Skip to content

Staying Alert: QR Code-based Phishing

The phishing message captured in the images below was recently sent to many Duke email addresses. The IT Security Office would like to highlight what these QR code-based phishing attacks look like, as well as how good our attackers are becoming at utilizing things like branding to their advantage.

In the first image you can see the original email message, pretending to be from Duke payroll and containing a PDF file as an attachment. In the second image you can see the contents of that PDF file, which included a QR code linking to a phishing form asking for NetID credentials.

This attack highlights why the ITSO are urging caution against the use of QR codes in digital spaces. Attackers are leveraging these barcodes as a way to work around any blocking/visibility that security teams may have.

QR codes make sense in the physical world where links are unwieldy, but in digital formats it's better to use a link. We would strongly encourage everyone to avoid scanning QR codes that arrive in your inbox, your text messages, etc.


A phishing email with a PDF attachment containing a QR code.
A PDF file used for phishing via a QR code.