Your Spam Blocker Won’t Protect You from This New Email Scam—Here’s What to Know

Jaime Stathis

By Jaime Stathis

Updated: Jan. 31, 2024

Email with QR code on a fishing hook, QR code email phishing conceptRD.COM GETTY IMAGES (2)

Quishing scams are clever, but they're easy to avoid if you know what to do

Just as we become savvy to the latest online scams, con artists come up with another clever way to evade our email providers’ spam blockers. Phishing is one of the most common types of cyberfraud—where the ultimate goal is to steal your personal information or install spyware or ransomware on your device—and scammers are always looking for new ways to trick you.

Cybersecurity is the ultimate game of cat-and-mouse, which means it’s at least partially reactive,” says Monica Eaton, owner and founder of Chargebacks911. “Fraud threats are constantly evolving, and unfortunately, cybercriminals never stop seeking new and novel ways to defraud victims.”

But what’s new in the world of email scams? It’s called quishing—the latest iteration of phishing—and there are a few things you should know to stay safe.

Get Reader’s Digest’s Read Up newsletter for tech, humor, cleaning, travel and fun facts all week long.

What is this new email scam?

A new form of phishing, quishing is designed to bypass spam filters. To accomplish this, cybercriminals do not include words in the body of the email. Instead, they use a QR code. According to Paul Bischoff, a privacy advocate at Comparitech, quishing is a standard phishing scam in which recipients are tricked into navigating to a fake login page controlled by the attacker. “Instead of a link or attachment, however, it urges recipients to scan a QR code,” he says. If you receive a quishing email, you’ll open it and see what looks like a legitimate QR code, and there may also be words instructing you to scan the code.

There isn’t data on how many people have fallen for this email scam just yet, but security researchers at Inky, which specializes in phishing solutions, have identified 500 emails targeting various organizations in the United States and Australia.

Why can quishing evade spam blockers?

Example of a scam email with QR codeRD.COM

“The best way to understand how and why this scam is so successful is to take a step backward and consider the thought process that originally created your email’s anti-spam protection,” Eaton says. Spam filters are designed to read words, but scammers have gotten clever and embedded words into an image that contains both text and a fake QR code.

Since they are simply image files, QR codes do not trigger spam blockers, says Chris Hauk, a consumer privacy champion at Pixel Privacy.

Standard text analysis doesn’t work on images, and filters won’t detect the words embedded within the image. “Spam filters normally analyze text to determine whether a message is spam or not, such as scanning for common keyphrases used by scammers,” Bischoff explains, which is why this new email scam sneaks through even the sturdiest spam filters.

Who is at risk?

So far, quishing scams have focused on companies. These emails ask employees to click the link to update their information. But Hauk cautions that anyone with an email address can be targeted. “While phishing schemes targeting companies make the headlines, plenty of phishing schemes target regular users too,” and that includes the fake QR code scam.

What can happen if you fall for this scam?

“You may be tricked into paying money to the scammers,” Hauk says, adding that the QR code could install malware onto your device or computer. Bischoff warns that victims may also be tricked into handing over account usernames and passwords, which is why strong passwords and two-factor authentication are so crucial to helping you stay safe online.

Bischoff adds that bad actors sometimes pose as authority figures and try to get you to fork over money to pay a bogus bill or other fabricated fees. The goal is to make you act out of fear.

How can you identify and avoid a quishing scam?

Don’t click on QR codes in unsolicited emails. “While they are convenient to use, QR codes can contain all sorts of malicious surprises,” Hauk says, and the risk isn’t worth it. But what if you’re worried that the sender is legitimate and follow-up is required to avoid consequences? In that case, you should carefully look at the sender’s email address and ensure there isn’t an extra dot, dash or underscore, which may signify an imposter account.

Eaton says that people reason with themselves, thinking if the email wasn’t official, their email filter would’ve flagged it. But she points out that users can be lulled into a false sense of safety. “There’s a psychological aspect to this scam as well: QR codes look official,” she adds. “Most people don’t have the know-how or IT skills to make QR codes on their own, so it’s more plausible for them to assume that this fancy-looking code must’ve come from a reliable, official source.”

What should you do if you fall for this scam?

If you fall for this QR code email scam, take the same steps as you would for any scam. “Contact the authorities, keep an eye on your banking and credit card statements, monitor your credit and perhaps even put a freeze on new accounts,” Hauk says.

Other tips to avoid email scams

Eaton points out that cybercriminals are some of the most creative, out-of-the-box thinkers, and sometimes, it’s almost admirable how much ingenuity can go into their schemes. “But when you stop and consider the harm they’re doing to innocent, unsuspecting people, you feel less admiration and more concern: One bad actor with an ounce of creativity can trigger widespread havoc on an international basis,” Eaton says. Here are some other tips to avoid email scams.

  • Never scan unsolicited QR codes.
  • Never provide your personal information in response to an unsolicited request.
  • Never click a link or open an attachment in an unsolicited email or message.
  • At work, take your IT department’s cybersecurity training seriously.
  • IT departments should allocate resources to prevent future actions, not just based on employees’ past actions. “Yes, it’s always good to know what’s happened in the past, and someone’s previous behavior is often indicative of future actions,” Eaton says. “But if you’re only focusing on what’s already been done, you’re going to have a gaping blind spot in your cybersecurity: When a criminal tries a new tactic or a new scam, you won’t be ready. You won’t even see it coming until it’s too late.”

About the experts

  • Monica Eaton is the owner and founder of Chargebacks911, a company that helps consumers reverse charges to their debit or credit cards after fraud.
  • Paul Bischoff is a privacy advocate and an editor at Comparitech, a pro-consumer website that helps readers improve their cybersecurity and privacy online. He is a regular commentator on cybersecurity, privacy, encryption, fraud, censorship, tech and more in national and international media.
  • Chris Hauk is a consumer privacy champion at Pixel Privacy. He has more than 25 years of experience in the IT industry. Chris gives advice and creates easy-to-follow tutorials to help people protect their privacy and stay safe online, even if they have zero technical knowledge.

Source: 

  • INKY: “Fresh Phish: Malicious QR Codes Are Quickly Retrieving Employee Credentials”
Four featured Mobile Apps For Security And Privacyvia merchant (4)

The Best Apps for Security

google logo in a location marker with a dark blue circuit illustration as the backgroundRD.com, Getty Images (2)

What Does Google Know About You?

venmo logo with alert icon over dollar signs backgroundrd.com, Getty Images

The Most Common Money Scams

Originally Published: October 27, 2023

Author
Jaime Stathis
Jaime writes about technology, cybersecurity, careers, retirement, travel and everything related to being a human being on a constantly evolving planet. Jaime is insatiably curious and still trying to figure out if she prefers the mountains or the ocean—and realizes this might be a lifelong puzzle to solve.
Read More
Jaime Stathis