September 22, 2023

Beware of the latest phishing attack tactic: QR codes

Phishing continues to be one of the most used methods by attackers to gain unauthorized access to an organization’s network. An emerging trend in phishing attacks is the use of QR codes instead of direct links or attachments in phishing emails.

Recent examples include fake emails asking the user to re-authenticate two-factor authentication by using a QR code, or open a shared a secured file.

If you receive an unsolicited email with a QR code, do not scan the code or go to any links associated with the email. Your first step is to immediately report it to for review.

Things to keep an eye out for:

  • The sender of the email looks “off”. It’s important to first consider if the sender is expected. A sender can be unknown or sometimes “spoofed” to look like a known contact, or even appear to be from the recipient. This tactic will often have indicating factors that it’s a scam. Some can be identified by thorough examination and comparison to the format of the sender field to other legitimate organization emails.
  • The subject and body of the email have grammatical errors or provides links. The first question to ask is if the subject and the body appear to be something expected. These both will often contain grammatical errors and the body will either ask a user to click a link, scan a QR code, open an attachment, or reply to the email or another email address regarding purchasing something, providing money or gift cards, giving personal information, or receiving giveaway items.
  • The link in an email is asking you to take action. If a link is provided in the email, it will often ask the user to urgently reset a password, view or download documents, or request the user to login to learn more about what’s being described in the body of the email.
  • The attachment looks suspicious. If provided, attachments will often be made to look like it relates to the subject and body of the email. It may look like a web browser file, a zip file with a password provided in the body of the email, a fax message, a receipt, or even a voicemail file, such as .HTM or .HTML file extensions.
  • The email is already in quarantine. While security measures can make mistakes and identify legitimate emails as phishing, many times that is not the case. Please think twice before releasing an email from a quarantine mailbox.

If an email seems off or suspicious, workforce members should consult a fellow staff member or manager. Then call the Help Desk at 615-343-HELP (3-4357) or send the email to the VUMC IT Security Operations Incident Response team at