Why QR Codes Are a Growing Security Target
QR codes have become deeply embedded in everyday life — from restaurant menus and boarding passes to contactless payments and vaccine certificates. Their convenience, however, has made them an attractive vehicle for cybercriminals. Unlike a hyperlink visible in a browser bar, a QR code's destination is entirely opaque until scanned. That single characteristic is the root of most QR-related security threats. The FBI, Europol, and national cybersecurity agencies have all issued formal warnings about the rising misuse of QR codes in social engineering and fraud campaigns.
Understanding the specific threat categories is the first step toward protecting yourself, your customers, and your organisation.
QR Phishing ("Quishing") Attacks
Quishing — a portmanteau of "QR" and "phishing" — is the fastest-growing QR threat vector. Attackers embed malicious QR codes inside phishing emails, printed leaflets, or fake notifications. When the victim scans the code, they are redirected to a credential-harvesting site that mimics a trusted service such as Microsoft 365, a banking portal, or a parcel-delivery tracking page.
Quishing is particularly dangerous because most enterprise email security gateways are trained to analyse URLs and attachments, not image-embedded QR codes. As a result, quishing emails frequently bypass spam and phishing filters that would otherwise catch a naked malicious link. Always verify the sender and expected context before scanning any QR code received via email.
Malware Delivery via QR Codes
A QR code can encode any URL, including deep links that trigger automatic app downloads, initiate Bluetooth or Wi-Fi connections, or launch platform-specific URI schemes. Attackers exploit these capabilities to push malicious APK files on Android, redirect to drive-by-download pages, or abuse Universal Links on iOS to open rogue applications. Once installed, malware can harvest banking credentials, intercept SMS-based two-factor authentication codes, or enrol the device in a botnet.
The risk is elevated in regions where sideloading (installing apps outside official stores) is common or where older operating systems lack modern security sandboxing.
Fake Payment QR Code Fraud
Payment QR codes displayed in shops, food stalls, and fundraising drives are high-value targets. Criminals print fraudulent codes on stickers and place them over legitimate payment codes. The payer believes they are sending money to the vendor but the funds go directly to the attacker's account. This scam has been widely documented across South and Southeast Asia, but is increasingly reported in Europe and North America as contactless QR payments grow.
Businesses accepting QR payments should inspect their displayed codes regularly, apply tamper-evident seals around printed materials, and encourage customers to verify the payee name shown on their banking app before confirming any transaction.
Stalkerware and Tracking Through QR Codes
Dynamic QR codes log a scan event every time someone scans them, capturing the scanner's IP address, device type, operating system, and approximate geolocation derived from IP data. While legitimate analytics platforms use this data transparently for marketing measurement, the same mechanism can be weaponised. An abusive partner, unscrupulous employer, or stalker can generate a dynamic QR code, place it in a location the target is likely to visit, and monitor scan activity in real time to infer the victim's movements.
If you receive an unsolicited QR code — particularly inside a greeting card, gift, or personal message — treat it with caution. Use a QR scanner that previews the destination URL before opening it, and be aware that simply scanning the code may expose your network IP.
Physical Tampering: Overlaying Malicious QR Codes
Sticker-based tampering is not limited to payment terminals. Attackers have been found covering legitimate codes at parking meters, EV charging stations, public transport kiosks, and tourist information boards. The original, genuine code is hidden under a professionally printed overlay that is difficult to detect visually. Before scanning any QR code in a public location, check whether the surface around it appears to have been altered — look for raised edges, air bubbles, or misalignment with surrounding artwork.
How Organisations Should Manage QR Code Risk
Organisations that deploy QR codes in customer-facing or internal contexts should adopt a formal QR governance policy. Key controls include:
- Centralised code generation: Only allow approved tools to create QR codes that route through monitored, branded short domains.
- Regular physical audits: Inspect all publicly displayed QR codes weekly for signs of tampering, especially in high-traffic or unattended locations.
- Destination whitelisting: For internal use, configure mobile device management (MDM) policies to block QR-triggered navigation to any domain not on an approved list.
- Staff training: Educate employees to recognise quishing emails and never scan a QR code sent unexpectedly by an external party.
- Incident response: Include QR-based compromise scenarios in your incident response playbook, covering both phishing and payment fraud paths.
Safe QR Practices for Consumers
Individuals can significantly reduce their exposure by following a short checklist every time they scan a QR code in an unfamiliar context:
- Use your device's built-in camera or a reputable scanner app that previews the URL before loading it.
- Check that the destination URL uses HTTPS and that the domain matches the brand shown in the surrounding context.
- Never enter login credentials or payment details on a page reached solely via a QR code without independent verification.
- Keep your phone's operating system and apps updated so security patches are current.
- Enable two-factor authentication on all financial and email accounts to limit the damage if credentials are ever harvested.
- If a scanned QR code triggers an unexpected app download prompt, decline and report the code to the venue or organisation responsible for the signage.
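The checks above (preview the destination, insist on HTTPS, confirm the domain, refuse unexpected app actions) and the organisational allowlist control from the previous section can be expressed as one small classifier run on the decoded payload. The following is an added example written for this page, not code from the article or from QRGenPlus. It assumes the scanner app has already decoded the QR image to a string; `APPROVED_DOMAINS`, the helper names and the sample payloads in `main` are constructed for illustration. It goes a little beyond the checklist by also flagging URL tricks that a plain domain glance misses: userinfo before `@`, raw IP hosts, punycode labels, and scheme-less text that some scanners open as http.

```python
"""Evaluate the decoded contents of a QR code before a device acts on it.

Added example, not code from the article or from QRGenPlus. It assumes the QR
image has already been decoded to a string by the scanner app, and models two
controls the article describes: a scanner that previews the destination
(scheme, host, HTTPS) and an MDM-style allowlist of approved domains.
APPROVED_DOMAINS and the sample payloads in main() are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only domains an organisation's managed devices may open from a scan.
APPROVED_DOMAINS = {"example.com", "pay.example.com"}

# Only web schemes can be previewed in a browser; anything else (Android intent://,
# market:, WIFI: join strings, tel:, sms:, itms-services:) acts on the device directly.
WEB_SCHEMES = {"http", "https"}

# Scheme-less text that still looks like a bare domain; many scanner apps open it as http.
BARE_DOMAIN = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]|$)")


def _in_allowlist(host, approved_domains):
    """True if host is an approved domain or a subdomain of one (a look-alike such as pay-example.com is not)."""
    return any(host == d or host.endswith("." + d) for d in approved_domains)


def _result(verdict, scheme, host, reasons):
    return {"verdict": verdict, "scheme": scheme, "host": host, "reasons": reasons}


def evaluate_qr_payload(payload, approved_domains=APPROVED_DOMAINS):
    """Return a dict with verdict ("allow", "warn" or "block"), scheme, host and reasons.

    "allow": open it; "warn": show the preview and let the user decide;
    "block": an MDM policy would refuse to navigate.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname already drops port and userinfo
    block, warn = [], []

    if not scheme:
        if BARE_DOMAIN.match(text):
            bare_host = re.split(r"[/?#]", text, 1)[0].lower()
            return _result("warn", "", bare_host, ["scheme-less URL; the scanner may open it over plain http"])
        return _result("allow", "", "", ["plain text; nothing to navigate to"])

    if scheme not in WEB_SCHEMES:
        block.append(f"URI scheme '{scheme}' acts on the device directly (app launch, Wi-Fi join, dialler)")
        return _result("block", scheme, host, block)

    # Web URL: the checks a preview should surface before the user taps "open".
    if parts.username is not None or parts.password is not None:
        block.append(f"userinfo before '@' disguises the destination; the real host is '{host}'")
    if not host:
        block.append("URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            block.append("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal domain name, as expected
        if any(label.startswith("xn--") for label in host.split(".")):
            warn.append("internationalised (punycode) label; check for look-alike characters")
        if not _in_allowlist(host, approved_domains):
            block.append(f"host '{host}' is outside the approved domain list")
    if scheme == "http":
        warn.append("not HTTPS; anything typed on the page travels in clear text")

    verdict = "block" if block else ("warn" if warn else "allow")
    return _result(verdict, scheme, host, block + warn)


def main():
    # Constructed sample payloads, as a scanner would hand them over after decoding.
    samples = [
        "https://pay.example.com/invoice/123",
        "http://pay.example.com/invoice/123",
        "https://pay-example.com/invoice/123",
        "https://bank.example.com@evil.test/login",
        "http://192.0.2.10/login",
        "intent://scan/#Intent;scheme=zxing;end",
        "WIFI:T:WPA;S:Cafe;P:secret;;",
        "example.com/menu",
        "SN-00012345",
    ]
    for s in samples:
        r = evaluate_qr_payload(s)
        print(f"{r['verdict']:5}  {s}")
        print(f"       {'; '.join(r['reasons'])}")


if __name__ == "__main__":
    main()
```

The allowlist comparison deliberately matches only exact domains and their subdomains, so `pay-example.com` or `example.com.evil.test` are rejected even though both contain the approved string; that is the same distinction a user should make when comparing the previewed domain with the brand on the signage.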
Conclusion
QR codes are a genuinely useful technology, but their opacity and ubiquity make them a compelling tool for attackers. The threats — quishing, malware delivery, payment fraud, stalkerware, and physical tampering — are diverse, but they all share a common weakness: the victim cannot see the destination before they commit to the scan. Awareness, scrutiny, and a few practical habits dramatically reduce the risk. Organisations deploying QR codes have a duty of care to generate them responsibly, monitor them in the field, and respond swiftly when abuse is detected.
Ready to create QR codes you can trust and monitor safely? Try QRGenPlus free — our platform gives you full destination control, branded short domains, and real-time scan analytics so you always know exactly where your codes are pointing.