Police warn of QR code phishing attacks

Bank fraud - PhishManager

The Dutch National Police are ringing the alarm bells for phishing attacks that contain QR codes. Scammers are are impersonating banks in the Netherlands and sending e-mails and even paper letters that contain QR codes that point to phishing websites.

These phishing mails copy the bank logo and other details to look legitimate. In some cases they even include the IBAN number of the victim. The message in this attack is instructing the recipient that they have to request a new banking card by scanning the (malicious) QR code with a smartphone. Upon visiting the phishing website the victim logs in at which point the attackers capture the credentials.

Risks of QR codes

A QR code (abbreviated from Quick Response code) is a type of two-dimensional barcode that can contain data including links to websites. QR codes can easily be scanned by smartphones and are a convenient method to quickly exchange data. QR codes are convenient because it saves people from manually typing an URL. These codes also prevent accidental typo’s.

QR code example
QR code example containing the phrase “Hello World” (non-malicious)

As convenient as QR codes may be, one should never trust any QR code to be authentic. For example in the past criminals have generated and printed their own QR codes to paste over POS terminals in China as early as 2017. This attack directs the victim’s funds not to the shop but to a criminal. A QR code in itself is not trustworthy and there’s no proof that the QR code you see has not been modified or malicious in any way.

To further increase the odds of the attackers they are also using URL shorteners, a method commonly used by phishing groups to obfuscate the phishing URL the victim will be sent to. URL shorteners are simple services that take a long URL (phishingsite.bad) and turns it into a shorter URL (btly.com/3253253). URL shortening services became very popular partly because of twitter which has a character limit. When you click on the shortened URL (btly.com/3253253) you are then redirected to phishingsite.bad and this is popular in phishing because the attacker is borrowing the legitimacy of the URL shortening domain.


  • It’s always good to stay alert. Don’t trust just any QR code.
  • If you don’t trust an email then don’t follow a QR code and don’t click any of the links and never reply.
  • If your bank really wants you to perform certain actions then go directly to their website as you would normally do.
  • You may also want to contact your bank about any suspicious communication being sent out under their name.

Recommendations for businesses

If you run a business and are concerned of sophisticated phishing attacks targeting your employees then you want to invest in security awareness training to mitigate risk. Effective security awareness training helps employees understand the security risks associated with their actions, proper cyber hygiene and to identify cyber attacks they may encounter via email and the web. Phishing simulation plays a large role as it functions as a diagnostic test and ensures memorized training. Partnering up with platforms like PhishManager is a great way to prevent employees from falling for actual phishing attacks that could have large repercussions.

About us

PhishManager helps businesses increase their defenses against phishing attacks. Our service uses on-demand training and “simulated phishing” to train your staff to recognize and report suspicious emails. By helping your staff attain practical security awareness skills, we also give you insights into the risk profile of your business and significantly lower the chances of compromise by cyber criminals.