QR Code Phishing

QR code phishing emails are trying to compromise your LSE login credentials


26 September 2023

LSE staff and students are reporting more QR code phishing. Please exercise caution – these phishing emails are very deceptive!

To recap, phishing emails are a form of social engineering, which uses psychological manipulation to steal personal information and compromise accounts. You can find more about phishing here: Iron Rule 1 | Beware of Phishing (lse.ac.uk)

MFA (Multi Factor Authentication) provides significant protection against compromise. However, phishing is intended to trick users with social engineering techniques, thereby getting around the controls we put in place, so please remember that technology-based solutions aren’t perfect.

These kinds of QR code phishing emails are trying to compromise your LSE login credentials. Typically, they show a QR code (redacted in the following examples) for you to scan with your phone, and after asking you to input your LSE password, they will attempt to bypass your MFA.

In this first example, the QR code phishing email is saying you need to scan the code to fix your MFA settings:


[Screenshot of the phishing email, QR code redacted]

Please note – LSE will never tell you via email to reset your LSE MFA by scanning a QR code.

Here’s another example saying the QR code needs to be scanned to set up your LSE MFA:

[Screenshot of the phishing email, QR code redacted]

What’s wrong with this email? Immediately, we have the same red flags as the first example, where you’re being asked to scan a QR code that you didn’t request in order to maintain security. You can also see grammatical errors – for example, “Lse” isn’t capitalised properly. The sender’s email address was from a non-LSE domain (but you can’t see this, as it has been redacted in the screenshot for security).

In other cases, these phishing emails claim you won’t receive emails in your LSE inbox unless you scan the code:

[Screenshot of the phishing email, QR code redacted]

Pause and think! Social engineering typically creates a sense of urgency and threatens you with consequences if you don’t comply quickly.

If you see QR code phishing, please report it to phishing@lse.ac.uk as a .eml/Outlook attachment by using the “Forward as attachment” option. Every report helps, even if it seems obvious to you! Please also encourage your colleagues and course mates to report QR code phishing (or anything else suspicious) to us the same way.