QR Code Phishing: The Sneaky New Threat That’s Catching Users Off Guard
A new spear phishing campaign is making the rounds, and it’s catching even the most cautious users off guard. This one doesn’t rely on dodgy links or suspicious attachments. Instead, it uses a PDF with a QR code that tricks users into scanning it with their phones, bypassing traditional desktop defences.
How it works:
- The email appears to come from your HR or payroll team, referencing bonuses or benefits.
- It includes a PDF attachment (like the one below) with a QR code.
- When scanned, the QR code opens a fake Microsoft login page on your phone.
- On iPhones, the browser hides the full URL, making the page look legitimate.
- If you enter your credentials, they’re harvested by attackers.
Why it’s effective:
- It exploits trust in internal communications.
- It uses real, previously hacked email accounts to prevent filters catching it.
- It creates a fake message thread from other colleagues to make it seem authentic.
- It uses mobile devices to bypass desktop security tools.
- It leverages mobile browser behaviour to hide malicious URLs.
- It bypasses almost all forms of spam and phishing defence as there are no links or suspicious text for systems to pick up on.
Demo:
We’ve created a safe demo version of the phishing PDF. Scan the QR code below to see how convincing a fake login page can look (don’t worry—it’s hosted on our Why Settle Technology Web Hosting server and won’t collect any data).
What to do:
- Never scan QR codes from unexpected emails.
- Report suspicious messages to the Why Settle Technology (or your IT Team)
- Use mobile security tools that can detect phishing pages.
- Educate your team, especially those in HR, finance, and leadership roles.
Final thoughts:
This is one of the most convincing phishing tactics we’ve seen in a while. It’s a reminder that attackers are always evolving- and so must our defences.
