QR code phishing attacks, also known as 'quishing,' are cyberattacks in which criminals use malicious QR codes to direct victims to fake websites designed to steal credentials, personal information, or install malware.
What makes quishing effective is that it exploits a blind spot in conventional email security. Unlike traditional phishing emails, whose links security filters can scan, QR codes are images. They slip past email security systems undetected because automated tools cannot easily interpret the URL encoded within them. By the time a victim scans the code with their personal device, they have already bypassed the organization's security infrastructure.
Researchers Fouad Trad and Ali Chehab from the American University of Beirut highlight this challenge, noting QR codes' "opaque nature, making it difficult for users to assess their legitimacy before scanning." Furthermore, while users can hover over links and scrutinize URLs in emails, QR codes provide no such opportunity for inspection until after they've been scanned, creating a blind spot that attackers exploit.
How QR code phishing works
Cybercriminals create fraudulent QR codes that direct victims to malicious websites designed to steal credentials, financial information, or install malware. These codes are distributed through various channels including phishing emails, physical stickers placed over legitimate QR codes, direct mail campaigns, or even fake parking tickets.
QR codes can carry more than URLs. As Trad and Chehab explain, QR codes can encode "Wi-Fi credentials, trigger app deep links, initiate cryptocurrency transactions, add contact details," along with geolocation data, SMS messages, and calendar events.
According to Microsoft Security's Defender Experts team, these attacks have three primary intents:
- Credential theft through adversary-in-the-middle (AiTM) techniques where session tokens are stolen in real-time,
- Malware distribution that automatically downloads malicious software onto mobile devices, and
- Financial theft where users are tricked into making fake payments or surrendering banking credentials.
The Federal Trade Commission has warned consumers about scam tactics, noting that fraudsters deliberately try to create a sense of urgency to pressure victims into scanning codes without proper scrutiny. According to the FTC, common pretexts include false claims about undelivered packages requiring rescheduling, fabricated account problems needing confirmation, or invented suspicious activity requiring immediate password changes.
Furthermore, attackers now create pixel-perfect replicas of legitimate login pages, complete with proper branding, SSL certificates, and convincing domain names that differ from authentic URLs by only a character or two. Microsoft researchers note that attackers often impersonate IT support, HR departments, payroll teams, or administrators to create urgency and manipulate victims into acting without proper verification.
A real-world case: The 2024-2025 credential harvesting campaign
In 2025, researchers uncovered a credential harvesting campaign that had been operating since 2024. This campaign showed how advanced and targeted these attacks have become, combining multiple evasion techniques to bypass both human scrutiny and automated security systems.
The attack began when victims received emails containing PDF attachments impersonating trusted document-signing services like Adobe Acrobat Sign and DocuSign, or appearing to be company payroll update documents. These PDFs had company logos, HR contact information, and realistic dates, prompting recipients to sign what appeared to be an official document. Rather than containing a clickable link that security systems could easily scan, the PDF embedded a QR code that victims were instructed to scan with their smartphones.
Furthermore, the attackers hid their malicious destinations behind redirection mechanisms and exploited open redirects from trusted websites, making their links appear legitimate at first glance. Additionally, they employed Cloudflare Turnstile for human verification, which served the dual purpose of making their fake login pages appear more authentic while preventing security crawlers from analyzing the malicious sites.
Researchers discovered that attackers were targeting specific victims with customized fake login pages designed to reject random credentials while only accepting those tied to their intended targets. This level of personalization suggested that threat actors had conducted pre-attack reconnaissance, gathering information about their victims before launching the campaign.
Attacks spread across the United States and Europe, impacting organizations in the medical, automotive, education, energy, and financial sectors. The attackers' primary goal was harvesting Microsoft 365 credentials, which they accomplished by directing victims to fake login pages that perfectly mimicked the legitimate Microsoft authentication interface.
Why mobile devices make perfect targets
When users scan a QR code with their smartphone, they're often taken out of their organization's secure network environment. Mobile screens are smaller, making it harder to scrutinize URLs before entering sensitive information.
Furthermore, many mobile users don't have the same level of security software protection on their personal devices as they do on company computers. This creates a blind spot in organizational cybersecurity strategies that have traditionally focused on protecting desktop endpoints and network perimeters. Microsoft's security research describes this challenge, noting that users typically scan QR codes on personal, non-managed mobile devices that fall outside the scope of enterprise security protections like Microsoft Defender.
The scale of the threat
Microsoft Security researchers have observed that these campaigns grew from 10% to 30% of total phishing campaigns in recent months. These attacks are often massive in scale, with individual campaigns targeting more than 1,000 users within a single organization. Before launching these large-scale operations, attackers conduct reconnaissance through social media to gather target email addresses and preferences, allowing them to craft personalized campaigns that are more likely to succeed.
In 2022, the FBI's Internet Crime Complaint Center found that phishing attacks were "the number one reported cyber crime, with over 300,000 complaints," according to the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3). The financial impact is significant: according to Paubox's 2025 mid-year email breach data report, the average cost of a healthcare breach is now $11 million, the highest of any industry for the 14th consecutive year. Making matters worse, the same report found that IT leaders estimate only 5% of known phishing attacks are actually reported by employees to their security teams, leaving organizations unaware of the scope of the threats they face.
The personalization extends to campaign subjects, where attackers often include the recipient's first name, last name, or email address to create a sense of legitimacy. Microsoft researchers have identified patterns where campaigns use identical opening or closing words in subject lines but personalize the middle portion for each recipient, such as "Alex, you have an undelivered voice message" or "Your MFA update is pending, Bob."
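A detection-side illustration of that subject-line pattern, added here and not part of the article: it masks each recipient's own name or address in the subject and groups messages by the remaining template, so subjects that differ only in the personalized portion surface as one campaign. The messages, names and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample messages: (recipient address, recipient display name, subject).
MESSAGES = [
    ("alex.r@corp.example", "Alex Reyes", "Alex, you have an undelivered voice message"),
    ("bob.k@corp.example", "Bob Kim", "Bob, you have an undelivered voice message"),
    ("cara.l@corp.example", "Cara Lee", "Your MFA update is pending, Cara"),
    ("dan.m@corp.example", "Dan Moss", "Your MFA update is pending, dan.m@corp.example"),
    ("eve.o@corp.example", "Eve Oduya", "Q3 budget review notes"),
]


def mask_recipient(subject: str, email: str, name: str) -> str:
    """Replace the recipient's address, local part or name tokens with <RCPT>."""
    tokens = [email, email.split("@")[0]] + name.split()
    # Longest token first, so the full address is masked before its first-name fragment.
    for tok in sorted(tokens, key=len, reverse=True):
        if len(tok) >= 3:  # skip very short tokens that would over-match inside other words
            subject = re.sub(r"\b" + re.escape(tok) + r"\b", "<RCPT>", subject, flags=re.IGNORECASE)
    return subject


def cluster_campaigns(messages, min_recipients: int = 2) -> dict:
    """Group messages by masked subject template; keep templates sent to several recipients."""
    groups = defaultdict(set)
    for email, name, subject in messages:
        groups[mask_recipient(subject, email, name)].add(email)
    return {tpl: sorted(rcpts) for tpl, rcpts in groups.items() if len(rcpts) >= min_recipients}


if __name__ == "__main__":
    for template, recipients in cluster_campaigns(MESSAGES).items():
        print(f"{len(recipients)} recipients: {template}")
```

Run over real mail telemetry, the template key is what a detection rule would alert on, while the masked tokens are simply the personalization the attacker added.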
Protecting your organization
The FTC recommends several practical safeguards for consumers:
- Inspect before you scan: When encountering a QR code in an unexpected location, examine the URL carefully before opening it. Look for misspellings or subtle character substitutions that indicate a spoofed website designed to mimic a legitimate one.
- Verify unexpected requests: Never scan QR codes from unsolicited emails or text messages. If a message appears to come from a legitimate company, contact them directly using a phone number or website you know is authentic rather than relying on information in the suspicious message.
- Maintain device security: Keep your smartphone's operating system updated to protect against known vulnerabilities that hackers exploit. Secure your online accounts with strong, unique passwords and enable multi-factor authentication wherever possible.
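The URL checks described above (unwrapping a redirect bounced off a trusted site, and spotting a domain that differs from the real one by a character or a look-alike glyph) can be automated once the QR code has been decoded. The following Python example is added here and is not code from the article or from any vendor it cites; the allowlist, the confusable table and all URLs are constructed.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allowlist of registrable domains that users are expected to sign in to.
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "docusign.com", "adobe.com"}

# Look-alike substitutions: digits, letter pairs and two non-ASCII confusables
# (Cyrillic a, Greek omicron) mapped back to the ASCII letter they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("\u0430", "a"), ("\u03bf", "o")]


def unwrap_redirect(url: str, max_depth: int = 5) -> str:
    """Follow URL-shaped query-parameter values (open-redirect style) to the innermost URL."""
    for _ in range(max_depth):
        params = parse_qs(urlparse(url).query)
        nested = [unquote(v) for vals in params.values() for v in vals
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        url = nested[0]
    return url


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])  # crude eTLD+1; adequate for this allowlist


def normalize(host: str) -> str:
    for bad, good in CONFUSABLES:  # heuristic: may also rewrite benign 'rn' sequences
        host = host.replace(bad, good)
    return host


def triage(url: str) -> dict:
    """Unwrap redirects, then classify the final host as allowlisted, lookalike or unknown."""
    final = unwrap_redirect(url)
    host = (urlparse(final).hostname or "").lower()
    if registrable(host) in LEGIT_DOMAINS:
        return {"final_url": final, "host": host, "verdict": "allowlisted", "distance": 0}
    norm = registrable(normalize(host))
    dist, closest = min((edit_distance(norm, d), d) for d in LEGIT_DOMAINS)
    verdict = "lookalike" if dist <= 2 else "unknown"
    return {"final_url": final, "host": host, "verdict": verdict, "closest": closest, "distance": dist}
```

A "lookalike" verdict with distance 0 means the host is not on the allowlist yet normalizes to a legitimate brand domain, which is exactly the one-character or glyph substitution the FTC guidance tells users to look for.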
The FBI provides additional guidance for avoiding QR code scams:
- Do not scan randomly found QR codes
- Be suspicious if a scanned site requests passwords or login information
- Verify the legitimacy of QR codes received via email or text by contacting the sender directly
- Check for signs of tampering—if a code appears to have been placed over another, do not use it
Solutions like Paubox Inbound Email Security offer AI-powered inbound email security that automatically blocks phishing attempts and display name spoofing, reducing reliance on staff to identify threats.
The HC3 white paper provides a defense-in-depth strategy, recommending that organizations configure mail servers to filter unwanted emails or integrate spam gateway filters to strip away malicious traffic. Endpoint security software should be deployed and frequently updated on every user's system to detect malware as it executes, even if a phishing email bypasses initial filters.
Microsoft recommends implementing conditional access policies that evaluate sign-in requests using identity-driven signals like device compliance status, IP address location, and risk-based assessments. Organizations should also monitor for suspicious sign-in patterns, such as those originating from non-managed, non-compliant devices with anomalous characteristics.
FAQs
Can QR codes contain viruses or malware directly?
No, QR codes themselves cannot contain viruses, but they can direct you to websites that automatically download malware to your device.
Can businesses be held legally liable if their customers fall victim to QR code scams on their premises?
While liability varies by jurisdiction, businesses could face legal exposure if they fail to monitor their premises for tampered QR codes.
Can I report suspicious QR codes to authorities?
Yes, you can report QR code scams to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov, the FTC at ReportFraud.ftc.gov, or your local law enforcement.