The Threat Posed by QR Codes Isn't Theoretical

A major energy company was actively targeted last month in a phishing campaign. This isn’t newsworthy in and of itself (unfortunately): Energy companies and utilities are frequent targets for cybercriminals, and over 3.4 billion emails are estimated to be sent daily. What does stand out, however, is that these phishing emails used QR codes to bypass the company’s defenses.

What are QR codes?

We’ve written about these (and the danger they present) previously, but QR codes are the square icons that can be scanned by cameras, typically on mobile devices, to lead to a URL or file online. 

QR codes were originally developed for warehouses to quickly identify packages and freight, but became more widespread with the advent of mobile phones and became commonplace during the Covid-19 pandemic, when physical contact with objects such as menus was regarded as a potential vector for exposure.

How were they used in a phishing campaign?

What makes QR codes convenient also makes them a liability for organizations: you can’t tell whether or not they’re malicious just by looking at them. While most modern camera-enabled phones will show a preview of the destination of a QR code, the hackers behind this phishing campaign came up with a novel way to bypass this: they used familiar internet services like Bing, Salesforce and Cloudflare to redirect from their URLs to encrypted pages designed to capture credentials. (See below.)

The phishing emails carried these redirecting QR codes along with a message saying that the recipients had to verify their Microsoft accounts within a short time period.
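
Because of the redirect trick described above, the host shown in a QR preview is not necessarily where the scan ends up. As an added example (not from the original article), this Python code takes a URL already decoded from a QR image and lists destinations embedded in its query string or fragment that point to a different host; the function names and the example.* URLs are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample inputs (example.* hosts are placeholders, not real campaign URLs).
HIDDEN = "https://login.example.net/verify"
SAMPLE_PLAIN = "https://www.example.com/docs?page=2"
SAMPLE_QUERY = "https://redirect.example.com/r?u=https%3A%2F%2Flogin.example.net%2Fverify"
SAMPLE_B64 = ("https://redirect.example.com/r?d="
              + base64.urlsafe_b64encode(HIDDEN.encode()).decode())

def _as_url(value):
    """Return value if it parses as an http(s) URL with a host, else None."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 brackets in decoded garbage
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return value.strip()
    return None

def _decode_candidates(value):
    """Yield the value, its percent-decoded form, and any base64 decodings."""
    yield value
    yield unquote(value)  # catches double percent-encoding
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue

def embedded_destinations(qr_url):
    """List URLs hidden in the query or fragment whose host differs from the visible host."""
    parts = urlsplit(qr_url)
    visible = (parts.hostname or "").lower()
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        values.append(parts.fragment)
    found = []
    for value in values:
        for candidate in _decode_candidates(value):
            url = _as_url(candidate)
            if url and urlsplit(url).hostname.lower() != visible and url not in found:
                found.append(url)
    return found

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_QUERY, SAMPLE_B64):
        print(sample, "->", embedded_destinations(sample) or "no embedded destination")
```

A redirect chosen entirely on the server leaves nothing in the URL to inspect, so a check like this complements opening the link in a sandbox and following the chain to its final page.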

What’s the takeaway?

Businesses and organizations need to be aware that even the most sophisticated firewalls and security filters for emails can still be bypassed by novel tactics, including embedded and redirecting QR codes. The primary defense against this is training employees to recognize the potential risks posed by malicious images, attachments and links and to practice extra caution when interacting with incoming email messages.

Wondering if your company is protected against cyberthreats? Need to educate your employees about best security practices? Nodal can help! Contact us today.