Share This:

In today’s digital age, the use of technology continuously evolves to make our personal and professional lives more convenient. Quick Response (QR) code has been one such advancement. This two-dimensional barcode allows users to share website URLs and contact information or make payments. While QR codes have made our daily lives easier, they have also opened new avenues for cybercriminals to exploit. Also known as quishing, QR code phishing attacks are on the rise and present a significant threat to users and organizations alike.

How cybercriminals are using QR codes in email attacks

Hackers use QR codes in email attacks to trick recipients into visiting malicious websites or downloading malware onto their devices. These attacks typically involve social engineering tactics designed to exploit the trust that people often place in emails. Here are some examples of the tactics that cybercriminals are using:

Phishing links

Attackers embed QR codes in phishing emails, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. Victims are usually tricked into entering their login credentials, which are then captured by an attacker.

Fake QR codes may also lead to surveys or forms that request personal information such as name, address, or Social Security number. Victims might be lured with promises of rewards or prizes in exchange for information or even a small payment.

Examples of QR code email phishing attacks:

QR code in phishing emails example

QR codes lead to well-crafted fake sign-in pages like this:


Malware downloads

Similarly, QR codes can link victims to malicious websites that automatically download malware onto the victim’s device when scanned. This malware can range from spyware to ransomware, allowing attackers to steal data or take control of a compromised device.

Compromised devices

QR codes can also be used to open payment sites, follow social media accounts, and even send pre-written email messages from victims’ accounts. This means that hackers can easily impersonate their victims, targeting others in their contact directory.

Detecting QR code attacks in email messages

QR code attacks are difficult to detect using traditional email filtering methods. There is no embedded link or a malicious attachment to scan. Email filtering is not designed to follow a QR code to its destination and scan for malicious content. It also shifts the actual threat to a different device that may not be protected by corporate security software.

Using AI and image recognition technology is one of the ways to detect these attacks. A fake QR code is usually not the only sign of a malicious email. AI-based detection will also take other signals into account — such as senders, content, image size, and placement — to determine malicious intent. Barracuda Impersonation Protection will use these and other techniques to identify and block QR code scams.

Educate users so they can anticipate these attacks. If QR code attacks are not part of your security awareness training yet, make sure they are covered in the future. Your users should exercise caution when scanning QR codes delivered through email or other methods.

Photo: Kinga / Shutterstock

Share This:
Olesia Klevchuk

Posted by Olesia Klevchuk

Olesia Klevchuk is a Senior Product Marketing Manager for email security at Barracuda Networks. In her role, she focuses on defining how organizations can protect themselves against advanced email threats, spear phishing and account takeover. Prior to Barracuda, Olesia worked in email security, brand protection, and IT research.

Leave a reply

Your email address will not be published. Required fields are marked *