Cybercriminals are hiding QR codes in PDF attachments as a way to sneak past security filters and gather sensitive information, according to a recent report by cybersecurity solutions provider Barracuda.
This scheme, known as “quishing,” has become a concerning development for cybersecurity teams trying to protect users from phishing attacks.
Over a three-month period between June and September, Barracuda’s research team detected approximately half a million phishing emails that utilized QR codes in PDFs. Unlike traditional phishing emails that include direct links, these messages rely on recipients scanning a QR code with their mobile phones, making detection challenging.
“Traditional email threat scanners can miss phishing content and malicious payloads if they are embedded within PDFs,” said Kyle Blanker, manager of software engineering at Barracuda. “This makes QR codes an attractive method for attackers to bypass detection.”
Typically, attackers use well-known brands, such as Microsoft and DocuSign, in their fake emails to convince recipients to scan the QR code. When scanned, the code leads victims to phishing websites where criminals attempt to capture login credentials or financial data. In these cases, attackers exploit brand impersonation to gain the victim’s trust, Barracuda noted, with Microsoft brands impersonated in 51% of attacks.
“These attacks can easily evade traditional email filters, making them difficult to detect,” said Adam Khan, Barracuda’s VP of Global Security Operations. “Organizations must adopt multilayered security with advanced AI that examines not only links and attachments but also potential impersonation within attachments.”
Educating users on the risks of scanning QR codes from unknown sources and enabling multi-factor authentication are essential measures, Barracuda added, to defend against evolving phishing techniques.