QR Code Phishing, or “Quishing”, is on the rise.
Some Microsoft users have recently received emails with a curious attachment: a PDF file containing a QR code and an urgent message instructing them to set up multi-factor authentication (MFA).
When users scan the QR code, they are redirected to a fake Microsoft sign-in page on their phone. Here, they enter their legitimate login credentials, such as usernames and passwords, which are then stolen by the attackers.
AT&T's Managed Threat Detection and Response (MTDR) security operations center has reported a notable increase in emails with QR codes over the past several months. Unfortunately, many users have fallen victim to the attack and their credentials have been compromised.
In other words, scammers are sending emails to Microsoft users that appear to be from Microsoft. The emails contain a QR code that, when scanned, takes the user to a fake Microsoft sign-in page. Once the user enters their login credentials on the fake page, their credentials are stolen by the scammers.
AT&T's security team has seen a big increase in the number of these types of emails in recent months. Unfortunately, many users have fallen victim to the scam and their credentials have been compromised.
AT&T tried to blaze a trail with naming conventions, stating that “This type of attack is called ‘quishing.’” However, many in the cybersecurity community object to what they see as organizations' habit of naming new attack types by smashing two words together, so the world will have to wait and see whether that name actually catches on.
Get Some Protection
Meanwhile, organizations may be asking how they can better protect their personnel and operations against this form of attack.
Per AT&T, “Phishing attacks and credential harvesters have been in use for some time. However, as the use of QR codes becomes more commonplace, take care to verify the domain that a QR code is associated with before you scan it. Additionally, avoid scanning the QR code with your mobile device. Typically, there are fewer security measures in place on a mobile device than on a network-connected corporate device.”
To summarize, to protect themselves from QR code phishing attacks, personnel should:
Only scan QR codes from trusted sources.
Verify the domain that a QR code is associated with before you scan it.
Avoid scanning QR codes with your mobile device.
If credentials have been compromised:
Immediately close all active sessions for compromised services.
Reset your passwords.
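As an added example of the “verify the domain” step above (not code from the original post or from AT&T), this Python function classifies the text a QR decoder hands back before anyone opens it. The allow-list of sign-in hosts and the sample payloads are constructed assumptions; the function rejects the usual lookalike forms a defender screens for (subdomain padding, user@host tricks, plain http, punycode labels).

```python
from urllib.parse import urlsplit

# Constructed allow-list: the exact hosts this organization expects its
# sign-in links to use. Adjust for your own tenant and identity provider.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def classify_qr_payload(payload: str) -> str:
    """Classify text decoded from a QR code before anyone opens it.

    "not-a-url"  : not an http(s) link (Wi-Fi, vCard, plain text, ...)
    "trusted"    : https link whose exact host is on the allow-list
    "suspicious" : everything else, including lookalike hosts, plain http,
                   'user@host' tricks and punycode (IDN) labels
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "not-a-url"
    if scheme != "https":
        return "suspicious"      # genuine sign-in pages are never plain http
    if "@" in parts.netloc:
        return "suspicious"      # 'login.microsoftonline.com@evil' style
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or host.startswith("xn--") or ".xn--" in host:
        return "suspicious"      # punycode label: possible homoglyph domain
    # Exact match only: a naive endswith() would wave through
    # 'login.microsoftonline.com.mfa-setup.example'.
    return "trusted" if host in TRUSTED_LOGIN_HOSTS else "suspicious"


def triage(payloads):
    """Map each decoded QR payload to its verdict, for a batch of attachments."""
    return {p: classify_qr_payload(p) for p in payloads}


# Constructed sample payloads, as a QR decoder would return them.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.mfa-setup.example/verify",
    "https://login.microsoftonline.com@mfa-setup.example/",
    "http://login.microsoftonline.com/",
    "https://xn--lookalike-label.example/login",
    "WIFI:T:WPA;S:GuestNet;P:secret;;",
]

if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS).items():
        print(f"{verdict:10s} {payload}")
```

Only the first sample payload is reported as trusted; the check is meant to run on the decoded text (for example in a mail-gateway or helpdesk workflow) so that nobody has to scan the code on a phone to find out where it leads.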
A good Chief Information Security Officer (CISO) can help organizations define and communicate protective policies and procedures for personnel. With CISOs hard to find these days, companies like Webcheck Security are godsends, as they provide virtual CISOs (vCISOs)—sometimes known as fractional CISOs—that act as internal leaders for organizations and provide the necessary security program leadership. Contact Webcheck to set up a discussion of your organization’s needs.