
QR Codes Enable New Enterprise Phishing Threat

Corporations are increasingly being targeted by scam QR codes embedded in PDF documents attached to emails, security researchers have warned, as attackers use the technique to bypass security systems and introduce malicious links into organisations.

Security vendor Barracuda said in a threat report that it had recorded half a million examples of the technique, which adds a new dimension to previous phishing threats.

In the past, attackers sometimes embedded QR codes in the emails themselves, but placing them in PDFs makes them much harder to detect, the firm said.

Recipients are typically told to scan the code with a mobile device to view a file, sign a document or listen to a voice message, Barracuda said.

QR-code phishing

“If they do so, they are brought to a phishing website designed to capture their login credentials,” the company stated.

Microsoft, including its SharePoint and OneDrive services, is the most-impersonated company in the recorded scams at 51 percent, followed by DocuSign at 31 percent and Adobe at 15 percent.

The report suggested stronger email security, multi-factor authentication and AI could be used along with employee education to help limit such scams.

Security products generally do not scan images in documents attached to emails for potentially harmful content, and doing so could slow down delivery of emails and increase the cost of systems, security firm Sophos said.

Lenders Santander, HSBC, and TSB, along with the UK National Cyber Security Centre (NCSC) and the US Federal Trade Commission, have all warned of QR codes being used in sophisticated phishing attacks, the Financial Times reported.

IBM found phishing attacks in general are increasingly expensive to companies, with the average cost of a data breach rising nearly 10 percent year-on-year to $4.9 million (£3.8m) in 2024.

Sticker scams

The scams have increased in prevalence with the massive rise in usage of QR codes since the Covid-19 pandemic, when they were used for contactless transfer of information ranging from check-in codes to restaurant menus.

McAfee said in May that more than one-fifth of all online scams in the UK probably originated from QR codes, with reports of QR code scams in the UK more than doubling in the year to August 2024, according to Action Fraud.

The US Federal Trade Commission and multiple local authorities across the UK have warned this year of scam QR codes being placed on stickers that cover legitimate codes used to pay for parking.

These scams can lead users to websites that ask for financial details or download malware, and can also result in fines for failing to pay for parking.

Reports have similarly said such scam QR codes are in use at EV charging points, train stations and restaurant tables.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
