Why scanning QR codes shared on emails and messages may not be a good idea

Threat actors are sharing emails and messages pretending to be from big tech companies to share QR codes that direct users to fake webpages used to collect sensitive user data and launch phishing attacks

November 02, 2023 04:48 pm | Updated 05:27 pm IST

Cybercriminals use emails and messages pretending to be from big tech companies to distribute fake QR codes. | Photo Credit: KK Mustafah

Cybercriminals use emails and messages pretending to be from big tech companies, including Microsoft and its cloud service Office 365, to distribute QR codes. When scanned, these QR codes take users to a convincing replica of the login pages of online accounts. Credentials entered on these pages are collected by threat actors to be sold on the dark web or used to launch further attacks, including hijacking users' accounts, launching ransomware attacks and expanding the number of victims.

Leveraging the threat of expiring credentials

Cybercriminals typically send emails with a notification saying the user's account password is about to expire, after which the user will lose access to their mailbox, and that the password must be changed by scanning the QR code in the email and following the instructions.

“Authenticator session has expired today” is another hook used by threat actors to get users to scan QR codes. Usually, the QR codes come with the promise of re-authenticating password security to lure unsuspecting users into scanning them.

Cybercriminals also make use of a “verified” stamp in the email, which scammers use to persuade users to click a link or open a file. And while the stamp may not be enough to fool users well versed with emails, it has been known to have been used by cybercriminals.

When users scan the QR codes, they are redirected to a convincing-looking replica of login pages. Threat actors are also known to make use of InterPlanetary File System (IPFS) resources. IPFS is a communication protocol for sharing files, similar to torrents. The protocol allows for publishing files on the internet without domain registration, hosting, or other complications, Kaspersky shared in a blog post.

The protocol is used by scammers because a phishing page hosted on it is much easier to publish and much harder to remove than a “regular” malicious website.

How to guard against phishing attacks using QR codes

Users should not scan QR codes from untrusted sources. Users should also keep in mind that no authentication system will provide QR codes as the only method to authenticate passwords for continued access to user accounts. Therefore, emails that ask you to confirm something, sign into an existing account or reset a password, and that offer a QR code as the only way to do so, should be ignored or reported as spam.
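
The Python below is an added example, not part of the original article or of Kaspersky's post. It triages a URL already decoded from an emailed QR code, flagging IPFS-hosted content in its common URL forms and any host outside a list of known sign-in hosts. The trusted-host list, the function names and the sample CIDs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organisation really uses for sign-in (edit to suit).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Constructed sample content identifiers (CIDs), well-formed but not real content.
SAMPLE_CIDV0 = "Qm" + "a" * 44
SAMPLE_CIDV1 = "bafybei" + "a" * 52
# CIDv0 ("Qm" + 44 base58 chars) or CIDv1 in base32 ("b" + lowercase base32).
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{20,})$")


def ipfs_reference(url):
    """Return the IPFS/IPNS form a URL uses, or None if it is not IPFS content."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in ("ipfs", "ipns"):
        return "native " + parts.scheme.lower() + ":// link"
    # Path-style gateway: https://<gateway>/ipfs/<cid>/...
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) >= 2 and segs[0] in ("ipfs", "ipns"):
        if segs[0] == "ipns" or CID_RE.match(segs[1]):
            return "path-style gateway"
    # Subdomain-style gateway: https://<cid>.ipfs.<gateway>/...
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] in ("ipfs", "ipns"):
        if labels[1] == "ipns" or CID_RE.match(labels[0]):
            return "subdomain-style gateway"
    return None


def triage_qr_url(url, trusted=TRUSTED_LOGIN_HOSTS):
    """Return a list of reasons to distrust a URL decoded from an emailed QR code."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    form = ipfs_reference(url)
    if form:
        reasons.append("IPFS-hosted content (" + form + ")")
    if parts.scheme.lower() != "https":
        reasons.append("not an https link")
    if host not in trusted:
        reasons.append("host is not a known sign-in host: " + (host or "<none>"))
    return reasons
```

An empty list means none of these checks fired; it does not mean the page is safe. A mail gateway or reporting mailbox would run this on the output of whatever QR decoder it already uses.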
