QR code phishing: How to spot these malicious attacks

(SACRAMENTO)

As users become more vigilant about traditional phishing attempts, hackers have resorted to new techniques to lure unsuspecting individuals into falling for these attacks.

The embedded QR code technique has been gaining popularity both here at UC Davis Health and around the UC system.

What is an embedded QR code?

A QR code, which stands for “Quick Response” code, is a type of barcode that can be scanned by a smartphone’s camera to access information like a website URL, contact details, or other data quickly.

When you scan a QR code with your smartphone, a yellow link pops up that you can tap to open the webpage URL. It’s a simple way of getting an unsuspecting user to access a malicious URL.

Example of a safe-to-scan QR code from Wikipedia

How are QR code phishing attempts happening? 

UC Davis Health’s email filter automatically screens and filters out emails where a QR code appears within the email’s main content, meaning you should never see it. However, if the attacker embeds a QR code in an attachment like a PDF or Word document, the filter will allow these emails to come through. Staff then open the attachment, are instructed to scan the QR code displayed inside, and are asked to use their UC Davis Health login credentials to access the content.

The hacker now has access to your credentials.

What do these malicious emails look like?

Below are two examples of emails with malicious attachments.

Example 1:

Example 2:

In both examples, you should notice that the from address is suspicious.

Additionally, the emails contain no content and force the receiver to open the attachment for information (remember to never download or open an attachment from someone you are not expecting one from).

It’s also important to note that in both of these examples, the hacker is supposedly providing critical information that the user would feel the need to open and obtain (benefits information and a revised UC Davis handbook). They want you to bypass security protections, such as alerting the IT team or anyone else, by making the information easily accessible with just your credentials.
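For mail administrators, the indicators described above (a suspicious sender, an empty body, and a PDF or Word attachment that carries the QR code) can be checked on a raw message before it reaches a mailbox. The following is an added example, not part of the original article and not UC Davis Health’s filter; the internal domain, the sample message, and the `triage` function are assumptions constructed for illustration, and the check does not decode QR codes inside the attachment.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder internal domain, not taken from the article.
INTERNAL_DOMAINS = {"example.org"}
DOC_EXTENSIONS = (".pdf", ".doc", ".docx")

# Constructed sample: external sender, blank body, PDF attachment.
SAMPLE = """\
From: HR Benefits <hr@benefits-update.example.net>
Subject: Revised handbook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/pdf; name="handbook.pdf"
Content-Disposition: attachment; filename="handbook.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def triage(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return which indicators described in the article a message matches."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() not in internal_domains:
        findings.append("external-sender")
    body_chars, docs = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(DOC_EXTENSIONS):
            docs.append(name)
        elif part.get_content_maintype() == "text" and not name:
            # Rough measure: any non-whitespace text counts as body content.
            body_chars += len((part.get_payload(decode=True) or b"").strip())
    if docs:
        findings.append("document-attachment")
        if body_chars == 0:
            findings.append("empty-body-with-attachment")
    return findings
```

A message that matches all three indicators is a candidate for quarantine or manual review rather than proof of phishing.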

How to protect yourself and UC Davis Health

While the UC Davis Health Cybersecurity team continuously monitors for potential threats, it is critical that staff remain vigilant in their efforts to avoid phishing attacks. Be careful when opening attachments, never click or scan a QR code presented inside an email, and be suspicious of “must have information” that is coming from unknown senders with quick, clickable access to said information. When in doubt, your best defense is to contact the Help Desk to verify the information at 916-734-HELP (4357).
