From accessing a menu at a restaurant to paying for parking or boarding a flight — QR codes are everywhere.

Unfortunately, threat actors have found ways to exploit QR codes, often embedding them in phishing emails. Coalition Incident Response (CIR), an affiliate of Coalition, Inc., has seen a recent increase in cyber insurance claims involving QR codes.

Like any other technology, QR codes aren’t inherently risky, but users should consider a few things before scanning one. 

How do QR codes work, and how can they be exploited?

Users scan QR codes with their smartphone cameras to decipher the information stored in a QR code’s black and white squares. As easy as they are to use, QR codes are also easy to create. Websites are available to generate free QR codes that redirect users to visit a website, download a PDF, connect to WiFi, and more. 

Cybercriminals are increasingly pairing QR codes with phishing emails that redirect users to a malicious link to harvest their credentials or deploy malware. Because QR codes are scanned using smartphones, they bypass security controls like endpoint detection and response (EDR). QR codes also bypass URL scanning performed by email providers.

Using QR codes with phishing emails to increase plausibility

Most users are familiar with poorly written phishing emails that trick them into taking urgent action. Threat actors have adapted and are sending emails that look authentic while still applying pressure on the reader to act quickly. CIR has observed threat actors who impersonate HR or payroll departments and email QR codes to employees that allegedly link to benefits or payment documents. 

Most often, phishing attacks that use QR codes lead to funds transfer fraud (FTF) events in which threat actors gain access to an email inbox and redirect payments into accounts they control. However, phishing with QR codes can sometimes provide threat actors with elevated access to a company’s network, allowing them to disrupt business operations. 

Case study: QR code phishing leads to attempted ransom

An employee at a healthcare provider seemingly received an email from HR with a QR code to access their health benefits information.* The employee scanned the QR code with their personal phone and logged into the website.

Both the email and the QR code were malicious. The threat actor now had the login information for the healthcare provider’s global administrator, a user with elevated access and permissions within the network. The threat actor logged into the admin’s account and took control of the company’s Azure instance, changing passwords and deleting accounts to prevent employees from logging in and removing them. Once they had complete control of the company infrastructure, the threat actor attempted to ransom the company for $20,000.

The healthcare provider selected CIR via our incident response firm panel to help recover the email tenant, remove the threat actor, and perform an investigation. Ultimately, the policyholder did not pay a ransom, but they did have to work directly with Microsoft to regain control of their Azure instance. 

In totality, the business remained offline for roughly a week. CIR could only complete a forensic investigation to confirm the threat actor was no longer present after the business regained access to its Azure instance. It's uncommon for any business experiencing a business email compromise (BEC) incident to remain offline and locked out of their account for an extended period.

The claim for this incident is still ongoing, and Coalition continues to work with the policyholder to determine all financial losses. Thus far, the breach counsel and CIR's costs will be covered by their Breach Response coverage.

What do users need to look out for?

Before users scan any QR code, they should pause to evaluate its legitimacy:

• Exert caution with QR codes sent over text or email. Successful phishing attacks rely on users taking immediate action. Users should always verify the legitimacy of emails and text messages that require them to log in.

• Avoid entering credentials on mobile devices. Computers are often protected with security controls, like EDR or multi-factor authentication (MFA). Users should avoid entering company credentials on their personal smartphones. Credentials are usually only required once to log into mobile applications, making these requests even more suspicious. 

• If a QR code opens a link, examine the URL. Both Android and iOS will display a portion of the URL that QR codes open. Users should closely examine the URL for any inconsistencies that may point to a phishing attack. For example, if users receive a QR code from HR but the URL redirects through another website (Bing, Facebook, etc.), that indicates the QR code may be malicious.

Companies can take additional preventive measures by training their users to look out for phishing emails and fraudulent QR codes. The goal is for employees to ask themselves, "Why would HR need to send me this?" and report the suspicious email.

Businesses looking to enhance their security posture can sign up for around-the-clock monitoring with Coalition Security Services Managed Detection and Response (MDR) provided by CIR. CIR regularly deploys endpoint detection tools during cases to monitor networks during the restoration process. MDR is designed as a preventative and restorative security solution that can help protect businesses from persistent cyber threats.

Learn more about MDR from Coalition Security Services.

*The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.

Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.