Windows 11 Update QR Code Phishing Scams: How To Spot Fake Emails

Microsoft’s decision to end support for its Windows 10 operating system this fall means that businesses will need to ensure that their hardware can support the Windows 11 upgrade.

The necessary OS upgrade has also created a window of opportunity for cybercriminals.

Hackers are fully aware that Microsoft will stop supporting Windows 10 on October 14, meaning you’ll no longer receive free program updates, critical security patches, or technical support.

So, businesses will either need to upgrade their Windows 10 devices to the new operating system, install the OS on supported devices, or replace any devices that don't meet the Windows 11 system requirements.

Cybercriminals are taking advantage of this period of flux to launch Windows 11 phishing schemes in order to trick unsuspecting users into accidentally doing something that can set off a cyberattack or data breach, such as clicking on an infected link or downloading a malicious file.

In this article, we’ll explore the ways in which cybercriminals are increasingly using phishing emails embedded with QR codes as a new line of attack to sneak into your systems to steal or compromise your data.

With this information, you’ll know what to watch for with these new phishing attempts and how to protect your business and sensitive information.

Windows 11 Update Phishing Scams: How They Work

Although Windows 11 was first released on October 5, 2021, the latest cyber incidents involving the operating system are designed to take advantage of this prime period as businesses and individuals look to upgrade to the new OS before the October 14 deadline.

Related Article: Windows 10 End of Life (EOL): Do Your Devices Support Windows 11?

Cybercriminals are sending emails impersonating Microsoft itself. On the surface, the fake emails purportedly from the company look legit: they use proper wording and grammar, and seem to have the correct Microsoft domain name.

One new wrinkle with these fraudulent email techniques is that they include a QR code.

In one example, the message within the email body reads:

“Dear (generic title)

To enhance security and streamline access to Office 365 services, we are implementing a new authentication process for mobile device access.

Action Required:

• Open your mobile device’s camera application.

• Scan the QR code provided in this email.

• Log into your Office 365 account using your credentials.

• Follow the on-screen instructions to complete the authorization process.”

The instructions are followed with a warning highlighted in red that reads:

“Failure to complete the authorization within 24 hours will result in access loss on your mobile device due to a cybersecurity issue.”

The urgency of the warning and call for immediate action is a common red flag signaling that it’s probably a phishing attempt.

What’s more, with this particular phishing email scam, when a user scans the QR code, the person is redirected to a malicious website. Once there, hackers bait individuals into entering personal information that the bad actors can then use to launch a malware or ransomware attack.

Although these latest phishing schemes are focused on Windows 11 updates, using QR codes to trick users into taking some harmful action has been on the rise in recent years.

One such Microsoft phishing scheme targeted the University of Pittsburgh in 2023. 

Cybercriminals sent out a QR code email threatening to delete all of the user’s Microsoft 365 applications, files, and emails, including Word, Excel, Outlook, and PowerPoint, along with cloud-based services apps like Teams and OneDrive, if the recipient didn’t scan the QR code within it.

In that particular email QR code scam, the subject line read: “ACT FAST NOW!!!”

These social engineering schemes have many variations and come in lots of different forms.

For example, bad actors often use phishing emails, malicious websites, and urgent pop-up warnings to prey on human emotions and convince them to take some action that will give them an opening into your network.

How To Spot Fake Microsoft Emails And Other QR Code Phishing Scams

According to published reports, 91 percent of cyber incidents start with a phishing email. The variety and sophistication of phishing attacks are making them increasingly harder to detect—even for cybersecurity experts.

Besides email phishing, other common types of phishing schemes include smishing, vishing, spear phishing, and business email compromise (such as whaling).

Employees tend to be overly confident in their ability to spot and avoid such scams, according to a newly released report by cybersecurity company KnowBe4.

While 86 percent of surveyed employees said they could confidently identify phishing attempts, nearly half admitted to falling for some type of cyberattack—including 24 percent who were a victim of a phishing attempt, according to the findings of KnowBe4’s “Security Approaches Around the Globe: The Confidence Gap” survey.

Today, hackers are using advanced tools like artificial intelligence and expanded financial resources to launch stealth ways to gain access into your network. 

