Passwords have been the main target of cyberattacks for years, but attackers’ techniques never stand still. A new, clever and dangerous tactic called Scanception aims to trick the user by transferring the attack from their email… to their mobile phone.
The Scanception campaign combines email phishing with the technique of quishing, or QR code phishing. The victim receives an “innocent” PDF with a QR code and is asked to scan it with their mobile phone to see more information. The result? The attack is transferred from the computer to the smartphone, a device that is usually less protected.
What is Scanception?
The word is derived from the combination of the words “scan” and “inception,” accurately describing what happens: the user initiates something that appears harmless but leads to a second, more dangerous “cycle” of attack.
The original email contains an attached PDF file with a QR code hidden at the end. When the user scans it with their mobile phone, they are directed to a fake login page that looks completely genuine. There, they enter their login details, which are captured by the attacker. In some cases, the page can also install malware on the device.
Why This Tactic Is So Dangerous
The significant risk with Scanception is that it bypasses security systems. Most email security platforms detect and block malicious links within the body of the email. However, when a user scans a QR code and continues from their mobile device, these filters no longer apply.
Browsing moves to a personal, often unprotected device, and the chance of being “trapped” rises sharply, especially when the pages are designed to imitate well-known platforms (banks, cloud services, email providers) down to the last detail.
Furthermore, many of these types of attacks slip under the radar of antivirus and detection platforms, as the files do not contain the malicious link explicitly; instead, they embed it within the QR code.
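The point above is what a mail gateway misses: the PDF carries no explicit URL, only an image. The following triage heuristic, an added example and not a tool from this article, scans an attachment's uncompressed PDF objects for explicit URI actions and embedded images; a PDF with images but no URI is flagged for QR decoding before anyone is allowed to trust it. The two PDF fixtures are constructed inline and are not real samples.

```python
import re

# Regexes over raw PDF object dictionaries. This only inspects uncompressed
# dictionaries; PDFs that pack objects into compressed object streams (PDF 1.5+)
# must be decompressed first. QR decoding itself is a separate step.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def triage_pdf(data: bytes) -> dict:
    """Return explicit URIs, the embedded-image count and a triage verdict."""
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    images = len(IMAGE_RE.findall(data))
    if images and not uris:
        # The Scanception shape: nothing for a URL filter to see, so the only
        # way to the phishing page is through an image that may be a QR code.
        verdict = "review: image-only PDF, decode embedded QR codes"
    elif uris:
        verdict = "scan explicit URIs with the normal URL filter"
    else:
        verdict = "no images or links found"
    return {"uris": uris, "images": images, "verdict": verdict}


# Constructed fixture: one grayscale image XObject, no link annotation.
QR_ONLY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 2 /Height 1 "
    b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 2 >>\n"
    b"stream\n\x00\xff\nendstream\nendobj\n%%EOF\n"
)

# Constructed fixture: a conventional link annotation, no image.
LINKED_PDF = (
    b"%PDF-1.4\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/login) >> >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("qr_only.pdf", QR_ONLY_PDF), ("linked.pdf", LINKED_PDF)):
        print(name, triage_pdf(pdf)["verdict"])
```

Run the heuristic over quarantined attachments and route the "review" verdicts to a step that decodes the image and submits the decoded URL to the same reputation checks applied to explicit links.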
How You Can Protect Yourself
Some simple but essential prevention steps are:
- Do not scan QR codes included in emails or PDF files unless you are sure of the origin.
- Never enter passwords on pages opened via QR. Prefer to type in the official addresses of the services manually.
- Educate your staff (or family) about new phishing techniques, especially those that exploit mobile use.
- Extend security to smartphones, whether they are personal or professional devices.
- Scan QR codes only in secure environments. You can use a dedicated QR scanner app, such as the one from Trend Micro.
What If It Has Already Happened?
If you have scanned a QR code and been asked for information, or if you suspect that your mobile device or computer has been compromised, contact us immediately.
Our team can diagnose the issue, identify potential violations, and guide you on how to minimize the damage.