
Quishing: Understanding and Preventing QR Code Scams

QR codes are older than you think. Originally developed in 1994 to better track automobile parts during the assembly process, QR codes (or Quick Response codes) were designed to store more information than a traditional barcode.

Their convenience and versatility have made them a staple across industries. You see them in everything from restaurant menus to customer check-ins and payment gateways. And while they have made life a whole lot more convenient, they’ve also opened the door to a new kind of cyber threat: Quishing.

A recent study found that over 20% of phishing attacks now involve QR codes. But why should your business be concerned?

Quishing attacks are specifically designed to exploit trust, often in situations where people least expect it. These scams can compromise sensitive information, expose your systems to malware, and damage your brand’s reputation.

Understanding how these attacks work, and how to defend against them, is key to staying one step ahead. This guide will help you understand the growing threat of QR code phishing, explain how these attacks specifically target businesses, and provide you with practical tips to protect your brand while still benefiting from QR technology.


QR Codes and Their Risks

QR codes have become essential tools for many modern businesses, bridging the gap between physical and digital environments. From marketing campaigns to contactless payments, they offer a convenient way to share information and engage customers. But with that convenience comes risk.

What Are QR Codes and How Do They Work?

QR (Quick Response) codes are square-shaped barcodes containing a grid of black and white pixels that store information similar to traditional barcodes but with greater capacity.

When scanned using a smartphone camera or QR reader app, the code is decoded using the three distinct corner squares as alignment points. The remaining grid is then interpreted based on the colour of each square, revealing the embedded information. Once scanned, the code can trigger an action, such as opening a website, launching an app, or initiating a download.

Static vs Dynamic QR Codes

There are two main types of QR codes, each with different uses and security implications:

  • Static QR Codes: These contain fixed information that can’t be changed after the code is created. They’re ideal for simple, unchanging tasks like displaying contact information or menus. Since the data is hardcoded, they’re less prone to tampering.
  • Dynamic QR Codes: These work by linking to a short URL that redirects to content on a web server. The key benefit of dynamic QR codes is that you can update the destination or content without having to reprint the code. However, if the server hosting that URL is compromised, so is your QR code.
 

How Attackers Misuse QR Codes

Unfortunately, the very features that make QR codes so useful (speed, ease of use, and the fact that their contents are invisible until scanned) also make them attractive tools for cybercriminals. Here are some of the most common attack methods:

  • Malicious URLs: QR codes can be used to embed links that, once scanned, download malware or redirect users to fake websites designed to steal data.
  • Quishing (QR Code Phishing): Attackers embed QR codes in emails or messages to bypass text-based security filters. When scanned, these codes lead to phishing sites that trick users into entering sensitive information.
  • Code Tampering: In public spaces, scammers sometimes replace legitimate QR codes with malicious ones, either by pasting over them or subtly altering the design.
  • Attagging: This technique involves cloning an existing, trusted QR code and modifying it to redirect to a fraudulent site that mimics the original, catching users off guard.
 

These tactics are alarmingly effective and difficult to detect if you don’t know what you are looking for. In fact, studies show that a majority of people can’t tell the difference between a safe QR code and a malicious one. And, since mobile devices often lack the robust security protections found on desktops, your team may unknowingly expose sensitive data simply by scanning a compromised code.

How Quishing Works: A Breakdown

Cybercriminals are constantly expanding their toolkit, and quishing (QR code phishing) is one of the latest tactics gaining traction. These attacks are cleverly designed to bypass traditional security measures and prey on user trust.

Email-Based QR Phishing

One of the most common quishing methods involves embedding malicious QR codes in emails or PDF attachments. This creates a major blind spot for traditional email security systems, which are built to scan text and hyperlinks, not images.

Instead of placing a clickable link in the body of the email (which could trigger spam filters), attackers embed a QR code that leads to a malicious site. Increasingly, these codes are also hidden inside PDF attachments rather than the email itself, making them even harder to detect.

The scale of the threat is no small issue. In just three months in 2023, researchers identified over 500,000 phishing emails using QR codes hidden in PDFs. These emails often impersonate major brands to harvest login credentials.

Physical QR Code Placement

Attackers have begun placing fraudulent QR code stickers in public places, disguising them as legitimate tools to trick unsuspecting users. One common tactic is swapping out payment QR codes on parking meters, fuel pumps, or restaurant menus.

Fake Branding and Urgent Language

The power of quishing lies in its psychology. Most attacks use trusted brands like Microsoft, DocuSign, PayPal, or Adobe to establish credibility. Then they apply pressure through carefully crafted messages that tap into fear, curiosity, or urgency. Some of the most common scare tactics include:

  • “Your account will be suspended due to unusual login activity.”
  • “A recent payment failed. Scan now to resolve the issue.”
  • “This offer is only available for the next 15 minutes!”
  • “Legal action will be taken unless you respond immediately.”
 

These urgent prompts encourage people to scan the code quickly, without stopping to verify its legitimacy. Once scanned, the victim is usually led to a realistic-looking but fake login page where their credentials or personal information are harvested.
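The two traits described above, a link-less email whose call to action sits in an image or PDF attachment, and urgency language wrapped in a borrowed brand name, can be turned into a simple mail-flow triage rule. The following is an added example written for this article, not code from the original post or from any vendor product: it builds a constructed sample message with Python's standard `email` library and scores it on those traits. The phrase lists, the brand list, the weights and the threshold are illustrative assumptions to be tuned against your own mail.

```python
"""Heuristic triage for QR-code phishing (quishing) emails.

Added example (not from the original article). Scores an EmailMessage on:
  * an image or PDF attachment that could carry a QR code,
  * no clickable link in the body (the call to action is only in the attachment),
  * urgency / pressure phrases,
  * a brand named in the display name that does not match the sender domain.
All keyword lists, weights and the threshold are assumptions for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

URGENCY_PHRASES = (
    "account will be suspended", "unusual login activity", "payment failed",
    "scan now", "next 15 minutes", "legal action", "respond immediately",
)
IMPERSONATED_BRANDS = ("microsoft", "docusign", "paypal", "adobe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 5  # assumption: tune against your own mail flow


def score_message(msg):
    """Return (score, reasons) for an EmailMessage; higher is more suspicious."""
    score, reasons = 0, []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    subject = (msg["Subject"] or "").lower()

    # Trait 1: image or PDF parts anywhere in the MIME tree (inline or attached)
    carriers = [p.get_content_type() for p in msg.walk()
                if p.get_content_type().startswith("image/")
                or p.get_content_type() == "application/pdf"]
    if carriers:
        score += 2
        reasons.append("image/PDF part that could carry a QR code: " + ", ".join(carriers))
        # Trait 2: no link in the body, so text/link filters have nothing to inspect
        if not URL_RE.search(text):
            score += 2
            reasons.append("no clickable link in the body; the call to action is only in the attachment")

    # Trait 3: pressure language, capped so one long rant cannot dominate the score
    hits = [p for p in URGENCY_PHRASES if p in text or p in subject]
    if hits:
        score += min(len(hits), 3)
        reasons.append("urgency/pressure language: " + "; ".join(hits))

    # Trait 4: brand in the display name that the sending domain does not back up
    display_name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in display_name.lower() and brand not in sender_domain:
            score += 2
            reasons.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")
            break
    return score, reasons


def build_quishing_sample():
    """Constructed sample mimicking the pattern the article describes."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Account Team <security@example.invalid>"  # constructed
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Action required: unusual login activity"
    msg.set_content(
        "Your account will be suspended due to unusual login activity.\n"
        "Scan the QR code below with your phone to verify your identity now.\n"
    )
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder bytes, not a real QR image
    msg.add_attachment(fake_png, maintype="image", subtype="png", filename="verify.png")
    return msg


def build_benign_sample():
    """Constructed ordinary business mail: a link in the body, no image or PDF."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane@example.invalid>"  # constructed
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Q3 invoice attached"
    msg.set_content("Hi, the Q3 invoice is on the portal: https://portal.example.invalid/invoices\n")
    return msg


if __name__ == "__main__":
    for sample in (build_quishing_sample(), build_benign_sample()):
        score, reasons = score_message(sample)
        verdict = "SUSPICIOUS" if score >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"{sample['Subject']!r}: score={score} -> {verdict}")
        for r in reasons:
            print("   -", r)
```

A rule like this is a first-pass filter, not a verdict: it flags messages for a human or for a QR-decoding step, and the constructed quishing sample scores 8 while the plain invoice mail scores 0.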

Why Businesses Are Prime Targets for Quishing

For many organisations, the use of QR codes has become embedded in everyday business operations. The convenience that makes QR codes so appealing for customers and employees alike is the very trait that introduces hidden vulnerabilities.

  • Credential theft and data breaches: Malicious QR codes often redirect users to phishing sites designed to steal login credentials. Once compromised, attackers can access sensitive systems, leading to data breaches and loss of confidential business information.
  • Fraud and ransomware: Some QR code scams trigger downloads of malicious software that enable fraud, financial theft, or even ransomware attacks that can lock your systems until a payment is made.
  • Reputation damage and compliance risks: If customers or employees fall victim to a QR code attack linked to your business, the fallout can include a damaged reputation, loss of trust, and potential non-compliance with privacy regulations.
 

Employee Behaviour and Security Blind Spots

If the use of QR codes is common in day-to-day business, your employees may scan QR codes without a second thought. And that’s exactly the problem. Whether it’s a code on a flyer, an email attachment, or a delivery package, attackers rely on this blind trust to trick employees into opening doors to your systems.

Hybrid Work Environments and BYOD Vulnerabilities

With the rise of hybrid work, the attack surface has expanded far beyond the office.

  • Over 50% of businesses allow personal devices at work
  • 70% of employees use personal devices for work-related tasks
  • Most personal smartphones lack enterprise-level security controls
 

This Bring Your Own Device (BYOD) culture means employees are often scanning QR codes outside the reach of your IT department. If malware is installed or credentials are phished via a QR code on a personal device, the employee and your business may never know until it’s too late.

Supply Chain Risks and Vendor Impersonation

Cybercriminals increasingly use vendor impersonation and supply chain attacks to infiltrate business networks. Attackers create emails that appear to come from trusted partners or service providers, embedding QR codes that link to fraudulent portals. Even third-party QR code generator platforms pose a risk if not properly vetted, opening up potential backdoors into your systems.

Cybercriminals commonly pose as HR departments, sending QR codes supposedly linking to benefits or payment documents. This gives attackers a seemingly legitimate reason to request sensitive actions, such as logging into employee portals or submitting personal information. 

Once scanned, these malicious codes often redirect users to spoofed login pages designed to harvest credentials or deploy malware. In some cases, a single compromised account can provide lateral access across systems, allowing attackers to escalate privileges, steal data, or deploy ransomware across your network.

Customer-Facing QR Code Risks

Quishing isn’t just an internal risk. From digital menus and self-check-in kiosks to scan-to-pay systems, QR codes have transformed the customer experience. If an attacker tampers with or replaces one of your QR codes in the wild, customers may be redirected to phishing sites, infected with malware, or duped into sharing personal or payment information, all under the impression they’re interacting with your brand. This can result in more than just financial loss; it can erode customer trust, too.

Warning Signs and Red Flags: Spotting a Quishing Attempt

As QR code phishing (quishing) becomes more sophisticated by the day, knowing how to spot the warning signs is essential to protect your business from potential risks and breaches:

Visual Indicators of Tampered or Malicious QR Codes

Many quishing attacks begin with a subtle physical change. Cybercriminals often place fake QR code stickers over legitimate ones, especially in high-traffic areas. Before scanning an unknown code, look out for:

  • QR codes that seem misaligned, smudged, or poorly printed
  • Spelling mistakes or strange grammar in the accompanying text
  • QR codes placed in odd or unexpected locations
  • Lack of explanation about what the QR code does
 

If something feels off, it probably is.

Behaviour After Scanning a QR Code

Some advanced attacks go further and exploit weaknesses in the mobile browser itself. Because the QR code reaches your device as an image, the URL it carries passes straight through security layers that only inspect text and links; once scanned, that URL opens on the device, where a malicious page can attempt to exploit the browser or push a download.

This means that even if you’re using browser isolation or security software, simply scanning a malicious QR code can trigger an action. So, what happens immediately after scanning can also be a red flag. Be alert for:

  • Automatic file downloads: avoid installing any files prompted by a scan
  • CAPTCHA pages (e.g. Cloudflare): These may be used to evade security tools
  • Slow or multiple redirects before reaching the final page
  • Landing pages that mimic legitimate websites but have minor visual or URL differences
  • Unexpected requests for passwords, bank info, or login credentials
  • Messages claiming the first login attempt failed and requesting a second try
  • Forms asking for more personal information than seems necessary
 

Even if a page looks familiar, double-check the URL and don’t enter sensitive information without verifying authenticity.

Tips to Prevent Quishing in Your Business

Fortunately, QR code security doesn’t have to be complex. With the right mix of awareness, technology, and layered defences, your business can continue to benefit from QR codes, without leaving the door open to cybercriminals.

Start with Awareness and Education

Your employees are the first line of defence against any cybersecurity threat, including quishing attacks. Since many users struggle to differentiate between legitimate and malicious QR codes, educating and raising awareness within your team is crucial. Empowering your staff with the knowledge to recognise threats before they act can dramatically reduce the risk of falling victim to a quishing attempt.

  • Think Twice Before Scanning: Encourage your team to pause and assess QR codes before scanning them. It is important to reinforce the idea that not all QR codes are safe, and scanning an unfamiliar one can lead to serious consequences. The golden rule? If it feels suspicious, it probably is.
  • Recognise Urgency and Pressure Tactics: The reason many phishing attacks work is because they create a sense of panic or urgency that pushes people to act quickly without thinking. Legitimate businesses rarely demand immediate action or personal information through QR codes. If you are unsure, an email or phone call to the company can verify any important requests.
  • Examine QR Codes: Physical manipulation is one of the most common ways cybercriminals can trick people into scanning malicious QR codes. Does the code appear crooked or poorly printed? Are there signs that a code has been added over another? Is the code in an unusual or unexpected location? If a QR code appears out of place or suspicious, avoid scanning it and report it.
  • Promote Healthy Scepticism: Sometimes, the best defence against a quishing attempt is simply trusting your instincts. It is always better to be safe than sorry. Encourage a culture where employees aren’t afraid to question the legitimacy of a QR code, especially if they weren’t expecting it.
  • Create a Culture of Caution and Vigilance: By fostering a culture of caution, where security awareness is embedded into everyday practices, you can reduce the risk of employees unknowingly becoming targets.
 

Never Share Sensitive Information via QR Codes

Legitimate businesses rarely request login credentials, banking details, or personal data through QR code links. Be wary of sites that ask for this kind of information after scanning. To add an extra layer of protection, implement multi-factor authentication on every account, so even if a password is phished, attackers still can’t access your systems.

Hover, Preview, and Verify QR Links

Before scanning any QR code, take a moment to preview where it’s actually taking you. Many modern mobile security apps and QR scanners now include features that let you see the destination URL before it opens. Use them. Be especially cautious if you notice:

  • Misspelled domain names that look almost, but not quite, like a legitimate website
  • Suspicious or shortened links (like bit.ly or tinyurl) that obscure the real destination
  • QR codes sent after hours or with no explanation or context
 

When in doubt, type the website address manually into your browser or reach out to the source directly to confirm it’s legitimate. A few extra seconds can protect you and your business from a serious security breach.
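The checks in the list above (look-alike domains, shorteners, a trusted name buried in someone else’s domain) can be automated once a scanner has decoded the QR code into a URL string. The example below is added here and is not code from the original article; it assumes the decoding itself is done elsewhere (a QR reader library such as pyzbar, or a scanner app that exposes the URL) and only inspects the resulting string. `TRUSTED_DOMAIN` and the shortener list are assumptions you would replace with your own domains and threat intelligence, and the sample payloads are constructed.

```python
"""Triage of a URL decoded from a QR code, before anyone opens it.

Added example (not from the original article). Flags the red flags the
article lists and returns a verdict of allow / review / block. The
trusted domain and the shortener list are assumptions for illustration;
`registrable()` is a crude two-label approximation, real code would use
the public suffix list.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example.com"  # assumption: your organisation's real domain
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def levenshtein(a, b):
    """Edit distance, used to spot near-miss spellings of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host (crude stand-in for the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url):
    """Return (verdict, findings) for a URL string decoded from a QR code."""
    findings = []
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if not host:
        return "block", ["no host in URL (non-web payload such as mailto:, tel: or an app link)"]
    if scheme == "http":
        findings.append("plain http, page content can be altered in transit")
    elif scheme != "https":
        findings.append(f"non-web scheme {scheme!r}, may launch an app or a download")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a domain")
    except ValueError:
        pass
    if parts.username or parts.password:
        findings.append("credentials before '@', the real host is what follows it")
    if host in KNOWN_SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, check for look-alike characters")

    reg = registrable(host)
    trusted = reg == TRUSTED_DOMAIN
    if not trusted:
        if host.startswith(TRUSTED_DOMAIN + "."):
            findings.append(f"{TRUSTED_DOMAIN!r} appears as a subdomain of {reg!r}")
        elif 0 < levenshtein(reg, TRUSTED_DOMAIN) <= 2:
            findings.append(f"{reg!r} is a near-miss of trusted domain {TRUSTED_DOMAIN!r}")

    if trusted and not findings:
        return "allow", findings
    if not trusted and findings:
        return "block", findings
    return "review", findings  # unknown but clean, or trusted with a minor finding


# Constructed sample payloads, as a scanner might decode them
SAMPLE_PAYLOADS = [
    "https://portal.example.com/login",
    "https://bit.ly/3abc",
    "https://examp1e.com/verify",
    "https://example.com.secure-login.net/auth",
    "http://192.0.2.10/update.apk",
    "https://unknown-vendor.net/invoice",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict, findings = triage_url(payload)
        print(f"{verdict:6} {payload}")
        for f in findings:
            print("         -", f)
```

Note that an unknown but otherwise clean domain lands in `review` rather than `allow`: the point of the article's advice is that a QR code you did not expect deserves a second look even when nothing in the URL is obviously wrong.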

Email Protection: Your First Line of Defence

Most quishing attempts for businesses start with a malicious email. Keep your email security filters and blocklists updated. Use advanced platforms like Microsoft Defender for Office 365, which can extract and scan embedded QR codes before they reach your team. For added protection, configure email authentication protocols like:

  • SPF (Sender Policy Framework): An email authentication method that lets domain owners specify which mail servers are allowed to send emails on their behalf. This helps prevent spoofing by verifying the sender’s IP address.
  • DKIM (DomainKeys Identified Mail): This adds a digital signature to the email header to confirm the message hasn’t been altered during transit and that it truly comes from the claimed domain. It ensures the integrity and authenticity of the message.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds on SPF and DKIM by allowing domain owners to publish policies on how unauthenticated emails should be handled (e.g., reject or quarantine). DMARC also provides reporting, giving visibility into potential spoofing attempts and domain misuse.
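Whether these protocols actually protect you depends on how the records are written: an SPF record ending in `?all` or a DMARC policy of `p=none` is published but enforces nothing. The checker below is an added example written for this article, not code from the original post or from any DNS or mail product. It works on SPF and DMARC TXT record strings you have already fetched (for instance from a `dig TXT` query) and does no DNS lookups itself; DKIM is left out because validating it needs the selector’s public key, not just a record string. The weak and corrected records are constructed.

```python
"""Policy-strength check for SPF and DMARC TXT records.

Added example (not from the original article). Takes record strings as
already fetched from DNS and reports settings that leave spoofing possible.
No network access; DKIM is out of scope because it needs the selector key.
"""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms


def assess_spf(record):
    """Return a list of issues with an SPF record string; empty means strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all authorises every sender on the internet")
    elif last == "?all":
        issues.append("?all is neutral; receivers treat it as no policy")
    elif last == "~all":
        issues.append("~all soft-fails; works with DMARC, but -all is stricter")
    elif last != "-all":
        issues.append("no terminating 'all' mechanism, unlisted senders are not rejected")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"))[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of {SPF_LOOKUP_LIMIT}; "
                      "receivers will return permerror")
    return issues


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of issues with a DMARC record string; empty means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing p= tag, the record is invalid and ignored")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}, the policy is applied to only part of the mail")
    return issues


# Constructed records: the weak setting beside its corrected form
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
FIXED_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("SPF (weak)", WEAK_SPF, assess_spf),
                                 ("SPF (fixed)", FIXED_SPF, assess_spf),
                                 ("DMARC (weak)", WEAK_DMARC, assess_dmarc),
                                 ("DMARC (fixed)", FIXED_DMARC, assess_dmarc)):
        print(f"{label}: {record}")
        for issue in check(record) or ["ok"]:
            print("   -", issue)
```

Moving from `p=none` to `p=reject` is normally done in stages while you watch the aggregate reports, which is why the checker treats a missing `rua=` as an issue in its own right: without reports you cannot see what the stricter policy would have blocked.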
 

Build a Multi-Layered Security Strategy

No single tool can stop quishing (or other security risks) on its own. A layered approach gives you better visibility and control. Your security stack should include:

  • Endpoint Detection & Response (EDR): Monitors devices in real-time, detects unusual behaviour, and isolates compromised endpoints automatically.
  • Mobile Device Management (MDM): With employees often scanning on personal phones, MDM ensures consistent security policies, detects risky apps, and can isolate infected devices fast.
  • Advanced Anti-Phishing Tools: AI-powered detection systems scan QR codes in attachments, run embedded links in sandboxes, and check URL reputations before exposure to end users.
 

Stay Proactive with Regular Backups

If a quishing attack slips through, regular backups will keep you one step ahead. Back up your business-critical data frequently and ensure backups are stored offline when not in use. This protects you from ransomware and other forms of data loss.

Is Your Business Prepared?

Cyberthreats and scams are evolving faster than ever, and QR code scams are a prime example of how criminals exploit convenience, human behaviour, and overlooked security blind spots. Thus, your defence and security strategy must match these sophisticated attacks in both depth and breadth.

But let’s face it: as a busy business owner, staying on top of every emerging threat isn’t always possible. That’s where we come in.

At CRT Network Solutions, we make cybersecurity simple and effective. Our managed IT security services provide 24/7 monitoring, proactive maintenance, and expert support to detect and prevent issues before they disrupt your operations, compromise sensitive data, or impact your bottom line.

Don’t wait for a breach to find out where your vulnerabilities are. Contact us today to learn how our tailored security solutions can help keep your business safe, productive, and one step ahead.
