Phishing Alert: Credential Phishing via QR Code

How this Scam Works

Members of the WashU community are being targeted by criminals using malicious QR codes to steal valuable and personal information. The QR codes targeting WashU credentials lead an unsuspecting victim to a fake WUSTL Key login page. If the victim enters any information on the malicious login page, they will unknowingly provide the criminals direct access to any data entered.

QR codes are a popular way for many legitimate organizations to share links, but, like all links in emails or texts, they are easily weaponized by criminals. These malicious QR codes can be embedded in an email, on a website, or even posted on a piece of paper hanging in public.

The example below shows a hacker informing the recipient that if they do not scan the QR code, it will result in their account being terminated. The QR code attached will lead the victim to a login page, where they are directed to enter their credentials.

In this example, the hacker tries to get the recipient to verify their two-factor authentication. For your safety, the QR code below leads to our real website. In the scam, the QR code leads to a fake Outlook log-in screen.

Once a hacker obtains credentials, they enter login information and trigger a Duo notification through either a call or push notification, hoping their victim approves it.

For more information about QR code attacks, please see the following article from our July 2022 issue of SECURED.

What you should do

You should never scan a QR code if you aren’t sure of the source. When scanning a QR code, look at the link before you travel to the website and verify it is sending you to the correct place. If the link looks suspicious or unrecognizable, find a different way to access the website through a trusted source.

Be skeptical of QR codes in public. If a QR code seems out of place, it is likely malicious.

If you receive an email like the example above, or any email containing QR codes, report it using the Phish Alert Button (PAB) in your Outlook interface. It’s always best to err on the side of caution and report anything that seems remotely suspicious. Our team will analyze all submissions and return them to you if they’re determined to be safe.

Never approve Duo notifications you did not request! If you ever receive any DUO push notifications you did not request, your account credentials have been compromised. In that situation, you should change your WUSTL Key password immediately using the steps on the page linked below.

If you think there is any possibility that you have turned over sensitive information to a scammer or criminal, you should change your WUSTL Key password immediately. If you are unsure if you interacted with this message by visiting the link or entering any information, please change your WUSTL Key password now.

You can change your password by visiting the guide at How do I Change my WUSTL Key Password – Information Technology or by finding the appropriate link in WUSTL ONE (

Stay Informed

Be sure to read our newsletter, SECURED, when you see it in your inbox or by visiting We cover the latest topics, resources, and best practices in information security.

Contact Our Office

If you have questions or concerns about this update, please contact the Office of Information Security by emailing As always, we appreciate your vigilance as we work together to keep WashU secure.