Barracuda threat intelligence researchers have detected more than half a million phishing emails with quick response (QR) codes embedded in PDF documents.
QR codes that lead to phishing websites are now being included in PDF documents and attached to emails — versus being included in the emails themselves.
The attacks are designed to capture login credentials for compromise.
UNDERSTANDING THE THREAT
QR code phishing, also known as quishing, is a type of social engineering attack. Cybercriminals try to trick victims into using the camera on their mobile phone to scan a QR code that goes to a malicious website to steal sensitive information, such as login credentials or financial data.
Cybercriminals are evolving the ways in which they are using QR codes to carry out attacks. In the three-month period from mid-June to mid-September, Barracuda researchers identified and analysed more than half a million phishing emails with QR codes embedded in PDF documents. The PDFs are attached to phishing emails that use brand impersonation and urgency to motivate would-be victims to respond. This is a notable change in tactics: In the past, QR codes were traditionally included in the body of the phishing emails.
Quishing attacks by the numbers
In a three-month period, Barracuda researchers identified and analysed more than half a million phishing emails with QR codes embedded in PDF documents.
In most of the attack samples analysed by Barracuda researchers, scammers impersonate well-known companies. Microsoft, including SharePoint and OneDrive, is impersonated in more than half (51%) of all the attacks, followed by DocuSign (31%), and Adobe (15%). In a small number of the attacks, scammers impersonate the human resources department at the intended victim’s company.
In these attacks, cybercriminals send phishing emails and attach a simple one or two-page PDF document that includes a QR code. No other external links or embedded files are included in the PDF. Recipients are directed to scan the QR code with the camera on their mobile phone, so they can view a file, sign a document, or listen to a voice message. If they do so, they are brought to a phishing website designed to capture their login credentials.
Brands being impersonated
Scammers impersonate well-known brands and use social engineering tactics to trick victims.
Quishing poses some unique security challenges for businesses. Traditional email filters struggle to detect these attacks because there are no direct links or suspicious attachments to scan. Additionally, quishing often involves multiple devices: employees receive the phishing email on one device but scan the QR code using a different device, such as a personal mobile phone that may lack the same level of security protection as corporate systems. As a result, these attacks can bypass corporate defenses, making them difficult to track or prevent.
Certain industries — such as finance, healthcare, and education — are increasingly being targeted by quishing attacks due to the sensitive data they handle. Small-to-medium businesses (SMBs) are especially vulnerable since they often lack the advanced security tools needed to protect against these sophisticated phishing tactics. The shift in tactics from embedding QR codes in the body of an email to attaching them in PDF documents makes it harder for traditional defenses to identify and block these attacks before they reach employees.
EXAMPLES OF QUISHING EMAILS
In this phishing email that impersonates DocuSign, the recipient is directed to scan the QR code in an attached PDF document to review and electronically sign “secured documents.”
Recipients of this phishing email that impersonates Microsoft are told to scan the QR code in an attached PDF document to listen to a voice message.
This phishing email that impersonates Adobe tells recipients to scan the QR code in an attached PDF document to review an “Employee Benefits & Salary Adjustment Review” document.
DEFENDING YOUR BUSINESS FROM ATTACKS
Here are several ways to defend against quishing:
Deploy multilayered email security
Put robust spam and malware filters in place and ensure they are properly configured to
block phishing messages effectively. IT teams further need to perform a health check on email gateway settings regularly to ensure optimal performance.
Use AI and other advanced technology
Scammers are adapting their tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against targeted phishing attacks. Supplement your gateways with AI-powered cloud email security technology that doesn’t solely rely on looking for malicious links and attachments.
Educate users
Be sure your security awareness training teaches employees about quishing and the risks of scanning QR codes from unknown or questionable sources. Ensure employees can recognise these attacks, understand their fraudulent nature, and know how to report them.
Enable multifactor authentication (MFA)
Provide an additional layer of security above and beyond username and password and reduce the potential impacts of credential compromise by using MFA to protect access to user accounts.
“Cybercriminals are constantly refining their phishing techniques to make attacks appear more legitimate and convincing to the unsuspecting victim, with the use of QR codes in PDF documents being one of many tactics we’re closely tracking. These attacks can easily evade traditional email filters, making them difficult to detect," Adam Khan, VP Global Security Operations, Barracuda
“Organisations must adopt multilayered email security with advanced AI that analyses not just links and attachments, but also potential impersonation attempts within attachments. Educating users about the risks of scanning QR codes from unknown or questionable sources is essential. Additionally, ensuring that spam and malware filters are properly configured, conducting regular health checks on email gateway settings, and enabling multi-factor authentication will significantly enhance overall protection.”
RELATED RESOURCES
[Report] Top Email Threats & Trends ~ June 2024
https://www.barracuda.com/reports/email-threats-and-trends-1
[Blog post] Quishing: What you need to know about QR code email attacks
https://blog.barracuda.com/2023/10/05/quishing-what-you-need-to-know-about-QR-code-email-attacks
[Blog post] Novel phishing techniques to evade detection: ASCII-based QR codes and ‘Blob’ URIs
https://blog.barracuda.com/2024/10/09/novel-phishing-techniques-ascii-based-qr-codes-blob-uri