Hackers use phishing methods to try to trick you into clicking bad links, installing malware or providing personal information. This week, Information Technology Services would like to focus on a specific phishing technique that has been seen more often recently: QR code phishing. 

Example QR code

Like the barcodes you might find on items in a store, QR codes are a quick and easy way to store and retrieve digital information. Unfortunately, this convenience also makes it easier for bad actors to sneak malicious content, such as fake webpages or even malware, onto people’s devices.

Some QR code scanners, but not all, are capable of previewing content before opening it. With a scanner that does not, scanning a QR code might immediately open its contents before you know if it’s safe to do so. Additionally, email services don’t have the same protections against malicious QR codes that they have for links or attachments, so malicious QR codes can be more difficult to detect and block.

If you see a QR code in an email, use the following tips to check if it’s safe to scan:

  • Check for signs of a phishing email: 
    • Do you recognize the sender’s name and email address? 
    • Does it look like other messages you’ve received from that sender? 
    • Is the message suspicious or alarming? 
    • Does the message prompt you to do something you wouldn’t normally do via email? 
  • Were you expecting this email? 
    • If so, were you expecting to see a QR code? 

You may also want to check if your devices preview QR codes before opening their contents. You can try using the example code in this article, which will open a Microsoft article about QR code scams, but if you want to be extra-safe, you can try creating your own and scanning the result. 

Of course, if you receive a suspicious message on your Metropolitan State University of Denver email account, you should always report it to ITS. Don’t forget that the reporting method has changed!

 

Reminder: new phishing and junk email reporting

Users are now encouraged to report any phishing or junk messages using the built-in reporting functionality in Office 365. The exact method will vary depending on how you access your email: 

  • Outlook Web App (email.msudenver.edu): 
    • Right-click the offending email. 
    • Select “Report.” 
    • Select “Report phishing” or “Report junk” as appropriate. 
  • Outlook Mobile App:
    • Highlight the offending email. 
    • Tap the three dots at the upper right. 
    • Select “Report Junk.” 
    • Select “Phishing.” 

With this change, information on phishing attacks and campaigns will be collected faster, more efficiently and in greater technical detail, which will enable the University’s security team to better identify and respond to potential threats.  

Please note that reported messages will no longer be responded to, unless additional information or action is required from the reporting user. 

This is the final part of a series of articles for Cybersecurity Awareness Month. MSU Denver is proud to support the 20th year of this far-reaching online-safety awareness-and-education initiative, which is co-led by the National Cyber Security Alliance and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. For more information about Cybersecurity Awareness Month and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/.