Be on the lookout for a dangerous email phishing scam involving QR codes.
The New Jersey Cybersecurity & Communications Integration Cell recently issued a warning about a QR code scam that’s landing in inboxes of NJ businesses.
In 2022, the FBI issued a Public Service Announcement with tips to protect against QR code scams. This tactic is being used effectively today.
Here’s How It Works
The email appears legitimate, as phishing emails often do. This is why they are so effective at stealing information like passwords and gaining access to banking information.
This phishing email appears to be a typical email but includes a QR code either in the body of the email or in an email attachment. And there’s more…
According to the recent NJ alert, those who received the QR code phishing scam reported that the messages looked like real emails from their IT department, asking them to scan the QR code to run necessary updates or maintenance for 2FA (two-factor authentication).
What Happens After You Click The QR Code
- You could land on what appears to be a legitimate web site where your login credentials could be stolen. Then, the hacker gains access to your system or accounts.
- It could trigger a download of a dangerous application like malware, providing the hacker with access to confidential company information.
- The stolen password may then be tried on other sites where you have an account. Since many people reuse the same password for different logins (a major no-no, but we know it happens), the hacker may try to get access to as many accounts as possible. The more the merrier as far as hackers are concerned.
- Money may be stolen from accounts where they gain access.
- Your personal or business information may be sold on the dark web (where the hackers make their deals).
- Stolen information is often published to a public web site for all to see before the hacker requests a ransom.
- Files may become encrypted and no longer accessible. This can stop business in its tracks. How much work could you get done if you couldn’t access your files?
The Red Flags To Look For In A Phishing Scam
- Ask yourself, were you expecting this email?
- Is it from someone you know or work with?
- If you hover over the sender's name, is the email address one you recognize and know to be real, or is it questionable?
- Are there any misspellings in the email?
- Are you addressed by name as you typically are or is the greeting unusual?
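As an added illustration that is not part of the original alert, the checklist above can be automated for the lure described earlier (an "IT department" email whose QR code points at a 2FA maintenance page). The organization domain, the Message type and the two sample messages are constructed assumptions, and the QR image is assumed to have already been decoded to its URL upstream (for example by a mail gateway).

```python
"""Automated red-flag check for a QR-code phishing email.  Assumes the QR
image was already decoded to its URL (e.g. by a mail gateway); the org
domain and sample messages below are constructed for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"  # hypothetical protected organization

@dataclass
class Message:
    display_name: str  # name the mail client shows
    from_addr: str     # address revealed by hovering over the name
    subject: str
    qr_url: str        # decoded QR-code payload

def _in_org(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def qr_phish_flags(msg: Message) -> list[str]:
    """Return the red flags raised by one message (empty list means none)."""
    flags = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1]
    words = set(re.findall(r"[a-z]+", msg.display_name.lower()))
    # "IT Department" in the display name, but an address outside the org
    if words & {"it", "helpdesk", "support"} and not _in_org(sender_domain):
        flags.append("poses as internal IT from an external address")
    url = urlsplit(msg.qr_url)
    host = url.hostname or ""
    if url.scheme != "https":
        flags.append("QR link is not https")
    if not _in_org(host):
        flags.append(f"QR link leads outside {ORG_DOMAIN}: {host}")
        if ORG_DOMAIN.split(".")[0] in host:  # e.g. example-com-sso.net
            flags.append("QR link domain imitates the organization name")
    # the lure the alert describes: an "update or maintenance for 2FA"
    if flags and re.search(r"2fa|mfa|two.factor", msg.subject, re.I):
        flags.append("2FA maintenance lure with an untrusted destination")
    return flags

# Constructed samples: the lure from the alert, and a genuine IT notice.
PHISH = Message("IT Department", "it-support@update-notices.net",
                "Action required: 2FA maintenance", "https://example-com-sso.net/login")
GENUINE = Message("IT Department", "helpdesk@example.com",
                  "Scheduled 2FA maintenance", "https://sso.example.com/enroll")
```

Run `qr_phish_flags(PHISH)` and `qr_phish_flags(GENUINE)` to see the phishing sample raise four flags while the genuine notice raises none.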
What To Do If You Get A Suspicious Email
- Contact the sender in person if they’re within your organization.
- If the sender isn’t from within your organization, confirm by calling using the number you already have, not the phone number listed in the email. Use the company’s actual web site if you need to look it up.
- Don’t click any links in the email.
- Don’t open any attachments.
- Never reply to the email.
What To Do If You Click And It’s a Phishing Scam
- Contact your IT department immediately.
- Don’t let your fear get in the way of good decisions.
How To Stop The Spread of A Phishing Scam
With cyber threats on the rise, sharing this scam alert will help protect colleagues, friends and vendors.
Phishing by email, or by text message (known as SMiShing), is a hugely successful strategy hackers use. The best defense against accidentally turning over the company’s keys to the kingdom is to enroll in ongoing security awareness training.
Security awareness training is critical and can be the most effective tool to implement. If a phishing email gets past all of the security filters, the action taken by the email recipient can prevent or trigger serious problems within an organization. Done right, security awareness training is continual. Annual training isn’t enough. Hacking trends and tactics change regularly, and the messages look more and more authentic. Training should include samples of scams along with the red flags to look for, and quizzes to test knowledge levels. Simulated phishing emails should be sent regularly to test for weak spots and guide future training.
QR code email scams are a sneaky way to disrupt business and add unnecessary costs. By looking for the signs, regularly training your entire organization and reporting phishing scams quickly, you’re helping to keep your information and your company’s safe.
For the full post from the NJ Cybersecurity & Communications Integration Cell and the FBI’s announcement, click the links below.
Warning from NJCCIC – New Jersey Cybersecurity & Communications Integration Cell
FBI’s PSA – “Cybercriminals Tampering with QR Codes to Steal Victims Funds”