Related Article: Deepfakes And AI Scams: How To Spot Them And Protect Your Business

Here are 10 top red flags that an email could be a phishing attempt:

• incorrect domain name
• poor grammar, spelling, or punctuation
• urgent tone calling for immediate action
• generic greetings
• requests for personal, login, or account information
• misaligned or poor quality images/logo
• prompts to click on a link, download a file, or scan a QR code
• random, fake virus pop-up alerts
• unexpected invoice or payment requests
• lack of security protocols (such as HTTPS)

What To Do If You Suspect An Email You Received Is A Phishing Attempt?

With the Windows 11 upgrade QR code phishing scams, be wary of unsolicited emails or phone calls alleging to be from Microsoft; the company won’t contact you about upgrading to Windows 11.

Although these types of social engineering schemes are getting harder to spot, there are concrete steps you can take to strengthen QR code email phishing prevention within your organization. 

1. Scrutinize emails:

• Carefully inspect unsolicited emails, particularly those with suspicious links or QR codes that require you to take some urgent action.
  
  
• Don’t scan any QR codes, click on any links, or open any attachments you believe are suspicious.
  
  
• Find another secure way outside of the email to verify that the information being requested is legitimate.
  
  
• Verify that any other emails and contact information within the email are accurate.

2. Verify website authenticity:

• Always use caution before clicking on links. Before clicking on a link from an unknown source, check to make sure that it’s legit.
  
  
• Make sure the URL is safe. Secure websites use hypertext transfer protocol secure (https), with https:// at the beginning of their URLs (although this isn’t always fool-proof).
  
  
• Hover over the suspicious link without clicking on it to compare the URL to the actual one. Look for any differences, such as typos, extra characters, or incorrect domain names and extensions.

3. Use strong security tools:

• Use robust antivirus and anti-malware software, spam filtering software, and next-generation firewalls to continually scan web traffic and emails and block threats.

Related Article: How Zero Trust Can Streamline NIST & CMMC Compliance For Your Business

• Use multi-factor authentication, an intrusion detection system (IDS), and endpoint protection security solutions to further protect your network, data, and devices.

4. Provide employee security awareness training

• Although employee cybersecurity education is part of your organization’s comprehensive security measures, it’s one of the most important ways to protect your business and IT infrastructure from lurking threat actors.
  
  
• Human error is responsible for upwards of 90-95 percent of data breaches.
  
  
• Regular employee cybersecurity training is a cost-effective solution to educate employees about the latest cyber schemes and how to avoid them.

5. Update your software:

• Schedule automated updates and patches of your software applications to ensure you’re using the newest version and receiving critical security fixes to fight new and emerging cyber threats.
  
  
• Using outdated software could send a signal to cybercriminals that your devices and systems are no longer getting manufacturer technical support or patches, leaving them vulnerable.

Related Article: 8 Hidden Cyber Risks That Might Be Lurking Within Your IT Environment

6. Report suspicious activity:

• According to the Knowbe4 survey, 56 percent of employees say they’re “very comfortable” reporting security concerns, yet 1 in 10 still hesitate to do so out of fear or uncertainty.
  
  
• By reporting their suspicions, this can allow your security team to quickly stop the threat in its tracks to prevent further intrusion within your network, evaluate the suspicious activity, and take any necessary action to eliminate the threat before it causes greater harm.
  
  
• Federal and state cybersecurity regulations often require businesses to report cybersecurity incidents, often within a specific timeframe following the event.

7. Clear your browsing history:

• Employees should regularly clear their browsing data by wiping their browser’s cache and cookies.
  
  
• This can boost your business’ privacy and security by helping to prevent unauthorized access and remove sensitive information.

8. Turn off your devices:

• Turn off your devices whenever possible.
  
  
• By cutting off access, this simple security measure can help make it harder for hackers to exploit hidden vulnerabilities.

The Bottom Line With Windows 11 Upgrade QR Code Phishing Campaigns

When it comes to email security, distinguishing between what’s real and what’s fake is becoming increasingly harder to do.

After reading this article, you now understand how bad actors are using the Windows 11 upgrade as an opportunity to launch new phishing campaigns.

As with any such cybersecurity threats, being prepared can save you from significant headaches down the road.

At Kelser, we write articles like this one to provide useful information to help small and medium-sized business owners like you make informed decisions about IT solutions that are right for your company, whether you choose to work with us or not.

Do you know if your devices can support the free Windows 11 upgrade? Need help checking your devices or installing the latest Microsoft OS? Click the button for a free, Windows 11 upgrade guide.