The widespread adoption of QR codes has created a new attack vector for cybercriminals. As QR codes have become ubiquitous in restaurants, retail stores, transportation, and marketing, attackers have adapted their techniques to exploit the trust that people place in these scannable codes. QR code security attacks, collectively known as "quishing" (QR code phishing), have grown significantly since 2023 and continue to evolve in 2025. The very feature that makes QR codes useful, the inability for humans to read the encoded URL just by looking at the code, is also what makes them dangerous. Users scan a code and are taken to a destination without any way to verify where they are going beforehand.
Understanding these risks is essential for both QR code creators and users. To create secure QR codes for your own campaigns, use the QR Code Generator tool, and to verify the safety of QR codes you encounter, use the QR Code Reader tool, which displays the decoded URL before you open it. For best practices on designing effective QR codes, see our guide on QR Code Best Practices for Marketing Campaigns.
How QR Code Attacks Work
QR code attacks exploit the gap between the physical and digital worlds. A victim sees a QR code in a physical location, on a flyer, a poster, a restaurant table, or even a parking meter. They scan the code with their phone and, without ever seeing the URL, are taken to a malicious website. The attack works because the QR code bypasses the user's normal security screening. Before clicking a link in an email or on a website, many users have learned to hover over it and check the destination URL. QR codes offer no such opportunity for verification.
QR Code Phishing (Quishing)
Quishing is the most common QR code attack. Attackers create QR codes that link to fake login pages designed to steal credentials. A typical quishing attack might involve placing a fake QR code on a parking meter that directs users to a page that looks like the official parking payment portal. When the user enters their credit card information and license plate number, the data is captured by the attacker. Quishing attacks have been particularly effective because they target trusted, mundane activities like paying for parking or viewing a restaurant menu, situations where people are not on high alert for security threats.
Malicious Redirects and Drive-By Downloads
Some QR codes lead to websites that automatically initiate a download of malware onto the user's device. These drive-by download attacks exploit browser vulnerabilities to install spyware, ransomware, or banking trojans without the user's knowledge. In other cases, the QR code leads to a page that prompts the user to download a malicious app disguised as a legitimate update or tool. Mobile devices are particularly vulnerable because users are less likely to have antivirus software installed compared to desktop computers.
| Attack Type | How It Works | Target | Potential Damage | Prevalence (2025) |
|---|---|---|---|---|
| Quishing (phishing) | QR code links to fake login page | Credentials, payment info | Account takeover, financial theft | Very high |
| Drive-by download | QR code leads to malware download | Device compromise | Data theft, ransomware | High |
| QR code overlay | Sticker placed over legitimate QR code | Public QR code users | Credential theft | Medium |
| Malvertising | QR code leads to malicious ad network | Ad viewers | Malware, scam pages | Medium |
| Social engineering | QR code with urgent/enticing message | Emotional manipulation | Various fraud types | High |
Real-World Examples of QR Code Attacks
QR code attacks are not theoretical. In 2024, a major attack involved fake QR codes placed on parking meters in several US cities. Victims scanned the code to pay for parking and were directed to a convincing replica of the official parking payment portal. The attackers captured credit card numbers, expiration dates, CVV codes, and license plate information. Another attack targeted restaurant patrons by placing stickers with malicious QR codes over the legitimate codes on table tents. Victims who scanned the code to view the menu were instead taken to a fake survey page that requested their email address and phone number, which were then sold to spam lists.
In a sophisticated attack targeting a European energy company, attackers sent phishing emails containing QR codes rather than traditional links. Because many security email gateways do not scan QR codes embedded in email attachments or PDFs, the QR code bypassed the company's email security entirely. Employees who scanned the code with their personal phones were directed to a credential harvesting page, and the stolen credentials were then used to access the corporate network from personal devices that were not subject to the same security controls as company-managed devices.
Protecting Yourself as a User
As a user of QR codes, there are several steps you can take to protect yourself from attacks. First, always inspect a QR code before scanning it, especially if it is in a public place. Look for signs of tampering, such as a sticker placed over an existing code, a code that looks misaligned or crooked on a poster, or a code in an unusual location. When scanning a QR code, use a QR code reader app that shows you the decoded URL before opening it, rather than relying on your phone's default camera app, which may open the URL immediately. The QR Code Reader tool allows you to upload an image of a QR code and see the decoded URL without risking your device.
URL Verification
Always verify the URL before navigating to it. Check that the domain name is spelled correctly. Attackers frequently use typosquatted domains that look like legitimate ones, such as "paypaI.com" with a capital I instead of a lowercase l, or "g00gle.com" with zeros instead of o's. If the URL looks suspicious, do not visit it. Be particularly cautious of URLs that use URL shorteners, as these hide the actual destination. If a QR code claims to lead to a well-known service like PayPal, Google, or Amazon, but the decoded URL is a shortened link or an unfamiliar domain, it is likely an attack.
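The checks from the two paragraphs above (look-alike domains, shorteners, unfamiliar or disguised hosts) applied to a decoded payload, as an added example for this article rather than part of the QR Code Reader tool; the brand list, shortener list and confusable-character map are constructed assumptions, not a complete reference.

```python
"""Screen a URL decoded from a QR code before opening it.

Added example for this article, not a tool from the page. Brand list,
shortener list and the heuristics are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical list of brands a user might expect a code to point to.
KNOWN_BRANDS = {"paypal.com", "google.com", "amazon.com"}
# Shortener hosts; a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Look-alike substitutions: capital I for l, zero for o, and similar.
CONFUSABLES = str.maketrans({"I": "l", "0": "o", "1": "l", "5": "s", "3": "e"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels), enough for the brands above."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_qr_url(payload: str) -> list[str]:
    """Return warnings for a decoded payload; an empty list means none found."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web payload with scheme '{parts.scheme or 'none'}'"]
    if parts.scheme == "http":
        warnings.append("plain http, no TLS")
    # Keep the host's original case: .hostname lowercases it, which would
    # turn the capital-I look-alike into a plain 'i'.
    raw_host = parts.netloc.rsplit("@", 1)[-1].split(":")[0]
    host = raw_host.lower()
    if "@" in parts.netloc:
        # "https://paypal.com@evil.example/" puts a brand before the real host
        warnings.append("credentials in URL hide the real host")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain")
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        warnings.append(f"URL shortener {domain} hides the destination")
    # Fold confusable characters; if the folded name is a known brand but
    # the real domain is not, the code points at a look-alike.
    folded = registrable_domain(raw_host.translate(CONFUSABLES))
    if folded in KNOWN_BRANDS and domain not in KNOWN_BRANDS:
        warnings.append(f"look-alike of {folded}: {domain}")
    if domain not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            if brand in host:  # e.g. paypal.com.evil.example
                warnings.append(f"{brand} used as a subdomain of {domain}")
    return warnings
```

Run it on the string a reader app shows you; a non-empty list is a reason to stop, not a verdict, and an empty list only means these particular heuristics found nothing.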
Protecting Your Business as a QR Code Creator
If you create QR codes for your business or marketing campaigns, you have a responsibility to protect your users. Use a trusted QR code generator like the QR Code Generator that creates codes with the highest error correction level to prevent tampering. Avoid using URL shorteners in your QR codes, as they reduce transparency and make it harder for users to verify the destination. If you must use a URL shortener for analytics purposes, ensure it is from a trusted provider and that you regularly audit the redirect destination.
Physical Security of QR Codes
For QR codes displayed in physical locations, physical security is essential. Use materials that make tampering obvious, such as codes printed directly on signage rather than on stickers that can be removed and replaced. If you must use stickers, use tamper-evident materials that show visible damage when removed. Regularly inspect your physical QR code placements for signs of tampering. For digital QR codes, such as those in emails or on websites, ensure the code is embedded directly in the content rather than loaded from an external source that could be compromised.
| Protection Measure | For Users | For Businesses | Effectiveness |
|---|---|---|---|
| Use a QR code reader that shows URLs | Yes | N/A | High |
| Inspect physical codes for tampering | Yes | Yes | High |
| Verify URL before visiting | Yes | N/A | High |
| Use tamper-evident materials | N/A | Yes | Medium |
| Regularly inspect code placements | N/A | Yes | High |
| Use high error correction level | N/A | Yes | Medium |
| Avoid URL shorteners | N/A | Yes | Medium |
The Future of QR Code Security
As QR code attacks continue to evolve, new security measures are being developed. Some smartphone manufacturers are adding QR code scanning features that display the decoded URL in a large, readable format before navigation. Security companies are developing QR code scanning apps that check URLs against databases of known malicious sites before displaying them. Dynamic QR codes with real-time verification are emerging, where the QR code itself contains an encrypted signature that can be verified by a trusted server before redirecting the user. While these measures will help, user awareness and caution remain the most effective defense against QR code attacks. Never scan a QR code from an untrusted source, always verify the destination URL, and report suspicious QR codes to the relevant authority.
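The server-verified dynamic code sketched above, as an added example that is not from the page or any vendor: a trusted redirect service issues QR URLs carrying a keyed tag over the destination and an expiry, and checks that tag before forwarding. Assumptions: the service host go.example, the demo key, and an HMAC tag standing in for the "encrypted signature" the text describes.

```python
"""Signed token for a dynamic QR code, checked by a trusted redirect service.

Added example for this article, not code from any product it mentions. It uses
an HMAC tag (a keyed signature, standing in for the "encrypted signature" the
text describes); the key, service host and destinations are constructed.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-demo-key-rotate-in-production"
REDIRECT_HOST = "go.example"  # hypothetical trusted redirect service


def _sign(dest: str, exp: int) -> str:
    """Tag binds destination and expiry together under the service key."""
    tag = hmac.new(SECRET_KEY, f"{dest}|{exp}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def issue_qr_url(dest: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the URL to encode in the QR code: destination, expiry and tag."""
    exp = (now if now is not None else int(time.time())) + ttl_seconds
    query = urlencode({"d": dest, "e": exp, "s": _sign(dest, exp)})
    return f"https://{REDIRECT_HOST}/r?{query}"


def verify_scan(scanned_url: str, now: Optional[int] = None) -> Optional[str]:
    """Server side: return the destination if the tag checks out, else None."""
    parts = urlsplit(scanned_url)
    if parts.hostname != REDIRECT_HOST:
        return None  # not our service (e.g. an overlay sticker's own URL)
    q = parse_qs(parts.query)
    try:
        dest, exp, sig = q["d"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError, IndexError):
        return None  # malformed or incomplete token
    if (now if now is not None else int(time.time())) > exp:
        return None  # code has expired
    # Constant-time compare against a freshly computed tag: any change to
    # the destination or expiry produces a different tag.
    if not hmac.compare_digest(sig.encode(), _sign(dest, exp).encode()):
        return None
    return dest
```

This only protects codes the service itself issued: an altered destination or an expired code is refused, while a sticker pointing at a completely different host never reaches the service and is still caught only by the user checking the URL.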
Conclusion
QR codes are a convenient and powerful tool, but they also present security risks that users and businesses must take seriously. Quishing attacks, malicious redirects, and physical tampering are real and growing threats. By understanding these risks and implementing appropriate protective measures, both users and businesses can safely benefit from QR code technology. Use the QR Code Generator to create secure codes for your campaigns and the QR Code Reader to safely inspect codes before scanning them. For more on QR code best practices, refer to our QR Code Best Practices guide.