Kaspersky has detected a sharp increase in phishing emails containing malicious QR codes, rising from 46,969 incidents in August to 249,723 in November. This more than fivefold surge demonstrates how cybercriminals exploit QR codes as a cost-effective method to hide malicious URLs and evade traditional security solutions.
How Attackers Use QR Codes in Phishing
Attackers embed QR codes directly in email bodies or, more frequently, within PDF attachments. This technique masks phishing links and encourages users to scan the codes on mobile devices, which often have weaker security than corporate computers.
Common Malicious QR Code Scenarios
Malicious QR codes appear in both mass phishing campaigns and targeted attacks. Common examples include:
-
Phishing forms mimicking login pages for Microsoft accounts or internal portals to steal credentials.
-
Fake HR notifications prompting employees to review or sign documents, such as vacation schedules or termination lists.
-
Fraudulent invoices or purchase confirmations, sometimes combined with vishing tactics to extract additional sensitive information.
Risks to Organizations
These phishing campaigns exploit employees’ trust in routine business communications, potentially leading to credential theft, account takeovers, data breaches, and financial fraud.
Expert Commentary
“Malicious QR codes have become one of the most effective phishing tools, especially when hidden in PDFs or disguised as legitimate business updates. The November surge shows attackers are exploiting minimal mobile protections. Without advanced image analysis and safe scanning practices, organizations face severe risks,” explains Roman Dedenok, Anti-Spam Expert at Kaspersky.
Recommended Defensive Measures
To combat this growing threat, Kaspersky advises organizations to implement robust email security solutions such as Kaspersky Security for Mail Server. Such tools safeguard corporate email exchanges and protect against spam, phishing, QR code attacks, business email compromise (BEC), and other email-borne threats.
This approach strengthens organizational defenses against increasingly sophisticated phishing campaigns exploiting mobile vulnerabilities and QR code technology.