Received an email with a QR code? Watch out!

Examples of how QR codes in emails are used for phishing.

Why you shouldn’t scan QR codes in emails

There’ve been more and more cases

of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails have a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it’s worth reacting to such messages.

Scan the QR code, or face the inevitable

A typical email of this kind contains a notification saying your account password is about to expire, after which you’ll lose access to your mailbox, and so the password must be changed for which you need to scan the QR code in the email and follow the instructions.

Example of a phishing email with a QR code

The password must be reset by scanning the QR code

Another email could warn the recipient that their “authenticator session has expired today”. To avoid this, the user is advised to “quickly scan the QR Code below with your smartphone to re-authenticate your password security”. Otherwise access to the mailbox could be lost.

Example of a phishing email with a QR code

“Authenticator session has expired” — for a quick fix, scan the QR code

A further example: the message kindly informs the reader: “This email is from a trusted source” — we’ve already talked about why emails stamped “verified” should be treated with caution. The thrust of the message is that “3 important emails” supposedly cannot be delivered to the user due to lack of some kind of validation. Of course, scanning the QR code below will “fix” the issue.

Example of a phishing email with a QR code

Important emails can be delivered only by scanning the QR code for “validation”

Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.

They’re also likely hoping that the recipient has heard something about authenticator apps — which do indeed use QR codes — so that their mere mention may stir some vague associations in their mind.

What happens if you scan the QR code in the email

The link in the QR code takes you to a rather convincing replica of a Microsoft login page.

Scanning the QR code opens a phishing site

Scanning the QR code takes you to a phishing site that steals entered credentials

Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.

An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.

In other words, the phishing page is located directly on the phisher’s computer and is accessible via a link through a special IPFS gateway. Phishers use the IPFS protocol because it’s much easier publish and much harder to remove a phishing page than blocking a “regular” malicious website. As such, the links live longer.

How to guard against phishing QR codes

No decent authentication system will suggest scanning a QR code as your only option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you’re probably dealing with phishing. You can safely ignore and delete such an email.

And for those times when you need to scan a QR code of an unknown source, we recommend our security solution with its secure QR code scanner function. It will check the contents of QR codes and warn you if there’s anything bogus inside.