H-ISAC TLP White: Observed Increase in QR Code Phishing Attacks September 19, 2023

A recent uptick in threat actors delivering phishing emails laced with malicious QR codes has been observed. Quishing, also known as QR code phishing, involves sending a seemingly time-sensitive email containing lures to trick the recipient into taking action and scanning an innocuous QR code. Once the recipient scans the unsolicited QR code, they are taken to a malicious website used to either download malware to the user’s device or steal sensitive information.

QR codes have increasingly become a common tool abused in phishing campaigns to augment malicious operations. According to security researchers, targeted attacks against firms in energy, manufacturing, insurance, technology, and financial services have been observed. These observations represent the first time that QR codes have been used at this magnitude, indicating threat actors are likely testing their effectiveness as an attack vector.

The identified malicious behavior further substantiates recent Health-ISAC member observations of similar attacks targeting their organization's personnel. Health-ISAC is distributing this communication to help raise awareness of the ongoing use of malicious QR codes leveraged in phishing campaigns and encourage organizations to assess their level of risk against this threat.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272