In our digital lives, convenience often trumps caution. Case in point: QR codes. These pixelated squares have become ubiquitous—on restaurant tables, product packaging, event posters, and even parking meters. Just point your smartphone camera, click a link, and you’re instantly connected to whatever information awaits.

But there’s a dark side to this convenience that cybercriminals are exploiting with alarming success.

The Troubling Rise of “Quishing”

QR code phishing—“quishing” as security experts now call it—has exploded in the past year. According to a recent report from Cloudflare, QR code-based phishing attacks increased by over 50% in the first quarter of 2025 compared to the same period last year.

Why the sudden surge? The answer lies in human psychology and pandemic-accelerated behaviors.

During the COVID-19 pandemic, QR codes transformed from novelty to necessity. We grew accustomed to scanning them for menus, check-ins, and contactless payments. That behavioral conditioning never fully reversed, and cybercriminals have noticed our collective drop in vigilance.

“QR codes create a perfect storm for attackers,” writes security researcher Brian Krebs. “They’re visually unreadable to humans, they trigger immediate action, and they successfully bridge the physical and digital worlds in a way that bypasses many traditional security checks.”

How QR Code Phishing Works

The most common quishing tactics I’ve researched for my upcoming book include:

  1. Physical replacement scams: Criminals place fraudulent QR code stickers over legitimate ones on parking meters, restaurant tables, or other public locations. When scanned, these codes redirect to convincing payment portals that steal credit card information.
  2. Malicious email QR codes: Instead of suspicious links that might trigger email security filters, attackers embed QR codes in emails, claiming they lead to invoices, delivery tracking, or account verification pages.
  3. Promotional deception: Fake promotional materials (digital or physical) promise discounts, free products, or contest entries via QR code, but actually lead to credential harvesting sites or malware downloads.

What makes these attacks particularly effective is that many mobile browsers don’t display the complete URL before loading the page, and most people wouldn’t recognize a suspicious URL even if they saw it.

Real-World Quishing Examples

Recently, residents in Seattle found parking meters plastered with fraudulent QR codes claiming to offer a “convenient payment option.” The codes actually led to a convincing payment site that stole credit card details and personal information from dozens of unsuspecting drivers before authorities caught on.

In another recent case, a national restaurant chain discovered that scammers had replaced legitimate table QR codes with fraudulent ones in several locations, redirecting diners to “special discount” pages that harvested payment information.

Protecting Yourself from QR Code Scams

Having spent months researching these techniques for my cybersecurity book, I can offer these practical safeguards:

  1. Verify before scanning: Question whether the QR code makes contextual sense. A parking meter that normally takes payment through a phone app and suddenly offers QR payment should raise suspicions. Look for signs of tampering: stickers placed over existing codes or poorly printed materials.
  2. Check URLs before clicking through: Most phone cameras now show the link destination before automatically opening it. Take a moment to examine this URL. Does it match the expected organization? Is it unusually long, or does it contain strange characters?
  3. Use direct sources when possible: If a restaurant offers a QR code menu, check if you can also find their menu directly through their website or via trusted restaurant apps such as OpenTable and Resy.
  4. Consider a QR scanner app with security features: Several security companies offer QR scanning apps that check for malicious links before opening them—an extra layer of protection worth considering.

Examples include:

    • Trend Micro QR Scanner
    • Kaspersky QR Scanner
      • Important Note: As of March 2025, Kaspersky antivirus software is prohibited in the United States. The U.S. Department of Commerce banned the sale of Kaspersky’s cybersecurity and antivirus products, citing national security concerns due to the company’s Russian origins. This ban took effect on July 20, 2024, and also prohibited providing updates to existing software after September 29, 2024.
    • Privacy Friendly QR Scanner
    • ReveaQR
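
The URL questions in step 2 above (expected organization, unusual length, strange characters) can also be checked automatically once a QR code has been decoded to text. The sketch below is an added example, not code from any of the apps listed; the expected domain, the length threshold, and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed assumptions: the domain this meter's operator really uses,
# and a cut-off for what counts as "unusually long".
EXPECTED_DOMAINS = {"parking.example.gov"}
MAX_URL_LENGTH = 100

def host_matches(host, expected):
    """True if host is an expected domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)

def review_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return warning labels for a decoded QR payload; empty list = no flags."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        # Text before '@' is not the site; it can be used to imitate a brand.
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")  # possible look-alike
    if not host_matches(host, expected):
        warnings.append("unexpected-domain")
    if len(payload) > MAX_URL_LENGTH:
        warnings.append("unusually-long")
    return warnings

if __name__ == "__main__":
    samples = [  # constructed payloads, not taken from any real incident
        "https://parking.example.gov/pay?meter=1042",
        "http://parking.example.gov.pay-meter.example/pay",
        "https://parking.example.gov@203.0.113.7/pay",
    ]
    for url in samples:
        print(url, "->", review_qr_url(url) or "no flags")
```

The second sample shows why the match is made on the end of the host name: the genuine domain appears at the start of the address, but the site actually reached is the one named at the end.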

The most important defense? Breaking the automatic scan-and-click habit we’ve developed. A moment of verification before scanning can save hours of dealing with fraud or identity theft later.

In Summary

As I work through the chapter on emerging threats for my book, QR code phishing stands out because it so effectively bridges our physical and digital worlds. The convenience these codes offer isn’t disappearing, so our awareness must increase instead.

The next time you encounter a QR code in the wild, pause. Ask yourself: Do I know where this will lead me? Is there another way to access this information? That momentary hesitation might be your best protection against this growing threat.

What’s your experience with QR codes? Do you scan them without thinking, or do you have a verification process? Share your thoughts or questions in the comments below.

What’s Next

Adventures of a Sage is currently exploring personal cybersecurity topics to help everyday users protect their digital lives. Follow along as I share insights from my journey writing a comprehensive book about this topic.
