We have previously alerted you to vishing and smishing schemes [view related post]. A new scheme, using QR codes, is called QRishing or quishing. According to security company Abnormal, between September 15 and October 13, 2021, it identified a new way for hackers to try to get around security measures put in place to keep users from clicking on malicious links or attachments. The phishing campaign they detected was designed to collect Microsoft credentials using QR codes.

According to Abnormal, the threat actors used compromised email accounts to send QR codes that looked like a missed voice mail to users.  Although the threat actors were unsuccessful in getting users to click on the QR code or take a picture of it and send it to their email account in order to click on it, the point is that attackers are getting increasingly more creative and embedding malicious code behind QR codes, which became widely used by restaurants and other establishments during COVID. Many people had never heard of a QR code or used one until COVID hit, and no one seems particularly concerned about taking a picture of a QR code when instructed to do so.

The tip here is to be cautious of QR codes, especially in an email or text, and specifically if someone is asking you to click on it or it is linked to a missed voicemail message. If QR codes are emailed, they might not be detected by the email security system, which is exactly what the attacker has designed it to do so it is delivered to your email box, giving you the chance to click on it and compromise your Outlook credentials. The new mantra is don’t click on suspicious links, attachments, or QR codes.