Los Angeles Wildfires Spark Email Scam Involving QR Codes

Generosity is one of the most powerful responses to a crisis. However, it can also become a target for misuse. Following the recent wildfires in Los Angeles, Check Point researchers identified an emerging trend: emails using embedded QR codes to redirect users to fraudulent donation pages. These scams aim to mislead donors into sharing personal details or funds under the guise of helping wildfire victims.

While the intent of these scams is clear—to profit from goodwill—their approach emphasizes the importance of awareness. QR codes, a convenient tool in many aspects of daily life, are increasingly used in online scams, making it crucial to verify the source before acting.

Key Findings from Check Point’s Latest Research:

  • Email-based phishing remains the top attack method, with 88% of all malicious files being delivered via email. QR codes are a growing part of this phishing landscape​.
  • AI-driven phishing scams have a 40% higher success rate, allowing fraudsters to craft more convincing donation requests​.
  • Disaster-related scams are increasingly common, with previous incidents showing a spike in phishing emails mimicking charities and government agencies after natural disasters​.
  • QR codes are a rising tool in phishing schemes, as they appear more legitimate and are harder to detect as malicious compared to traditional phishing links​.

In the last week, dry conditions and hurricane-force winds have fed several extreme wildfires in the Los Angeles area. The fires have caused 24 deaths, the decimation of 12,000 structures and 88,000 evacuations. More than 75,000 households, largely in Los Angeles County, are without electricity.

And now, we are seeing cyber scammers trying to capitalize on the calamity. Check Point researchers have identified roughly 80 recipients of a cyber attack that utilizes the wildfires as a pretense for QR code phishing and credential theft. 

A screenshot of a computer

Description automatically generated

The email-embedded QR code takes users to a credential harvesting page, where people are asked to input credentials. The primary goal of the attackers appears to be the theft of Microsoft account login details.

Other fire-related emails have been identified as donation and charity requests, further highlighting exploitation of the disaster for fraudulent purposes. 

Additionally, our researchers saw emails specifically asking for donations including pictures as seen in the example below.

Why This Scam is Effective and Concerning

  • Emotional Manipulation: Scammers leverage the urgency and emotional weight of a disaster to pressure people into donating quickly, bypassing their usual caution.
  • QR Code Trust Factor: Since QR codes are commonly used for payments and donations, recipients may not suspect them to be malicious.
  • Increased Reliance on Mobile Devices: Many people scan QR codes using their phones, which often lack the same security protections as desktops, making phishing attempts more successful.

Mitigations for Organizations

Develop and maintain an incident response plan that can quickly address and mitigate the impact of phishing attacks. Maintain both digital and paper copies.

Inform employees about how to identify and report suspicious emails. Reinforce the message that scammers can leverage QR codes for deceptive purposes.

Ensure that your organization has an advanced email security solution that can block phishing attempts, including those involving QR codes. Solutions like Check Point’s Harmony Email & Collaboration offer multi-layered protection. The aforementioned QR code attack was completely stopped by the SmartPhish security engine.

Deploy Mobile Device Management solutions to secure the mobile devices used by employees. MDM systems can help control permissions on devices, reducing the risk of QR code phishing-related harms.

Share on