Cyber crooks are always on the lookout for new and effective ways to beat security systems and people in order to steal. There is a growing trend of criminals using QR codes as part of their phishing campaigns, specifically to steal Microsoft credentials.
They send out emails with Microsoft branding claiming that the recipient needs to set up or update MFA/2FA to protect their account. The email includes a QR code that points at a Bing link which then redirects (unfortunately, marketing teams use some of the same redirect mechanisms), sending you to a location where your account can be compromised.
By using a QR code, you will most likely scan it with your phone, which is probably a personal device that isn’t protected by your IT or security team. This makes it more likely that the attack will succeed.
So, what should you do?
- Never trust anything in an unsolicited e-mail. Any message that claims there’s something up with your account should be suspect.
- Make your own way to the site and log in; any messages or notifications should be apparent there. Also, if this is an MFA/2FA-specific ruse, you will be prompted for 2FA at the point of login anyway, so there is no need to worry. 😎
- If in doubt, ask: check with a member of the technical team, but do not forward the email – as I’ve mentioned before, we do not want to propagate potentially malicious links/files.
- Personally, I think QR codes should be burned at the stake (I did a demo of their evilness at Business Vision last year), but if we do need to use them:
  - make sure you use your phone’s built-in QR code reader – there are a lot of malicious QR apps in the app stores.
  - make sure you check the URL the QR code wants to take you to – this is tough in scenarios like this, but still worth doing.
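Checking where a QR code actually leads is hard to do by eye when the link bounces through a redirector such as Bing, as described above. The script below is an added example (not part of the original post, and not a tool the author or his team published) that takes the text already decoded from a QR code, peels off redirector layers offline, and reports whether the final destination sits on an expected Microsoft domain. It assumes the shape of Bing click-tracking links (`/ck/a?...&u=a1<base64url destination>`), the list of expected Microsoft domains, and the names of common redirect query parameters; all of those are assumptions, not facts from the post, and the sample payloads are constructed.

```python
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Assumed list of domains a genuine Microsoft MFA/2FA setup page should land on.
EXPECTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")

# Assumed query parameter names that generic redirectors carry a destination in.
REDIRECT_PARAMS = ("u", "url", "redirect", "redir", "target", "dest")

MAX_HOPS = 5  # stop unwrapping after this many nested redirectors


def unwrap_bing_redirect(url):
    """Decode a Bing click-tracking link without making any network request.

    Assumption: such links look like https://www.bing.com/ck/a?...&u=a1<payload>
    where <payload> is the base64url-encoded destination behind a fixed "a1" prefix.
    Returns the destination, or None if the URL does not match that shape.
    """
    parts = urlparse(url)
    if parts.netloc.lower() not in ("bing.com", "www.bing.com"):
        return None
    if not parts.path.startswith("/ck/"):
        return None
    u = parse_qs(parts.query).get("u", [""])[0]
    if not u.startswith("a1"):
        return None
    payload = u[2:]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding that links strip
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8", "replace")
    except ValueError:
        return None


def unwrap_redirects(url):
    """Follow redirector patterns offline; returns (final_url, list_of_hops)."""
    hops = []
    for _ in range(MAX_HOPS):
        nxt = unwrap_bing_redirect(url)
        if nxt is None:
            # Generic redirector: destination carried as a plain URL in the query string.
            query = parse_qs(urlparse(url).query)
            for key in REDIRECT_PARAMS:
                candidate = unquote(query.get(key, [""])[0])
                if candidate.lower().startswith(("http://", "https://")):
                    nxt = candidate
                    break
        if nxt is None or nxt == url:
            break
        hops.append(nxt)
        url = nxt
    return url, hops


def host_is_expected(url, domains=EXPECTED_DOMAINS):
    """True only if the host is one of the expected domains or a real subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_qr_url(url):
    """Classify a decoded QR payload: 'expected', 'review' or 'suspicious'."""
    final, hops = unwrap_redirects(url)
    expected = host_is_expected(final)
    if expected and not hops:
        verdict = "expected"
    elif expected:
        verdict = "review"  # lands on Microsoft, but only after bouncing through a redirector
    else:
        verdict = "suspicious"
    return {"decoded": url, "final": final, "hops": len(hops),
            "expected_host": expected, "verdict": verdict}


# Constructed sample QR payloads (placeholders, not taken from any real campaign).
PHISH_TARGET = "https://example.invalid/mfa-update"
PHISH_QR = ("https://www.bing.com/ck/a?!&&p=1234&u=a1"
            + base64.urlsafe_b64encode(PHISH_TARGET.encode()).decode().rstrip("="))
GENUINE_QR = "https://login.microsoftonline.com/"

if __name__ == "__main__":
    for payload in (PHISH_QR, GENUINE_QR):
        print(assess_qr_url(payload))
```

Feed `assess_qr_url()` the string your phone's QR reader shows before you tap it; a `suspicious` verdict means the decoded link ends somewhere other than a Microsoft domain, and `review` means it only gets there after a redirect, which is exactly the pattern the email described above relies on. The check is deliberately offline so that inspecting a link never fetches it.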
Russell Gower-Leech, Cybersecurity Manager
Being a Cybersecurity Manager, Russell doesn’t like us to share much information about him. All we can say is… he wears a tin-foil hat, loves all things cybersecurity, actively hacked people at Business Vision Live and is a lovely chap.