Palo Alto Networks breaks five myths during Cybersecurity Month

As is customary, the European Union Agency for Cybersecurity promotes European Cybersecurity Month. This is a pan-European campaign aimed at raising awareness among citizens and businesses about the most common digital risks. This initiative has become the main annual event dedicated to awareness, highlighting online fraud as well as new social engineering tactics.

To mark the occasion, Palo Alto Networks has set out to debunk five of the most dangerous myths circulating about digital security. These myths leave individuals and organizations exposed to increasingly sophisticated attacks.

1. “Visiting a suspicious site is harmless if I don’t enter data or click on it”

The reality is that, in most cases, simply loading the page is enough for an attacker to obtain all the information within seconds. Cybercriminals use drive-by downloads, fingerprinting, and exploitation of zero-day vulnerabilities or browser flaws through malicious JavaScript to execute code or escape the computer’s desktop. In this sense, even if you close the tab, the download or tracking might already have started.

2. “A QR code in a public place is trustworthy”

QR code phishing is on the rise, abusing legitimate redirects, anti-bot tools, and domains that imitate real services. In Spain, earlier this year, posters were placed in downtown Madrid with a QR code for uploading photos, accompanied by the bait message “David, you fooled me” to attract passersby. Attackers hide the destination behind chains of redirects on legitimate sites and often manipulate QR codes in public spaces, parking meters, or signage, leading users to fake payment or login domains. Additionally, on mobile phones, camera previews show little context, making deception easier.

3. “I can detect phishing by the logo or design”

Nowadays, attackers use very similar domains and chains of redirects that start at known services, passing through large platforms' redirects, but end on a perfect clone of the restaurant where you made a reservation, your usual parking lot, or your employer’s portal. A study by Unit 42, Palo Alto Networks’ threat intelligence team, warns that some actors incorporate Cloudflare Turnstile or other human verification methods to evade trackers and direct only real users to the final credential-stealing page.

4. “If something feels off, I’ll close it and that’s it”

In reality, by the time you decide to close the page, technical damage or tracking may already have been triggered. In the first few seconds, the page could have triggered information downloads or malware installations, collected data like IP or location, and executed arbitrary code. Additionally, many phishing kits redirect to legitimate logins or 404 errors when they detect automation, hiding their infrastructure from security systems and complicating later forensic analysis.

5. “The risk is the same on my personal mobile as on the company device”

The truth is, personal mobiles often lack EDR, advanced DNS/URL filtering, patch management policies, and containerization. Moreover, personal devices are used far more for everyday activities such as scanning menus, making payments, posting reviews, or booking reservations, which makes them a more exposed attack vector for cybercriminals. A study by Unit 42, based on telemetry data, showed that phishing attacks are widespread in the US and Spain, affecting industries including healthcare, education, energy, and finance. Therefore, phishing via QR codes, SMS, or shortened links is a primary vector for cyberattacks outside corporate networks.

How to Protect Yourself Against These Risks

To reduce exposure to these everyday threats, Palo Alto Networks recommends following basic digital security guidelines:

  • Keep browsers and operating systems always up to date with all security patches.
  • Avoid scanning QR codes or opening unknown links; when possible, search for the service first using a search engine.
  • Carefully examine URLs for similar or forged domains and misleading subdomains, verifying them with OSINT sources like VirusTotal or the PANW Test a Site tool.
  • Remember that closing the tab does not undo silent downloads or stop fingerprinting processes initiated when loading the page.
  • Never enter credentials or personal data after clicking a link received via SMS, email, or QR code.
  • Use advanced security solutions (EDR, DNS/URL filtering, or trusted antivirus) on both corporate and personal devices.
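
The URL check recommended in the list above (similar or forged domains and misleading subdomains) can be partly automated. The following Python sketch is an added example, not Palo Alto Networks code; the allowlist, the function names and the "last two labels" rule for the registrable domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; list the services you actually use.
TRUSTED = {"paloaltonetworks.com", "example-bank.com"}

def registrable(host):
    # Assumption: the registrable domain is the last two labels. Real code
    # should consult the Public Suffix List (suffixes such as co.uk).
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no-host"]
    findings = []
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    reg = registrable(host)
    if reg in trusted:
        return findings
    sub = host[: -len(reg)].rstrip(".")  # everything left of the registrable domain
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if brand in sub:
            # Trusted name appears only as a subdomain of someone else's domain.
            findings.append(f"misleading-subdomain:{t}")
        elif edit_distance(reg, t) <= 2:
            # Registrable domain is one or two edits away from a trusted one.
            findings.append(f"lookalike:{t}")
    return findings
```

A non-empty result is a reason to stop and verify the link through a reputation service such as the ones named in the list; an empty result is not proof that a site is safe.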