Fake QR Codes Can Steal Your Credentials

3 November 2021

Fake QR codes

QR Codes are the simple way of setting up and configuring your 2-Factor Authentication, unfortunately whilst the simplicity of setting it up is great, it does mean that it can also be easy to manipulate for the benefit of hackers.

Recently, we have seem an increase into the number of phishing scams that are coming via email servers, that contain a fake QR code in a bid to steal your credentials, most notably your Microsoft 365 credentials.

The emails that we have seen being blocked through our spam servers are;

  • Hackers email you stating that you have a voicemail that has been left for you. The email contains a QR Code and explains that you can listen to the voicemail message by scanning the QR code. The QR code takes you to a fake but genuine looking website portraying to be your Microsoft 365 Portal, you enter your details into the website, and your credentials have been breached.

To evade detection, the hackers have used various methods to bypass email filtering.

  • The QR Codes are generated on the day of the email being sent, meaning spam filters detection engines would have been playing catchup, as the reporting systems would have been slower to catch up.
  • Compromised Outlook accounts that are genuine emails addresses have been used in order to bypass spam filtering systems.
How can you keep yourself safe?

Whilst QR codes are great for setting up 2-Factor Authentication, or quickly scanning to take you to a particular website, or product page, we still need to ensure that we remain vigilant when we are being directed to the website, and not handing over our credentials for no reason. For example, if you have received an email stating that you have a voicemail, the only genuine place that this would be emailed from would be your phone system.


When receiving the email we need to;
  • Check the validity of the sender – ensure that the email address matches your phone system
  • If you do not use Microsoft Teams for your phone system, ask yourself, why is the phone system asking for my Microsoft 365 credentials, at this point stop, and speak with your IT team.
  • The simplest way of compromising a QR code, is to intercept a genuine email and remove the genuine QR code with a fake one, this is difficult to spot, and it is about ensuring you know why you have received a QR code, and what that QR code should do for you once you have scanned it.
  • When receiving a QR code from an internal system or external business, you can always confirm the code with the relevant internal or external IT teams to ensure it is valid and safe.
  • When a QR code asks for your login details, verify that the website is a genuine website, but to be extra safe, avoid at all times entering your details until you know 100% that the request for your credentials is genuine.


If you are receiving emails like this, or have received QR codes in the past, and have any concerns contact a member of our support team who can help you verify that you have not been involved in a scam like this.