Security experts warn of an innovative phishing technique that bypasses traditional defences, putting users at heightened risk
Cybercriminals are exploiting the widespread use of QR codes with a dangerous new phishing method called “Unicode QR Code Phishing,” which has been uncovered by security firm SlashNext. This latest tactic effectively bypasses traditional security measures, demanding immediate attention from both users and cybersecurity professionals.
QR codes have become an integral part of digital life, providing quick access to websites and information. However, this convenience has also made them a prime target for cybercriminals. Hackread reported a staggering 587 per cent increase in QR code phishing attempts in early 2024, with Check Point Software Technologies identifying 20,000 attack instances in just the first two weeks of the year. These statistics underscore the growing vulnerability of QR codes to malicious activities.
Typically, QR code phishing involves embedding image-based codes in emails or messages, which, when scanned, redirect users to malicious websites or trigger harmful actions. Many security vendors have developed tools to detect and block these threats effectively. However, cybercriminals have now devised a clever workaround: creating QR codes using Unicode text characters instead of images.
This “Unicode QR Code Phishing” method presents a significant challenge to conventional security defences, as most tools are designed to scan for suspicious images, not text-based codes. These Unicode QR codes, despite being text-based, are easily readable by smartphone cameras, making detection even more difficult. The same code can appear differently in plain text compared to how it’s rendered on a screen, further complicating identification.
The implications of this new phishing tactic are serious for both security professionals and end-users. Many existing QR code detection mechanisms may be rendered ineffective against this approach, putting even cautious users at risk.
SlashNext’s research stresses the importance of a comprehensive, multi-layered security strategy to combat these evolving threats. As phishing attacks are no longer confined to emails, they can now occur across various platforms.
To protect against these attacks, users are advised to avoid scanning QR codes from unknown sources, particularly those in emails or messages. It’s also crucial to verify the source of any QR code information found in public places before scanning.
