Kaspersky Warns of Surge in Phishing Emails Using Malicious QR Codes
Cybersecurity company Kaspersky has reported a sharp rise in phishing emails containing malicious QR codes, highlighting a growing tactic used by cybercriminals to bypass traditional email security controls and target employees.
According to the company’s latest findings, detections of phishing emails with QR codes increased dramatically from 46,969 in August to 249,723 in November, a more than fivefold rise in just three months. The surge reflects a broader shift toward QR codes as a low-cost, highly effective way to conceal malicious links.
Attackers are increasingly embedding QR codes directly into email bodies or, more commonly, inside PDF attachments. This approach helps obscure phishing URLs from automated detection systems. It also encourages recipients to scan codes on mobile phones, which often lack the same level of security as corporate desktops or laptops.
Malicious QR codes are now appearing in both large-scale phishing campaigns and more targeted attacks. Once scanned, the codes may direct victims to fake login pages designed to steal credentials for services such as Microsoft accounts or internal corporate systems. In other cases, the emails pose as HR notifications, urging employees to review documents related to leave schedules or staffing updates, ultimately leading to credential-harvesting websites.
Another common tactic involves fraudulent invoices or purchase confirmations delivered as PDF attachments. These campaigns are sometimes combined with vishing, prompting victims to call phone numbers included in the document to dispute a transaction, opening the door to further social engineering and financial fraud.
“These tactics exploit trust in routine business communications and can result in credential theft, account takeovers, data breaches, and financial losses,” said Roman Dedenok, Anti-Spam Expert at Kaspersky. He noted that the rapid growth observed in November shows how attackers are capitalising on QR codes to target users on mobile devices, where security controls are often weaker.
To mitigate the risk, Kaspersky advises organisations to strengthen email security with solutions that detect QR code-based threats, including advanced image analysis at the email gateway, alongside user awareness and safe scanning practices to reduce exposure to credential compromise and follow-on attacks.

















