How attackers use QR codes and URL shorteners in email phishing

Email-based phishing attacks have plagued users for years, and cybercriminals keep finding new ways to lure unsuspecting victims. For example, phishing has evolved from mimicking legitimate websites or communications to trick users and businesses into providing passwords, credit card details, or other personal information into more sophisticated and personalized schemes, including spear-phishing and business email compromise (BEC).

Cyber criminals are now leveraging a wide array of advanced tactics like URL shorteners, AI-generated emails, embedded QR codes and even deepfake technology to further the credibility and successful execution rate of their attacks. Phishing campaigns often tend to target specific groups or organizations, fabricating an air of urgency or fear to manipulate victims into acting quickly and erratically.

Despite the considerable improvements in security measures, phishing remains one of the most prevalent and detrimental forms of cybercrime today, totaling 35.5% of social engineering attacks. The success rate of phishing attacks basically boils down to two things: firstly, their inherent adaptability and secondly, their ability to exploit human behavior.

In this article, we will examine two novel phishing tactics, namely, the use of QR codes and URL shorteners in phishing emails. Let's take a closer look at how these methods work and why they're popular among attackers.

The rise of QR code phishing

Remember when QR codes seemed like a novelty? Now, they're everywhere - from restaurant menus to public transit apps. However, this widespread adoption has created a new opportunity for cybercriminals.

QR code phishing, or "quishing," works by embedding malicious links in QR codes. When scanned, these codes direct victims to fake websites designed to steal login credentials or other sensitive information. The key to this method lies in its ability to bypass traditional email security measures and exploit our growing comfort with QR codes.

Our own research shows that around 1 in 20 mailboxes were targeted with QR code attacks in the last quarter of 2023. These attacks are particularly sneaky because they often force victims to use personal devices, which may lack the robust security measures found on corporate networks. By asking users to scan a QR code on their personal mobile devices the cyber criminals are removing users from secure work devices and the security systems in place to stop phishing attempts.

URL shorteners: A wolf in sheep's clothing

URL shorteners have become a common sight in our digital landscape. They're convenient for sharing long links on social media or in text messages but, they're also a favorite tool of cyber criminals.

Our research indicates that bit.ly was used in nearly 40% of social engineering attacks that included a shortened URL. The reason is simple: shortened URLs obscure the actual destination of the link, making it harder for potential victims to spot a scam.

The psychology of modern phishing

These novel tactics exploit our changing digital behaviors and expectations. We've become accustomed to scanning QR codes without a second thought and clicking on shortened links shared by colleagues or friends without checking the domain or expanded link. Cybercriminals are banking on this trust and familiarity to increase the success rate of their attacks.

Moreover, these methods often bypass traditional email filters. QR codes, for instance, are difficult to analyze using conventional email security tools. This gives attackers a higher chance of reaching their targets' inboxes.

Conclusion

Safeguarding businesses and individuals in a constantly changing threat landscape requires a comprehensive and meticulous approach to protection. Education and upskilling plays a critical role, with regular security awareness training that covers the latest phishing tactics, such as QR codes and URL shorteners. It’s essential to verify sources before trusting them, especially when dealing with QR codes and shortened URLs that appear unexpectedly.

Implementing robust email security is also vital, with AI-powered solutions that adapt to new threats beyond simply scanning for malicious links or attachments. Additionally, it's important to remain cautious of messages that create a false sense of urgency, as phishing attempts often exploit this tactic. Lastly, always check URL previews before clicking on links from QR codes to ensure their legitimacy.

As email threats continue to evolve, staying informed and vigilant is our best defense. By understanding the latest tactics and implementing strong security measures, we can better protect ourselves and our organizations from falling victim to these increasingly sophisticated phishing attempts.

By Pranay Manek, Systems Engineering Manager for Barracuda