
Malicious QR code scams date back at least to 2021. They even have their own name: quishing. And earlier this year, the FBI warned that bad actors in North Korea were running quishing scams in this country.
Still, we were a little unsettled to find that Fox, which has covered quishing several times, had itself been the target of such a scam.
“We received an email that looks like an official HR notice about a performance review. It mentions pay updates, benefits and a deadline,” Fox wrote. “There is also a QR code to access your file.”
Where does it go from there?
“The message claims to come from an internal HR office,” Fox writes. “Instead, it pushes us to scan a QR code to access your appraisal. That setup is a classic phishing move. In many cases, these scams try to move you off your computer and onto your phone, where it is harder to verify links.”
A maneuver like this might end up with a person’s login credentials being exposed, along with other critical information.
At least Fox was smart enough to see it for what it was. Smaller firms may not be as security-conscious. And aside from that, it means more inbox competition for legitimate marketers.
Here's how the FBI defines quishing:
"Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls. Tracked by MITRE ATT&CK as [T1660], Quishing campaigns commonly deliver QR images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing. After scanning, victims are routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, OS, IP address, locale, and screen size [T1598 / T1589] in order to selectively present mobile-optimized credential harvesting pages [T1056.003] impersonating Microsoft 365, Okta, or VPN portals."
The FBI continues, "Quishing operations frequently end with session token theft and replay [T1550.004], enabling attackers to bypass multi-factor authentication [T1550.004] and hijack cloud identities without triggering typical “MFA failed” alerts. Adversaries then establish persistence in the organization [T1098] and propagate secondary spearphishing from the compromised mailbox [T1566]. Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments."
What are the telltale signs of a quishing email? Fox offers the following red flags (and we quote):
- The sender's email does not match the company's
- The email creates urgency with a deadline
- The QR code is the main call to action
- The greeting is generic instead of personal
- The email uses vague HR system language
- The branding looks real yet feels off
- The high-importance flag adds pressure
- The instructions bypass normal login habits
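Most of those red flags can be checked mechanically at the mail gateway or by a triage analyst. The script below is an added example, not code from the article, Fox, or the FBI: it parses a raw email with Python's standard `email` library and scores it against the list above. The two sample messages, the keyword lists, the internal domain `corp.example` and the score thresholds are constructed assumptions for illustration; the "branding feels off" flag is left to a human reviewer because it is not reliably automatable.

```python
"""Score a raw RFC 822 email against the quishing red flags listed above.

Added example (not the article's, Fox's or the FBI's code). Keyword lists,
thresholds and both sample messages are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: HR-themed lure with a QR image attachment and no
# clickable link, matching the pattern the article describes.
SAMPLE_EML = b"""\
From: HR Department <hr-notices@example-mail.net>
To: employee@corp.example
Subject: Action required: performance review and pay update
Importance: high
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Employee,

Your annual performance appraisal is ready in the HR system. Pay updates and
benefits changes take effect after you confirm by the deadline on Friday.
Scan the attached QR code with your phone to access your file.

HR Office
--b1
Content-Type: image/png; name="appraisal-qr.png"
Content-Disposition: attachment; filename="appraisal-qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

# Constructed control: an ordinary internal HR reminder with a normal link.
BENIGN_EML = b"""\
From: HR Department <hr@corp.example>
To: employee@corp.example
Subject: Reminder: open enrollment window
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Alex,

Open enrollment runs through the end of the month. Changes can be made in
the benefits portal at https://hr.corp.example/benefits as usual.

Thanks,
Dana
"""

# Assumed keyword patterns; tune them to your own mail environment.
URGENCY = re.compile(r"\b(deadline|urgent|immediately|action required|expires?|within \d+ (?:hours|days))\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(?:dear|hello|hi)\s+(?:employee|user|colleague|staff member|team member|customer)\b", re.I | re.M)
HR_JARGON = re.compile(r"\b(hr system|appraisal|performance review|pay updates?|benefits)\b", re.I)
MOBILE_PIVOT = re.compile(r"\bscan\b.*\b(?:phone|mobile)\b", re.I | re.S)
LINK = re.compile(r"https?://", re.I)


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def _image_attachments(msg):
    return [p for p in msg.iter_attachments() if p.get_content_maintype() == "image"]


def quishing_flags(raw, internal_domain):
    """Return per-flag booleans, a score and a coarse verdict for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = _body_text(msg)
    subject = str(msg.get("Subject", ""))
    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    images = _image_attachments(msg)

    flags = {
        # Sender's domain is not the company's own domain.
        "sender_domain_mismatch": sender_domain.lower() != internal_domain.lower(),
        # Deadline / urgency wording in subject or body.
        "urgency_deadline": bool(URGENCY.search(subject + "\n" + body)),
        # An image attachment plus "scan" and no ordinary hyperlink: the QR code is the only call to action.
        "qr_is_main_cta": bool(images) and not LINK.search(body) and "scan" in body.lower(),
        # Greeting addresses a role rather than a person.
        "generic_greeting": bool(GENERIC_GREETING.search(body)),
        # Two or more distinct HR-system buzzwords with no concrete detail.
        "vague_hr_language": len({m.lower() for m in HR_JARGON.findall(body)}) >= 2,
        # High-importance header pressure.
        "high_importance_flag": str(msg.get("Importance", "")).lower() == "high"
        or str(msg.get("X-Priority", "")).strip().startswith("1"),
        # Instructions move the user off the managed endpoint onto a phone.
        "mobile_pivot_instruction": bool(MOBILE_PIVOT.search(body)),
    }
    score = sum(flags.values())
    verdict = "likely quishing" if score >= 4 else "review" if score >= 2 else "low"
    return {"flags": flags, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        result = quishing_flags(raw, "corp.example")
        print(name, result["score"], result["verdict"])
        for flag, hit in result["flags"].items():
            print(f"  {'!' if hit else ' '} {flag}")
```

The QR check deliberately does not decode the image: the point of the attachment is that URL inspection never sees a link, so the presence of an image-only call to action is itself the signal. Decoding the code (for instance with a QR library) and running the embedded URL through your normal URL reputation checks is a natural next step on a real gateway.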
Don't fall for it.