Does That Suspicious Email Contain A QR Code?

In some cases, suspicious emails might contain QR codes to take you to a web site for further action :-

For example :-

From: UoP Helpdesk <>
Subject: Mail Quota

Dear User,

Your email quota is close to being used up. To enable additional quote, please fill out the form found on the link below :-

In general, QR codes can contain web site addresses, but because they are encoded, it makes it harder for you to read them (so you can’t think “Hey! That looks odd”) and harder for security software to process them.

Anywhere where they appear where an ordinary link would serve just as useful service, should add some suspicion. Painted on the side of the building is another matter.

For example, in the email above :-

  1. There is no “To” and your address doesn’t appear in it.
  2. The “From” address is wrong both in terms of the “name” (we don’t have a “Helpdesk”, we have a “Servicedesk”) and in the form of the address ( – look where the “@” is, and the presence of “” as part of the bit before the “@”).
  3. The salutation (“Dear User,”) is generic and not specific. Legitimate emails can be generic but it’s still a suspicion point to add to the overall score.
  4. The “Your email quota is close to being used up” adds a sense of urgency to take the action before bad consequences.
  5. And lastly using a QR code instead of a web site address so you can’t inspect the address adds more suspicion.

This entry was posted in Active Attacks, Email and tagged , . Bookmark the permalink.