of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails have a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it’s worth reacting to such messages.
Scan the QR code, or face the inevitable
A typical email of this kind contains a notification saying your account password is about to expire, after which you’ll lose access to your mailbox, and so the password must be changed for which you need to scan the QR code in the email and follow the instructions.
Another email could warn the recipient that their “authenticator session has expired today”. To avoid this, the user is advised to “quickly scan the QR Code below with your smartphone to re-authenticate your password security”. Otherwise access to the mailbox could be lost.
A further example: the message kindly informs the reader: “This email is from a trusted source” — we’ve already talked about why emails stamped “verified” should be treated with caution. The thrust of the message is that “3 important emails” supposedly cannot be delivered to the user due to lack of some kind of validation. Of course, scanning the QR code below will “fix” the issue.
Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.
They’re also likely hoping that the recipient has heard something about authenticator apps — which do indeed use QR codes — so that their mere mention may stir some vague associations in their mind.
What happens if you scan the QR code in the email
The link in the QR code takes you to a rather convincing replica of a Microsoft login page.
Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.
An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.
In other words, the phishing page is located directly on the phisher’s computer and is accessible via a link through a special IPFS gateway. Phishers use the IPFS protocol because it’s much easier publish and much harder to remove a phishing page than blocking a “regular” malicious website. As such, the links live longer.
How to guard against phishing QR codes
No decent authentication system will suggest scanning a QR code as your only option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you’re probably dealing with phishing. You can safely ignore and delete such an email.
And for those times when you need to scan a QR code of an unknown source, we recommend our security solution with its secure QR code scanner function. It will check the contents of QR codes and warn you if there’s anything bogus inside.