Beware! QR code phishing scam can let hackers steal your data via fake emails: Here’s how you can stay safe

HIGHLIGHTS

Microsoft warns QR code phishing scams are rapidly increasing through fake emails and PDFs.

Attackers use urgent messages and fake login pages to steal passwords and account access.

Experts advise users to avoid scanning unknown QR codes and enable two-factor authentication.

Cybersecurity experts at Microsoft have recently raised concerns over a fast-growing scam in which attackers embed QR codes in emails to steal user data. The experts warned that the attackers are sending fake emails, PDFs and even CAPTCHA pages to trick people into revealing login details. The emails look professional and typically create urgency by mentioning compliance issues or account problems. Once you scan the QR code, you are redirected to a fake login page that silently captures your credentials. The scam has already affected thousands of users across multiple organisations worldwide, and the number of cases is still growing. Here is everything you should know about the QR code scam and how to stay safe.

QR code phishing attack

QR code phishing is becoming one of the most common tricks used by cybercriminals. Instead of being asked to click suspicious links, users are now asked to scan QR codes that look harmless. These codes are often embedded in emails that appear to come from HR, IT support or management teams.

Once scanned, the QR code leads users through multiple pages that finally end on a fake login screen. These pages are designed to steal usernames, passwords and even session tokens. In some cases, attackers can access accounts even when two-step verification is active.

Microsoft researchers have warned that more than 35,000 users across 13,000 organisations have already been targeted. The scam works because it creates fear and urgency, pushing users to act quickly without checking the source properly.


How Digit detected a QR code scam email

A few days ago, we at Digit faced a similar attack: someone created a fake email address (O365.Admin@tinesgroup.com) and sent emails to employees claiming there were 5 undelivered emails from their manager. The message looked professional and convincing, making it hard to dismiss at first glance.

What made it more interesting was a QR code inside the email asking users to scan it to check pending messages. While it was clear that the email was sent from outside the organisation, we still decided to investigate carefully.

Using a test device that had recently been wiped, we scanned the QR code to see where it led. Even after scanning multiple QR codes, nothing useful appeared; most of the codes did not work at all. We also checked the device repeatedly to make sure no app had been installed in the background and no setting had been changed.

We tested the QR codes on both Android and iOS devices and still found nothing harmful in this case. However, this experiment showed how risky such emails can be. Never scan QR codes that come from unknown emails. This becomes even more necessary when using a mobile device that contains personal information such as photographs, banking applications, or private documents. There is a risk of scammers using counterfeit QR codes to take advantage of you.
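A mail-triage check for the indicators this section describes (an external sender using an admin-style name, urgency about undelivered mail, and a QR image where a link would normally be) is shown below as an added example. It is not Digit's tooling; the organisation domain example.com, the keyword list and the sample message are constructed assumptions, and it flags the message without scanning or following the QR code.

```python
"""Heuristic triage for a QR-code phishing email of the kind described above. Added
example: example.com, the keyword list and the sample message are constructed assumptions."""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed domain of the protected organisation
URGENCY_TERMS = ("undelivered", "pending", "immediately", "compliance", "suspended")
ADMIN_PREFIXES = ("o365", "it-", "helpdesk", "admin")  # role-impersonating local parts

# Constructed message mirroring the one in the article: an external "O365 Admin"
# sender, a claim of undelivered mail, and a QR image where a link would normally be.
SAMPLE_EMAIL = """\
From: O365 Admin <O365.Admin@tinesgroup.com>
Subject: 5 undelivered emails from your manager
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have 5 undelivered messages pending. Scan the QR code to review them.
--b1
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def triage(raw: str) -> dict:
    """Return indicator flags and a score for one RFC 5322 message (no QR decoding)."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    has_link = "http://" in body or "https://" in body
    flags = {
        "external_sender": domain != ORG_DOMAIN,
        "admin_lookalike": local.startswith(ADMIN_PREFIXES),
        "urgency": any(term in text for term in URGENCY_TERMS),
        "image_without_link": has_image and not has_link,  # QR likely replaces the URL
    }
    flags["score"] = sum(flags.values())  # 3+ warrants quarantine or analyst review
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The same function run over a plain internal message with no image and no urgency wording returns a score of 0, so the heuristic separates the two cases without ever resolving the QR code's destination.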


How to protect yourself against scams using QR codes

Here are some of the things you need to keep in mind to stay safe against the QR code scams:

  • Do not scan QR codes in an email or message that comes from an unknown source.
  • Double-check the sender’s identity before scanning a QR code or taking any further action, such as logging in to your account.
  • Be wary of emails that apply pressure or seem unusually desperate for your attention.
  • Update your device regularly and make sure its security settings are enabled.

What to do in case you scanned a suspicious QR code

If you suspect you have scanned a suspicious QR code, make sure to:

  • Disconnect your device from the internet immediately, since these scams usually depend on a live connection.
  • Reset the password of the account you tried to log in to straight away, then change the passwords on all your other sensitive accounts.
  • Enable two-factor or two-step verification right away to block unauthorised access.
  • Watch for any suspicious activity in your social media and financial accounts.
  • Consider a factory reset of your phone as well, in case an app was installed in the background.

Bhaskar Sharma

Bhaskar is a senior copy editor at Digit India, where he simplifies complex tech topics across iOS, Android, macOS, Windows, and emerging consumer tech. His work has appeared in iGeeksBlog, GuidingTech, and other publications, and he previously served as an assistant editor at TechBloat and TechReloaded. A B.Tech graduate and full-time tech writer, he is known for clear, practical guides and explainers.
