The use of QR codes has increased since the COVID-19 pandemic, appearing everywhere from stores and restaurants to transit stations and events. They are even used online or sent through email to help users download applications or log into platforms.

While a convenient way to share information like URLs, contact details or payment instructions, QR codes can also be exploited by cybercriminals to steal personal data or take control of a user’s device.

Users who scan a phishing QR code may be directed to a malicious website, such as a fake login page that collects user information, or have malware downloaded onto their device.

Brock’s Information Technology Services (ITS) team advises users to be cautious when scanning QR codes and to look out for the following phishing warning signs:

• Phishing messages sometimes contain urgent or threatening language, such as losing access to an account, to pressure users into responding.
• Messages requesting sensitive information over email or text, such as a message to update account or banking information, can rarely be trusted and should be reviewed carefully for links to fake or malicious websites.
• If a message seems too good to be true, such as unexpected job offers or contest winnings, are often signs of phishing.
• Unexpected messages, such as shipping updates or receipts for items the recipient didn’t purchase, are often signs of phishing.
• Messages with incorrect information, such as the sender’s display name and email address or links that don’t lead to official websites, or spelling and grammatical errors can be signs of phishing.
• Phishing messages often contain unrequested or suspicious attachments, such those with odd file names or uncommon file types.
• Unprofessional design, such as incorrect or poor-quality logos, can be signs of phishing. Users should keep in mind, however, that phishing messages sometimes fraudulently include an organization’s logo and other branding images to appear legitimate.

Question about phishing or suspicious emails can be sent to ITS at itsecurity@brocku.ca, where all members of the IT Security team will be able to investigate and respond.