Home - Article

Featured Article

July 28, 2025

QR Code Scams Surge as 'Quishing' Becomes a Mainstream Cyber Threat


Key Takeaways:

  • QR code phishing, or “quishing,” is a rising threat that exploits consumer trust in QR codes for malicious purposes.
  • Fake QR codes are increasingly placed in public places, unsolicited packages, and phishing emails to harvest personal information or distribute malware.
  • Regulatory bodies like the FTC and USPS are issuing alerts, and enterprises are evaluating new security protocols to mitigate risk.
  • Experts warn that widespread QR adoption, minimal user awareness, and poor device-level protection make quishing particularly dangerous.
  • The surge in quishing incidents has led to new research and corporate security initiatives focused on mobile-first cyber hygiene.

The Rapid Rise of Quishing

QR codes have become deeply embedded in daily life—used at restaurants, bus stops, in advertisements, and for logging into apps or verifying information. But with convenience has come a new type of digital threat: quishing, a portmanteau of "QR code" and "phishing," which is now being flagged as one of the fastest-growing attack vectors in cybersecurity.

The threat is simple but effective: a malicious actor generates a QR code that, when scanned, redirects the victim to a spoofed website or downloads malware onto the device. These fake QR codes are placed in high-traffic areas like parking meters, restaurants, event flyers, or even mailed directly to consumers in what is known as a “brushing scam.” Once scanned, the QR code may prompt the user to enter login credentials, payment information, or inadvertently download spyware.

According to KeepNet Labs, malicious QR codes now account for 26% of all reported phishing attacks involving URL redirects—up from 20% the previous year. This steady climb has drawn the attention of regulators and security professionals alike.

From Trendy to Treacherous: How Quishing Works

Quishing attacks don’t need sophisticated delivery methods. In one common approach, scammers send unsolicited packages, sometimes disguised as product giveaways or delivery confirmation notices, that include QR codes labeled with vague instructions such as “Scan to confirm” or “Track your item.” These links often take users to pages that appear legitimate—Amazon, USPS, or credit card portals—but are designed to collect data or install malware.

Another variation involves tampered public QR codes. At a public parking kiosk in Austin, Texas, dozens of drivers were duped into paying for parking via a QR code that directed them to a fraudulent payment portal. The attackers simply pasted a sticker with their QR code over the real one.

Emails and text messages are another popular delivery method. A message may impersonate a bank or delivery service and prompt the user to scan a QR code to secure their account or retrieve a package. These campaigns are frequently designed to trigger a sense of urgency, a hallmark of successful phishing attempts.

“The emotional play here is the same as traditional phishing—urgency, fear, or reward,” said Dustin Brewer, a cybersecurity expert at BlueVoyant. “But what makes quishing particularly dangerous is the assumption that QR codes are safe. People just don’t think of them as threats.”

Lack of Safeguards Makes QR Codes Ideal for Hackers

Unlike links in emails, which are often scanned by email security filters, QR codes frequently bypass corporate cybersecurity tools. Since the interaction happens on a user’s smartphone—which may not be protected by the same endpoint detection systems as their work computer—malware can quietly take root without triggering alarms.

The lack of transparency compounds the issue. When a QR code is scanned, the URL is typically not previewed clearly before the user is prompted to take action. Unlike an email, where one can hover over a hyperlink to reveal a suspicious address, mobile operating systems often obscure the true destination until it’s too late.

Recent research from Netcraft showed that 1 in 3 users in a controlled test engaged with a malicious QR code in a simulated environment. And that’s in a test scenario—real-world effectiveness is often higher due to distractions or assumptions of trust.

“There is no innate verification layer for QR codes,” said Gaurav Kumar, CTO of cloud security firm RedMarlin. “Unless you’re using a QR code scanner app with security features—which most people aren’t—you’re essentially clicking blind.”

Authorities Issue Consumer Alerts

In response to growing incidents, both the Federal Trade Commission (FTC) and the United States Postal Inspection Service (USPIS) have issued alerts advising consumers not to scan unsolicited QR codes. The FTC emphasized that QR codes in unexpected messages, packages, or signs should be treated with the same skepticism as suspicious links in email.

“Don’t scan a code just because it looks official,” the FTC warned in a consumer alert earlier this year. “Scammers are counting on people to trust what they see without verifying where it leads.”

Similarly, the USPIS cautioned that scammers are increasingly using postal scams that contain QR codes with vague tracking information or sweepstakes claims. In one incident, a consumer received a QR code in the mail that, when scanned, installed spyware mimicking a legitimate delivery tracker.

Enterprise Impact and Response

As more organizations rely on mobile-first interactions with customers—QR-based payments, loyalty programs, and authentication—the need to secure these interactions has become urgent.

Enterprises are beginning to incorporate QR code vetting into their cybersecurity protocols. Some are adopting tools that verify the destination of QR links before loading them, while others are educating employees and consumers on how to spot signs of quishing.

In the healthcare industry, where QR codes are increasingly used for patient check-ins and prescription tracking, security guidelines are now being revised to include QR-specific risk assessments.

The financial sector, too, is under pressure. Banks are now warning customers that QR codes used in marketing campaigns or mobile apps should be verified via official channels. “We’re telling our customers: if you didn’t ask for it, don’t scan it,” said a spokesperson from a major U.S. bank.

Preventive Measures for Individuals

Experts recommend a few simple practices to reduce the risk of falling victim to a quishing attack:

  1. Preview the link: Many phone cameras or QR scanning apps now allow users to preview the destination URL. Take a moment to verify the domain before clicking.
  2. Avoid scanning unsolicited codes: If you receive a QR code in a message or package you weren’t expecting, treat it with caution.
  3. Use QR code scanning apps with security features: These apps often flag or block links that lead to suspicious or known malicious websites.
  4. Don’t download apps or enter credentials through a QR link: Instead, go directly to the app store or official website.

A Mobile Threat That’s Here to Stay

Quishing is not a passing fad—it’s a reflection of broader trends in cybercrime. As mobile usage continues to outpace desktop, attackers are shifting their focus accordingly. The simplicity, scalability, and effectiveness of QR-based attacks make them especially appealing.

“There’s a false sense of security when it comes to QR codes,” said Brewer. “They’ve been marketed as helpful, fast, and touchless—which they are. But in the wrong hands, they’re also a powerful entry point for bad actors.”

Cybersecurity researchers and regulators agree that the best defense is awareness. With QR code usage unlikely to decline, the challenge will be to increase education and implement layered protections—before attackers gain an even stronger foothold in this growing threat vector.




SHARE THIS ARTICLE
Apex Technology Services
Choose from comprehensive, affordable solutions for IT consulting, network services and computer help desk support in Fairfield county including Norwalk, Darien, Stamford, Greenwich, Ridgefield and Bridgeport. Also Westchester county including Rye, New Rochelle, White Plains, Yonkers and New York including Manhattan and the five boroughs.
IT SERVICES

IT SERVICES

Apex Technology Services is a cutting edge MSP offering quality IT support to financial, medical, legal, Fortune 500 and government agencies while adhering to the highest of quality...

LEARN MORE
CYBERSECURITY Services

CYBERSECURITY

Apex Technology Services has the cybersecurity expertise to help your business in a world filled with attackers looking to shut down your business hold it ransom or steal your valuable...

LEARN MORE
CLOUD SERVICES

CLOUD SERVICES

Apex Technology Services delivers a combination of traditional IT functions such as infrastructure as a service (IaaS), applications, software, security, monitoring, storage...

LEARN MORE

Ranked Top 10 Network security Solution Provider

One Stop Shop For All Your Technology Needs


Contact us Now!