Phishing scams use QR codes in PDFs to bypass defences

Barracuda's threat intelligence team has identified a new phishing tactic involving QR codes embedded in PDF attachments, resulting in the detection of over half a million such phishing emails in the last three months.

This method, known as QR code phishing or "quishing," manipulates recipients into scanning QR codes with their mobile phones. These codes lead to malicious websites that attempt to acquire sensitive information such as login credentials or financial data. This represents a strategic shift from previous phishing techniques, which usually included QR codes directly in the email content.

According to Barracuda researchers, these PDF documents, attached to phishing emails, exploit brand impersonation and urgency to lure individuals into interaction. The shift from embedding QR codes in the body of the email to including them within PDF attachments marks a significant change in how these scams are conducted.

During the analysis period from mid-June to mid-September, Barracuda researchers examined over half a million emails containing these QR codes. Their findings revealed that many of these phishing emails mimic well-known brands. Microsoft, along with its services like SharePoint and OneDrive, was impersonated in 51% of the attacks, followed by DocuSign at 31% and Adobe at 15%. In fewer cases, scammers pretended to represent the human resources department of the targeted company.

Typically, these phishing attempts involve a simple one or two-page PDF that includes a QR code and lacks further external links or embedded files. The email directs users to scan the QR code to access a file, sign a document, or listen to a voice message. However, scanning the code redirects victims to a phishing site aiming to capture login details.

Quishing presents specific challenges for traditional email security systems. The absence of direct links or suspicious attachments means email filters often fail to detect such attacks. Moreover, these schemes frequently involve users switching between devices, which can undermine corporate security measures. Industries such as finance, healthcare, and education, due to the sensitive data they manage, are particularly susceptible to these attacks. Small-to-medium businesses (SMBs), which may lack comprehensive security tools, are also vulnerable.

Adam Khan, Vice President Global Security Operations at Barracuda, stated, "Cybercriminals are constantly refining their phishing techniques to make attacks appear more legitimate and convincing to the unsuspecting victim, with the use of QR codes in PDF documents being one of many tactics we're closely tracking. These attacks can easily evade traditional email filters, making them difficult to detect."

He further emphasized, "Organisations must adopt multilayered email security with advanced AI that analyses not just links and attachments, but also potential impersonation attempts within attachments. Educating users about the risks of scanning QR codes from unknown or questionable sources is essential. Additionally, ensuring that spam and malware filters are properly configured, conducting regular health checks on email gateway settings, and enabling multi-factor authentication will significantly enhance overall protection."