QR codes have rapidly become an essential part of daily life — from menus and boarding passes to parking meters and bill payments. However, their ubiquity has opened the door for a new wave of cybercrime known as “quishing” — phishing scams that use malicious QR codes to trick unsuspecting users into handing over sensitive data or downloading malware.
According to a recent study by NordVPN, nearly 73% of Americans scan QR codes without verifying their source, resulting in over 26 million people being directed to harmful websites. This alarming statistic underscores just how widespread and dangerous these scams have become.
Earlier this year, the Federal Trade Commission (FTC) issued a stern warning about QR codes on unexpected packages that could lead users to phishing sites designed to steal credit card information, usernames, and passwords, or even install malware on their devices.
Local governments have also stepped in. For instance, New York City’s Department of Transportation cautioned the public after scammers began placing fake QR code stickers on parking meters, diverting payments to fraudulent accounts. Similarly, warnings have come from utility companies in Hawaii and other states about QR codes embedded in fake bills or payment notices.
Cybersecurity experts highlight that QR codes are deceptively simple tools, which makes them an attractive option for attackers.
“Because they are everywhere — gas pumps, yard signs, TV ads — QR codes are useful but also potentially dangerous,” says Dustin Brewer, senior director of cybersecurity services at BlueVoyant.
The scam works by placing counterfeit QR codes in locations where victims are likely to be in a hurry, such as parking lots or bill payment kiosks. The urgency makes people less likely to double-check the code’s authenticity.
“Crooks rely on people being rushed or needing to act quickly,” explains Gaurav Sharma, electrical engineering professor at the University of Rochester, who studies QR code vulnerabilities.
The rise in QR code scams also reflects the shifting landscape of cyber threats. Enhanced security measures have made traditional email phishing less effective, pushing scammers to explore alternatives.
A report from cybersecurity firm KeepNet Labs revealed that 26% of all malicious links are now delivered via QR codes, confirming their growing popularity among attackers.
To combat the threat, Sharma is developing a Self-Authenticating Dual-Modulated QR code (SDMQR), designed to embed security features preventing tampering and fraud. However, widespread adoption depends on cooperation from tech giants like Google and Microsoft, who control camera software and infrastructure.
Meanwhile, institutions like the Children’s Museum of Indianapolis have upgraded their QR codes with custom designs and logos to help users distinguish genuine codes from counterfeit ones. They also perform regular checks to prevent tampering.
Research by Malwarebytes shows that iPhone users tend to trust their devices more than Android users, potentially making them more vulnerable to quishing. Approximately 70% of iPhone owners have scanned QR codes to complete purchases, compared to 63% of Android users.
This higher confidence can lead to less vigilance, as many iPhone users do not use additional security measures like antivirus software, increasing their risk of exposure.
Experts emphasize vigilance as the best defense. Avoid scanning unexpected or suspicious QR codes, especially those found on unsolicited mail or unofficial signage. Check the URL displayed after scanning and verify that it matches the expected website before entering any personal information.
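The URL check described above can be automated in a scanner app or kiosk audit script. The following is an added example, not code from any vendor or researcher named in this article; the host `pay.city-parking.example` and the sample payloads are constructed for illustration. It accepts a decoded QR payload only when the URL is HTTPS and its host exactly matches a published one, and reports which check failed otherwise.

```python
from urllib.parse import urlsplit

# Hypothetical host a parking operator would publish (constructed for this example).
EXPECTED_HOSTS = {"pay.city-parking.example"}

def check_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname   # lower-cased; userinfo and port removed
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no host"
    # Text before '@' is userinfo, not the site; the real host comes after it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host"
    # Non-ASCII or punycode labels can render like a familiar name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match: a trusted name used as a prefix of another domain fails here.
    if host not in expected_hosts:
        return False, "host not expected"
    return True, "ok"

# Constructed sample payloads, as a scanner would decode them.
SAMPLES = [
    "https://pay.city-parking.example/zone/12",
    "http://pay.city-parking.example/zone/12",
    "https://pay.city-parking.example@lookalike.example/zone/12",
    "https://pay.city-parking.example.lookalike.example/zone/12",
    "https://pay.c\u0456ty-parking.example/zone/12",  # Cyrillic letter in host
    "WIFI:S:guest;;",                                  # not a web URL at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_qr_url(sample), sample)
```

A pass only means the code points at the published host; it says nothing about whether a sticker was placed over the original code, which still needs the physical checks mentioned above.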
“Attackers can easily print fake QR codes over legitimate ones, making it nearly impossible for average users to detect,” warns Brewer.
Nation-state hackers have even used QR codes to infiltrate critical systems, distributing malware such as remote access trojans (RATs) to gain covert control over devices. This illustrates how QR code vulnerabilities extend beyond everyday scams to national security risks.
Rob Lee, chief of research at the SANS Institute, points out that the lack of built-in security in QR codes makes them an ideal low-effort, high-reward tool for cybercriminals.
“QR codes were designed for convenience, not security, which is why scammers have quickly adopted them,” Lee notes.
As QR codes become increasingly woven into daily life, their misuse in “quishing” scams represents a growing cyber threat that demands heightened awareness and stronger protective measures. Consumers, businesses, and tech companies alike must stay vigilant and proactive to combat this evolving challenge.
If you frequently use QR codes, always double-check the source before scanning, avoid codes on unsolicited mail or suspicious locations, and consider cybersecurity tools to help detect malicious activity.