
You can protect yourself with a bit of equally old advice.

At this time of year, an email about your annual benefits or bonus may not seem unusual. So you open the attached Word document, only for the app to report that the file is corrupted but can be recovered. If you choose to recover the content, let alone scan the QR code that appears, boom—you’ve fallen prey to a phishing attack.

As reported by BleepingComputer, users tricked by this scheme are routed to a fake Microsoft login page that steals credential info if it’s entered. And because the sketchy content isn’t immediately scannable within the document, this ploy can evade antivirus software. The phishing attack may not be anything new, but this method of deployment is.

Fortunately, the primary solution to protect yourself is the same as ever—be wary about opening email attachments. Don’t open files sent by unknown or unexpected senders and even consider if a trusted contact has real cause to pass them along.

You can take other steps for safety, too, like being cautious of links in messages unless you requested the email. You’re better off opening a browser tab, navigating to the official website for the service, and then entering your credentials.

Image: An example of a corrupted Word doc attachment, via BleepingComputer.com

Switching to passkeys as your way of logging into your account also reduces the risk of falling for a phishing scheme. Unlike passwords, passkeys are tied to the device they were created on (or service, if you save them to a password manager). The authentication process involves communication between the device and the website, so if someone tries to use a direct copy of a passkey, the attempt will fail.
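
The following added example (not part of the original article) shows the checks a website runs on a passkey sign-in response, which is why a response produced on a look-alike login page, or one recorded and replayed later, is rejected. The domain names and the `check_assertion` and `sample_response` helpers are assumptions made for illustration; verifying the signature over this data with the account's stored public key is assumed to follow as a separate step.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party values, constructed for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return "ok" or the reason a passkey sign-in response is rejected."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong response type"
    # The challenge is random and single-use, so a recorded response cannot be replayed.
    sent = str(client.get("challenge", "")).encode("utf-8", "replace")
    if not hmac.compare_digest(sent, b64url(issued_challenge).encode()):
        return "challenge mismatch"
    # The browser, not the page, fills in the origin, so a fake login page cannot lie about it.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # Authenticator data: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"

def sample_response(origin, rp_id, challenge):
    """Constructed sample: what a browser visiting `origin` would send back."""
    client = json.dumps({"type": "webauthn.get", "origin": origin, "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; a real site generates fresh random bytes per login
    print(check_assertion(*sample_response(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    fake = "https://login.example-secure.test"  # constructed look-alike origin
    print(check_assertion(*sample_response(fake, "login.example-secure.test", challenge), challenge))
```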