Quick-response codes, better known as QR codes, can be used by attackers to trick users into visiting unsafe websites, downloading malware, or providing personal information. While VUMC Enterprise Cybersecurity continues to protect both patients and employees, employees need to help by recognizing and reporting suspicious activity in their day-to-day work.
As a rule of thumb, the only QR codes VUMC employees should scan are the ones found on various technology products, such as desktops, printers, and other hardware. These QR codes are used to help an employee submit a Pegasus ticket in 10 seconds or less. Read more about these codes here.
What is QR Code Phishing?
QR code phishing, or “quishing”, is when a QR code contains an unsafe or malicious link. Many of these codes arrive in phishing emails. If a user scans the code, they are at risk of unintentionally downloading a virus or exposing their personal information.
What to Look Out For
VUMC employees may receive phishing emails without recognizing them as phishing. Let’s look at some of the things users should look for in a suspicious email.
- QR Codes – If you receive an unsolicited email with a QR code, do not scan the code or go to any links associated with the email. Your first step is to immediately report it to phishing@vumc.org for review.
- Attachments – Look for attachments with suspicious or unfamiliar names or misspellings. If an attachment seems suspicious, verify its legitimacy with the sender through a different communication channel before opening it. If you do open an attachment, make sure you do not scan any QR codes embedded in the document. It’s important to always be cautious when opening attachments, especially if they are unexpected or from unknown sources. Remember, it’s better to be safe than sorry!
- Sense of Urgency – Another strategy used in phishing emails is creating a sense of urgency. If a suspicious email has an immediate deadline or is marked urgent, verify the information with a manager or leader before taking any action.
- Sender Display Name – Sender display names can be manipulated to look like a trusted source while being a disguise for a suspicious email address. A sender display name is the name that appears in the “from” line of an email. For example, below is a screenshot with the sender display name as Vanderbilt Health. While this email looks like it was sent from Vanderbilt Health, if you hover over the sender display name, you can see the email address does not match.
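To make the display-name check concrete, the following is an added example written for this page, not code from the VUMC article or its systems. It parses From: header values with Python's standard library and flags a display name that claims the Vanderbilt/VUMC brand while the real address is outside vumc.org; the brand keywords, the trusted-domain list and the sample headers are assumptions constructed for the demonstration.

```python
from email.utils import parseaddr

# Assumptions (not from the article): which display-name words claim the
# VUMC brand, and which sender domains are allowed to make that claim.
BRAND_KEYWORDS = ("vanderbilt", "vumc")
TRUSTED_DOMAINS = ("vumc.org",)


def sender_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def is_trusted_domain(domain, trusted=TRUSTED_DOMAINS):
    """True only for an exact trusted domain or a subdomain of one.
    'vumc.org.evil.example' does NOT qualify even though it contains 'vumc.org'."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def classify_from_header(from_header):
    """Classify a From: header value as 'unparseable', 'trusted',
    'brand-mismatch' (display name claims VUMC, address does not) or 'external'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    if is_trusted_domain(sender_domain(addr)):
        return "trusted"
    if any(keyword in name.lower() for keyword in BRAND_KEYWORDS):
        # This is the case from the article: the "from" line says Vanderbilt
        # Health, but hovering over it reveals an address that does not match.
        return "brand-mismatch"
    return "external"


# Constructed sample headers for the demonstration; none come from a real email.
SAMPLE_HEADERS = [
    "Vanderbilt Health <notifications@vumc.org>",
    "Vanderbilt Health <alerts@vumc-health-portal.example>",
    "Vanderbilt Health <noreply@vumc.org.secure-login.example>",
    '"Parking Services" <noreply@city-parking.example>',
    "not an address at all",
]


def report(headers=SAMPLE_HEADERS):
    """Map each sample header to its verdict."""
    return {header: classify_from_header(header) for header in headers}


if __name__ == "__main__":
    for header, verdict in report().items():
        print(f"{verdict:15} {header}")
```

The look-alike domain in the third sample is the reason the check uses an exact or subdomain match rather than a substring search.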

How to Protect Yourself
- Approach all QR codes with some level of skepticism. Does it look suspicious? Does the situation warrant a QR code? Have you verified its legitimacy with relevant parties?
- If you must scan a QR code, preview the link it contains and verify it before opening it.
- Use a QR code scanner that has security features built in, such as showing the link before opening it.
- Be wary of attachments in an email. If it looks suspicious or has misspellings, don’t open it and do not act on the instructions.
- Slow down and verify the legitimacy before responding or acting on an urgent email.
- Always double check the email address attached to the sender display name.
- When in doubt, always verify with VUMC Enterprise Cybersecurity. Call the Help Desk at 615-343-HELP (3-4357) or forward it to phishing@vumc.org so they can investigate and confirm its legitimacy.
Stay vigilant and remember, never approach things on autopilot. Take the extra minute or two to confirm before proceeding. If you have received a suspicious email or QR code, reach out to the Phishing team at phishing@vumc.org.