{"id":23897,"date":"2025-03-10T18:39:15","date_gmt":"2025-03-10T14:39:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/qr-phishing-protection-technology\/23897\/"},"modified":"2025-03-10T18:39:19","modified_gmt":"2025-03-10T14:39:19","slug":"qr-phishing-protection-technology","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/qr-phishing-protection-technology\/23897\/","title":{"rendered":"Checking QR codes in emails"},"content":{"rendered":"

In an attempt to bypass security solutions, attackers are increasingly hiding<\/a> phishing and other malicious links inside QR codes. It\u2019s for this reason that we\u2019ve added a technology to Kaspersky Secure Mail Gateway<\/a> that reads QR codes (including ones hidden inside PDF files), extracts links and checks them before they land in an employee\u2019s inbox. We explain how it works.<\/p>\n

\"Example<\/a>

Example of a phishing QR code inside a PDF file<\/p><\/div>\n

Why do attackers use QR codes?<\/h2>\n

\nEver since even basic security tools learned to check phishing links effectively enough, attackers have been inventing ways to hide them from scanners. The most commonly employed trick is to post links on third-party services; that way, victims don\u2019t receive an email directly from the attackers, but a notification from some legitimate site where a document with a malicious link is already placed. While such ploys work well on home users, with company employees the success rate is far lower. That\u2019s because any self-respecting organization these days has equipped all its work computers with security software<\/a> that catches redirects to phishing sites.<\/p>\n

Therefore, attackers have turned their attention to QR codes. First, this technology obligingly transforms regular URLs into something incomprehensible to standard systems that check links for malicious intent. Second, QR codes are common enough for people to scan them without a second thought. And third and most important, people overwhelmingly scan QR codes with a phone or tablet that may not have a security solution with anti-phishing technology \u2013 especially if it\u2019s a personal, not work, device.<\/p>\n

Plus, in this case, less suspicion is raised by the prompt to enter work credentials, which are what the attackers basically want. On a computer, the user is likely to be signed in already, but accessing work systems from a personal device requires additional authentication, right?<\/p>\n

\"The<\/a>

The goal of most phishing schemes is to extract work credentials<\/p><\/div>\n

Why are QR codes most often hidden in PDF files?<\/h2>\n

\nSure, a QR code can also be sent in the body of an email. But hardly anyone will follow a QR code without a few words explaining why they should, and this text can be analyzed and flagged as phishing. Besides, an image has certain characteristics\u00a0\u2013 at least its dimensions\u00a0\u2013 by which it can be identified.<\/p>\n

\"Phishing<\/a><\/p>\n

A PDF file, on the other hand, is a kind of black box. The format is proprietary\u00a0\u2013 you can\u2019t peek inside without special tools. In addition, the cover email can contain minimal text, something like: \u201cImportant! All information in the PDF\u201d<\/p>\n

\"Phishing<\/a>

Phishing email with a PDF file and minimal accompanying information<\/p><\/div>\n

How does our technology work?<\/h2>\n

\nOf course, a QR code in an email isn\u2019t always a sign of phishing. For example, mobile application developers often furnish their PDF documents and mailings with direct links to app stores. In general, it\u2019s a quick and easy way to send a link to a phone. That\u2019s why we can\u2019t mark each email with a QR-code as a suspicious. So our developers created a tool to extract URLs from QR codes for additional checking by anti-phishing modules and anti-spam heuristics.<\/p>\n

Not only can the technology extract URLs from QR codes in images, but also check PDF files \u2013 extracting all links from all QR codes found inside them. If a link is recognized as phishing, the email is also flagged as phishing and processed in accordance with the Kaspersky Secure Mail Gateway<\/a> settings. So the end user never even sees the dangerous QR code. The best outcome!<\/p>\n\n","protected":false},"excerpt":{"rendered":"

We\u2019ve added technology that checks QR codes in emails for phishing links. <\/p>\n","protected":false},"author":2598,"featured_media":23899,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,7,1917,1226],"tags":[19,390,76,1220,321],"class_list":{"0":"post-23897","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-products","10":"category-smb","11":"category-technology","12":"tag-email","13":"tag-pdf","14":"tag-phishing","15":"tag-qr-codes","16":"tag-technology"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/qr-phishing-protection-technology\/23897\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/qr-phishing-protection-technology\/28658\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/qr-phishing-protection-technology\/28775\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/qr-phishing-protection-technology\/39165\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/qr-phishing-protection-technology\/53146\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/qr-phishing-protection-technology\/28878\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/qr-phishing-protection-technology\/34724\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/qr-phishing-protection-technology\/34352\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23897"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23897\/revisions"}],"predecessor-version":[{"id":23898,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23897\/revisions\/23898"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23899"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23897"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}