
The QR code you are about to scan might be a phishing scam

QR codes are widely used today. They are a common way to quickly open a particular document or website and are used everywhere from restaurants to commercials to sporting events. The COVID epidemic helped make QR codes more widely accepted after they had previously been considered a semi-niche technology.

It is simple and convenient to use a QR code. It is also paperless, which may appeal to the eco-conscious, particularly in restaurants, many of which have replaced paper menus with QR codes.

The QR code is quite impressive when used as intended. Simply aim the camera of your smartphone at a QR code, and a link to the specified website will appear for you to click.

However, QR codes have also opened new possibilities for scammers. The problem is that you do not know which webpage the code links to, nor whether it is legitimate. Bad actors can tamper with codes and lead victims to malicious websites where their financial and personal information is stolen.

A new phishing scam posing as DHL is currently in progress online, according to a recent blog post from the antivirus company Kaspersky. What makes it unique, however, is the way the cybercriminals behind this effort are exploiting QR codes to avoid detection.

How can a phishing scam use a QR code?

The attack starts with a fake DHL-themed email. Although the sender’s address is a random string of letters and numbers that has nothing to do with the courier service’s name, the message body has a corporate logo, an order number and the purported date of package arrival, all of which are highly convincing.

According to the notice (which is in Spanish), an order has arrived at a nearby post office and the courier was unable to deliver it personally. Normally, a link to “resolve the issue” would be included with such bait, but this time there is a QR code.

Email claiming to be from DHL contains a malicious QR code (Kaspersky)

Scanning a black-and-white square that can be seen on product packaging, advertising posters, business cards, or elsewhere offers a rapid path to the relevant website. QR codes are most frequently used to send links offline.

The plan appears to be that even if the victim reads the email on a PC at first, they will still need to use a smartphone to read the QR code, which will cause the malicious website to load on the small screen of a mobile device, where the signs of a phishing scam are more difficult to identify.

URLs are partially hidden in mobile browsers because of space limitations. Recently, the address bar in Safari was moved to the bottom of the display, where many users hardly look. Because the URL of the fake site looks nothing like the legitimate one, this directly benefits the cybercriminals.

The fraudsters are unlikely to begin charging the victim’s card right away, so that the victim won’t associate the debits with the fake “DHL” email. It is more likely that they will sell the payment information on the dark web, and the purchaser will be the one who steals the money later.

Keep yourself safe

The risk lies in the site that the QR code takes you to, not the QR codes themselves.

  • Always verify the email address of the sender when you get an email pretending to be from a well-known service. If what follows the @ is not the company’s actual name, it is likely to be a scam.
  • Only use trustworthy retailers and service providers when paying with QR codes.
  • After scanning a code, verify the site URL to make sure it is authentic. Check the address for spelling errors.
  • If you’re expecting a shipment, be sure to write down the tracking code and monitor the status of the package on the official website by manually entering the URL.
  • Avoid using QR readers in public spaces or other vulnerable areas.
  • Install a trustworthy antivirus on each device that includes anti-phishing and anti-fraud protection so that you are alerted as soon as a threat arises.
  • All your email, banking, and other private accounts should have multifactor authentication enabled.
  • Update the operating system on your smartphone. By updating, you can be sure that your phone is outfitted with the most recent security protocols.
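
The sender-address and site-URL checks from the list above, written as an added example (not code from the original article or from Kaspersky). It assumes the QR code has already been decoded to a URL by a scanner; the `BRAND_DOMAINS` allow-list, the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: allow-list of domains the brand really uses; maintain your own.
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

def _on_brand_domain(host, brand):
    """True only if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def claimed_brand(msg):
    """Brand named in the From display name or the Subject, if any."""
    display, _ = parseaddr(msg.get("From", ""))
    text = (display + " " + msg.get("Subject", "")).lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)

def check_sender(msg, brand):
    """Flag a sender whose domain (the part after the @) is not the brand's."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    return [] if _on_brand_domain(domain, brand) else [f"sender domain '{domain}' is not {brand}"]

def check_qr_url(url, brand):
    """Flag a URL (already decoded from the QR image) that leaves the brand's domain."""
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:  # https://dhl.com@other.host/ really goes to other.host
        findings.append("URL carries userinfo before '@' (host disguise)")
    host = parts.hostname or ""
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host (possible lookalike characters)")
    if not _on_brand_domain(host, brand):  # also catches misspellings and brand-as-subdomain
        findings.append(f"host '{host}' is not {brand}")
    return findings

def triage(raw_email, qr_url):
    msg = message_from_string(raw_email)
    brand = claimed_brand(msg)
    return check_sender(msg, brand) + check_qr_url(qr_url, brand) if brand else []

# Constructed sample modelled on the email described above (not real indicators).
SAMPLE = ("From: DHL Express <k3x9q7a2@mail-example.test>\n"
          "Subject: Su paquete no pudo ser entregado\n\n"
          "Escanee el codigo QR para resolver el problema.\n")
SAMPLE_QR_URL = "https://dhl.com.parcel-example.test/pago"

print(triage(SAMPLE, SAMPLE_QR_URL))
```
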

We are particularly vulnerable to the exploitation of QR codes since they are still relatively new to many of us. Little research has been done on how to address QRishing. Until we know more, use QR codes with caution.
