the lure users fall for.

Attacker friendly

Looking at hacker economics here, it is easy to understand why these attacks are so popular: they come with a low investment of cost and time, and they can be scaled up without much effort. In some cases, these attacks are also hard to detect. As a few examples:

•Secure email gateways fetch the first URL the QR code points to, but not the malicious redirect behind it.

•Text can be embedded in the image of the QR code itself, which text-based systems won't pick up; Optical Character Recognition (OCR) is required.

Best practices

So how do you defend your enterprise against QR code phishing attacks?

The first step business leaders should take is to determine whether their business has a legitimate use case for QR codes sent by email. QR codes only make life easier if they don't come with a side of malware or a scam to steal information. Beyond that, here are a few best practices:

•Determine whether the email contains a QR code and whether it comes from an untrusted sender or a sender with a low domain rank. Each company has to decide what it deems an "untrusted sender": it can be a sender with a recently registered domain, a first-time sender to the user, or a sender that has not been seen anywhere across the company or the platform.

•Decode QR codes, and run OCR to find text that is hidden in an image rather than present as text; then extract and follow the URL to determine whether it is malicious. In image-based attacks, the image itself can be added to a deny list so that emails containing anything similar are blocked.

•As the QR code landscape evolves and new codes appear constantly, attackers keep iterating these attacks. A recent method places the malicious QR code in a PDF attachment. It is therefore important to scan not only the text and images in the email body but the attachments as well.

•Use tooling that lets you hover over a QR code and see the destination it redirects to, as you would with a link. If the destination cannot be previewed, treat the code as not legitimate.
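Putting the practices above together, and the gateway blind spot noted under "Attacker friendly" (the first URL is fetched, the redirect behind it is not), here is an added example of the triage logic. It is not Tessian's tooling or code from this essay. The QR decoder is injected as a callable (a real deployment would run pyzbar or zxing over the image bytes and over every page of a PDF); domain age, the known-sender directory and the redirect chain are constructed lookup tables so the example runs offline; the sample email, domains and URLs are invented.

```python
"""Triage of a suspected QR-code phishing email. Added example; every name,
domain, URL, the sample message and the lookup tables below are constructed."""
import email
import email.utils
from email import policy
from urllib.parse import urlsplit

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Constructed "domain rank" data: days since the sending domain was registered.
DOMAIN_AGE_DAYS = {"acme-corp.example": 4200, "acme-payrol1.example": 9}
# Constructed directory of senders already seen across the organisation.
KNOWN_SENDERS = {"hr@acme-corp.example"}
# Constructed redirect table standing in for HTTP 30x Location headers.
REDIRECTS = {
    "https://qr.shortlink.example/r/7f3a": "https://cdn.assets.example/go?to=3",
    "https://cdn.assets.example/go?to=3": "https://microsoft-login-verify.example/auth",
}
# Constructed decoder output keyed by part filename (stand-in for pyzbar/zxing).
DECODED = {"qr.png": "https://qr.shortlink.example/r/7f3a"}
BRAND_WORDS = ("microsoft", "zoom", "zendesk")
LEGIT_DOMAINS = ("microsoft.com", "microsoftonline.com", "zoom.us", "zendesk.com")

SAMPLE_EMAIL = """\
From: "HR" <hr@acme-payrol1.example>
To: alice@acme-corp.example
Subject: Action required: re-authenticate your payroll account
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<p>Scan the code below with your phone to keep access to payroll.</p><img src="cid:qr">
--B1
Content-Type: image/png
Content-ID: <qr>
Content-Disposition: inline; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="payroll_notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
"""


def scannable_parts(msg):
    """Every MIME part a QR scanner must look at: images (inline or attached) and PDFs."""
    return [p for p in msg.walk()
            if p.get_content_type().startswith("image/")
            or p.get_content_type() == "application/pdf"]


def sender_flags(msg):
    """Untrusted-sender heuristics: freemail, new or unknown domain, first-time sender."""
    addr = email.utils.parseaddr(str(msg["From"]))[1].lower()
    domain = addr.rsplit("@", 1)[-1]
    flags = []
    if domain in FREEMAIL:
        flags.append("freemail")
    if DOMAIN_AGE_DAYS.get(domain, 0) < 30:
        flags.append("new-or-unknown-domain")
    if addr not in KNOWN_SENDERS:
        flags.append("first-time-sender")
    return flags


def resolve_chain(url, fetch=REDIRECTS.get, max_hops=10):
    """Follow redirects to the landing page; a gateway that stops at hop one never sees it."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


def url_flags(chain):
    """Flag hops that change host and a final host that imitates a brand it does not own."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    flags = []
    if len(set(hosts)) > 1:
        flags.append("cross-domain-redirect")
    final = hosts[-1]
    if any(b in final for b in BRAND_WORDS) and not any(
            final == d or final.endswith("." + d) for d in LEGIT_DOMAINS):
        flags.append("brand-lookalike-final-host")
    return flags


def triage(raw, decode=lambda name, data: DECODED.get(name)):
    """Combine sender reputation with what the decoded QR URLs actually resolve to."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = scannable_parts(msg)
    report = {"sender": sender_flags(msg), "parts": [], "verdict": "deliver",
              "scanned": [p.get_filename() for p in parts]}
    for part in parts:
        url = decode(part.get_filename(), part.get_payload(decode=True))
        if url is None:
            continue
        chain = resolve_chain(url)
        report["parts"].append({"part": part.get_filename(), "chain": chain,
                                "flags": url_flags(chain)})
    if report["sender"] and any(p["flags"] for p in report["parts"]):
        report["verdict"] = "quarantine"
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

On the sample message the sender is both unknown to the organisation and on a nine-day-old domain, and the QR URL's first hop is a harmless-looking shortener; only the resolved chain shows the brand-lookalike landing host, so the verdict is quarantine. Any single heuristic alone would be noisy; the combination of an untrusted sender with a redirecting QR URL is what makes the block decision defensible.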

Staying on top of how these attacks evolve and ensuring that your defense mechanisms follow suit can feel like a full-time job. However, cloud email security providers can offer a series of defense mechanisms, from QR code scanning to perceptual hashing, OCR-based detection, and URL and behavioral analysis.
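The image deny list from the best practices above and the perceptual hashing mentioned here rely on a hash that survives small changes to an image, which a cryptographic hash does not. The following added example (not from this essay or Tessian) implements one such hash, dHash, in pure Python and uses it to match a re-sent, slightly altered copy of a deny-listed image. The images are constructed pixel patterns standing in for real QR PNGs, and the 36x32 size, the 10-bit threshold and the deny-list entry name are assumptions.

```python
"""Perceptual-hash deny list for QR phishing images. Added example; the images
below are constructed patterns, not real QR codes.

dHash: shrink the image to a 9x8 grid of grey cells and record, per row, whether
each cell is darker than its right-hand neighbour. The 64 bits change little when
the image is re-encoded, shifted a pixel or given some noise, so a deny-listed
template still matches, while its SHA-256 changes completely."""
import hashlib

W, H = 36, 32  # constructed sample size: 4x4 pixel blocks shrink to 9x8 cells


def make_image(pixel_fn):
    """Build a greyscale image as rows of 0..255 values from a pixel function."""
    return [[max(0, min(255, pixel_fn(x, y))) for x in range(W)] for y in range(H)]


# Template a campaign re-uses: a coarse checkerboard standing in for a QR code.
template = make_image(lambda x, y: 255 if ((x // 4) + (y // 4)) % 2 == 0 else 0)
# The same template as a later sender re-encoded it: shifted one pixel right,
# with +/-20 of noise on every pixel.
variant = make_image(lambda x, y: (255 if (((x - 1) // 4) + (y // 4)) % 2 == 0 else 0)
                     + (20 if (x * 7 + y * 3) % 2 else -20))
# An unrelated picture (a horizontal gradient).
unrelated = make_image(lambda x, y: x * 7)


def shrink(img, cols=9, rows=8):
    """Box-filter downscale to cols x rows cells (dimensions must divide evenly)."""
    h, w = len(img), len(img[0])
    bw, bh = w // cols, h // rows
    out = []
    for r in range(rows):
        row = []
        for c in range(cols):
            block = [img[y][x] for y in range(r * bh, (r + 1) * bh)
                     for x in range(c * bw, (c + 1) * bw)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit difference hash: bit = 1 where a cell is darker than its right neighbour."""
    bits = 0
    for row in shrink(img):
        for c in range(8):
            bits = (bits << 1) | (1 if row[c] < row[c + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_pixels(img):
    """Exact hash of the raw pixels, for contrast with dhash."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


# Deny list: name -> dHash of an image seen in a confirmed campaign (constructed).
DENY_LIST = {"payroll-quish-template": dhash(template)}


def match_denylist(img, denylist=DENY_LIST, threshold=10):
    """Return the deny-list entry within `threshold` bits of the image, else None."""
    h = dhash(img)
    name, listed = min(denylist.items(), key=lambda kv: hamming(h, kv[1]))
    return name if hamming(h, listed) <= threshold else None


if __name__ == "__main__":
    print("variant distance:", hamming(dhash(template), dhash(variant)))
    print("unrelated distance:", hamming(dhash(template), dhash(unrelated)))
    print("sha256 equal:", sha256_pixels(template) == sha256_pixels(variant))
    print("match:", match_denylist(variant), match_denylist(unrelated))
```

The shifted, noisy copy lands at distance 0 from the template even though its SHA-256 is different, and the gradient lands far outside the threshold; that gap between near-duplicates and unrelated images is what lets one deny-list entry block a whole campaign's re-sent images without blocking legitimate ones. In production the threshold is tuned against a corpus of known-good images, since a threshold that is too loose turns the deny list into a source of false positives.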

Tools and services are readily available to ensure these attacks don't reach users' inboxes in the first place, where they would have a fighting chance of succeeding.

Make sure to always check the waters before you swim (or in this case, scan).

About the essayist: Allen Lieberman is the Chief Product Officer at Tessian. Prior to Tessian, Allen was at VMware Carbon Black for nearly a decade, where he held roles including Senior Director of Product Marketing and VP of Product Management.
