QR (quick-response) codes have spread rapidly and become a facet of daily life since their introduction in 1994, originally for labelling parts in the Japanese car manufacturing industry.
QR codes are now used for validating concert tickets, accessing online order systems at restaurants and for a whole host of other nifty applications that make day-to-day life easier. However, as the usage of QR codes has grown, so has their appeal for misuse by cybercriminals.
How do scammers target users with QR codes?
Other than their popularity, the most appealing QR code feature to criminals is that, before scanning a code, it is not possible to know what data it contains. Therefore, if a QR code links to a website, users can only find out which website they will be linked to once they have already scanned the code.
QR code phishing is sometimes known as 'quishing'.
While QR code scams can and do happen just about everywhere a QR code can be present, a growing attack vector is codes embedded into business emails. Many business email systems rely on scanning the content of incoming emails, including URLs, to detect and block malicious attachments and links. By including a QR code instead of a direct link, criminals can entirely bypass these email filters and slip a malicious link into a user's mailbox through an email that looks entirely innocuous to threat detection systems.
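One way a mail pipeline could flag such messages so their images are decoded before URL scanning, shown as an added example (not usecure's code). The signal names, keyword lists and sample messages are assumptions constructed for illustration, and the QR decoding itself is left to a separate image decoder.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_RE = re.compile(r"\bqr[\s-]?code\b|\bscan\b", re.I)
MFA_RE = re.compile(r"multi-factor|two-factor|\bmfa\b|\b2fa\b|authenticator", re.I)

def quishing_signals(raw: bytes) -> list[str]:
    """Return heuristic signals that an email may carry its link inside a QR image."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, has_image = [str(msg.get("Subject", ""))], False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = "\n".join(text)
    signals = []
    # An image with no URL anywhere in the text leaves a URL scanner nothing to inspect.
    if has_image and not URL_RE.search(body):
        signals.append("image_but_no_scannable_url")
    if LURE_RE.search(body):
        signals.append("scan_or_qr_wording")
    if MFA_RE.search(body):
        signals.append("mfa_theme")
    return signals

def needs_image_decoding(raw: bytes) -> bool:
    """True when the message should be routed to QR decoding before delivery."""
    s = quishing_signals(raw)
    return "image_but_no_scannable_url" in s and "scan_or_qr_wording" in s

def build_sample(subject: str, body: str, with_image: bool) -> bytes:
    """Build a constructed test message; the image bytes are a placeholder, not a real QR code."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "it@example.test", "user@example.test"
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG placeholder", maintype="image",
                         subtype="png", filename="code.png")
    return m.as_bytes()

# Constructed samples: an MFA-themed lure with no link, and a newsletter with a normal link.
LURE = build_sample("Action required: set up MFA",
                    "Scan the QR code below with your phone to finish "
                    "Multi-Factor Authentication set-up.", True)
NEWSLETTER = build_sample("Monthly update",
                          "Read more at https://intranet.example.test/news", True)
```

Messages for which `needs_image_decoding` returns True are the ones whose decoded QR payload should be passed to the same URL checks that ordinary links receive.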
Moving users to a less secure platform
In addition to bypassing email filters, QR code-based scams give criminals the additional benefit of moving their targets from their laptops, which are more likely to be equipped with business endpoint protection software, to mobile devices, which will often lie outside business IT security systems and allow users less space to spot inconsistencies in URLs or landing pages.
What QR code templates are available
We've created twenty pre-made templates of some of the most common QR code 'quishing' scams for you to use. These templates will help you educate and train your users on the forms of QR phishing they're most likely to encounter. Below is an example of one of the most popular templates - but you can find the full list by searching 'QR' in the uPhish Email Library.
Microsoft/Google MFA Set-Up
Many QR code scams revolve around setting up Multi-Factor Authentication, since this is something that users are used to setting up with QR codes.
How to add a QR code to a simulation email or template
In the builder, you can simply drag-and-drop a QR code tile into your email or template. The QR code will automatically link to whichever domain is chosen for the simulation it's used in.
How to train users on QR code scams
Our uLearn training module 'Staying safe from QR Code phishing emails' is perfect for building awareness of the risks and signs of quishing attacks amongst your end users. You can also use the module as 'inline training' for your simulation to double-up training for compromised users.
How to send a QR code phishing simulation to your users
You can send a QR code-equipped phishing email to your users either from a pre-made usecure template, or by creating a new email from scratch.
Create a new simulation in uPhish
Click uPhish -> Create new simulation in the top menu bar
Select your landing page
Use any landing page that fits your organisation - for example, a Microsoft 365 or Google Workspace log-in screen.
Select a QR code-equipped template, or create your own
Search 'QR' to find all QR-enabled templates, or drag-and-drop a QR block into a custom email.
Send out your email and track user response
The QR code in the email will automatically link users to whichever landing page you selected when creating the simulation.