rss.shrm.org | Roy Maurer
A workplace phishing campaign armed with malicious QR codes has been spreading for months, according to the cybersecurity firm that uncovered it.
The campaign, discovered by Cofense in May, spoofs Microsoft security alerts directing employees to update their account’s security settings. The QR codes and redirect links send users to a phony web page to steal their Microsoft credentials.
Cofense reported that the campaign targeted multiple industries, including a major unnamed U.S. energy company. The volume of the campaign has increased by more than 2,400 percent since May and is still ongoing.
Evidence suggests QR code phishing attacks have escalated since the COVID-19 pandemic.
“Following the pandemic and scanning QR codes at restaurants, people have become very comfortable with scanning QR codes, don’t think twice about it and don’t fully grasp the risk associated with a malicious QR code,” said Linn Freedman, a partner in the Providence, R.I., office of law firm Robinson and Cole and chair of the firm’s Data Privacy and Cybersecurity Team.
She added that “it is important to understand that just like malicious code embedded in a link or an attachment in an email or text—which we have been trained not to click on—a threat actor can embed malicious code into a QR code with the same results.”
QR codes in phishing emails are not typical. It’s awkward, said Stu Sjouwerman, CEO of KnowBe4, a security awareness training provider in Tampa, Fla. “Despite this lack of…