A new phishing campaign is targeting employees with fake HR emails about performance reviews. The messages create urgency, mention pay updates and benefits, and include a QR code to access the file.
Security researchers warn this is a classic "quishing" attack. Because the destination URL is encoded in an image rather than written as a link, link-scanning security tools on the workstation never see it, and the victim is pushed onto a personal phone, where the URL is harder to inspect and corporate protections usually don't apply.
Red Flags to Watch For
Several signs indicate a scam. The sender's email address doesn't match the company domain. The greeting is generic, like "Dear Techtips," rather than the employee's name. The email creates a false sense of urgency with a deadline and marks the message as "high importance." The QR code is the exclusive call to action, bypassing normal login procedures for recognized HR platforms like Workday or ADP.
QR code scams are growing because users trust the format. Scanning a malicious code can lead to credential theft, malware installation, or further compromise of company systems.
Protection Measures
Experts advise employees to never scan unexpected QR codes. Instead, access HR systems directly through known URLs or bookmarks. Verify the sender's full email address, watch for generic greetings, and confirm suspicious messages with HR through a trusted channel. Enabling two-factor authentication provides an additional layer of protection even if credentials are stolen.
The core defense is simple: when sensitive information is involved, don't trust the path an email provides. Use your own verified path instead.