Cybercriminals have found a new way to steal login credentials, and it only takes one quick scan of a QR code. The US and Europe are among the targeted regions.
Phishing has been on the rise, but this technique might catch you unprepared. Cybercriminals are increasingly using QR codes to trick users into navigating to malicious websites, a technique also often known as quishing.
A QR code is a scannable image that can hold anything from text to links. Using your phone’s camera, you can instantly open websites or dial numbers with a quick tap.
QR codes are a perfect playground for cybercriminals. Unlike traditional phishing scams, where sketchy links and buttons give you at least a fighting chance to spot the trap, quishing is sneakier. One scan, and you could be handing over your credentials without even realizing you’ve been played.
Unit 42 researchers have identified that since 2024, attackers have been using new tactics to trick their victims with QR codes. The victims are lured into entering their Microsoft credentials, which travel straight to the hands of threat actors.
However, a QR code scam isn’t just about tricking you – it’s about deceiving security systems, too. Attackers use trusted redirects and Cloudflare Turnstile as a means of human verification to slip past security crawlers, making fake login pages look 100% real.
These tactics are extremely sophisticated, as some of the attackers pick very specific targets.
“We found that some of these phishing sites are specifically targeting the credentials of particular victims, suggesting pre-attack reconnaissance,” write the researchers.
The attacks are widespread across the US and Europe and impact various industries, including the medical, automotive, education, energy, and financial sectors.
How does QR code phishing work?
As described in the report, the victim first receives an email with a PDF file impersonating Adobe Acrobat Sign, DocuSign, or company payroll update documents, prompting the user to sign a document.
The scam relies on tricking victims into scanning a QR code with their smartphones. By embedding the phishing link inside the code, attackers dodge traditional security scans – plus, victims are more likely to use their personal (and often less secure) devices, making them easy targets.
The crooks often know the drill. They slap a company logo, an HR email, and a few key dates onto the document, and suddenly, it looks like an official notice, tricking users into letting their guard down.
Attackers often hide the final malicious site behind redirection mechanisms or exploit open redirects from trusted websites, making the malicious link harder for users and security crawlers to spot.
While we’ve been taught to check URLs closely, QR codes add a new layer of deception. Victims can only see the domain name, so even the sketchiest links look harmless at first glance.
The final blow in these attacks is credential harvesting, where victims are duped into logging into fake pages that mimic the Microsoft 365 login, only to have their sensitive data snatched away.
What’s truly alarming is the precision of these attacks. Attackers aren’t just casting a wide net – they’re using a targeted list of names, customizing fake login pages to reject random credentials, and only accepting the ones tied to their victims.
It’s a clear sign of a highly focused, sophisticated operation designed to maximize the chances of success.
How to avoid QR scams?
- Never scan QR codes received from strangers
- Even if a message is from someone you know, first check if your contact has actually sent you the code before clicking on it
- If a message comes from a government agency, call or email it directly to make sure it is legitimate
- Some antivirus software comes with a QR-scanning functionality – this will prevent you from downloading malicious software
- Do not enter any personal details or other sensitive information into websites you don’t know
Your email address will not be published. Required fields are markedmarked