QR Code Phishing Attacks Steal Credentials and Deliver Malware
Key Takeaways Cybercriminals are increasingly leveraging QR codes for phishing, a tactic dubbed “quishing,” which saw a fivefold increase in detections between August and November 2025....
Key Takeaways
- Cybercriminals are increasingly leveraging QR codes for phishing, a tactic dubbed “quishing,” which saw a fivefold increase in detections between August and November 2025.
- Quishing attacks bypass traditional email security filters by embedding malicious URLs within image-based QR codes, making the payload invisible to text-based scanners.
- Threat actors deploy malicious QR codes in both physical environments (e.g., parking meters, restaurant menus) and digital channels (email, PDF attachments), leading to credential theft, malware delivery, and even MFA bypass.
- High-value targets, including executives and critical infrastructure sectors like energy and financial services, are disproportionately affected.
- Effective defense requires a multi-layered approach, including AI-powered email security with optical character recognition (OCR), phishing-resistant MFA, and comprehensive user awareness training.
The Rise of “Quishing”: A New Frontier in Phishing Attacks
The ubiquitous QR code, a seemingly innocuous pixelated square used for everything from restaurant menus to payment processing, has emerged as a potent weapon in the arsenal of cybercriminals. This new wave of attack, dubbed “quishing” (QR + phishing), exploits the inherent trust and convenience associated with QR codes, allowing malicious links and malware to bypass sophisticated enterprise email security systems with alarming regularity.
Table Of Content
- Key Takeaways
- The Rise of “Quishing”: A New Frontier in Phishing Attacks
- Understanding the Quishing Threat
- How Malicious QR Codes Operate
- The Scale of the Threat: Key Statistics
- How the Attack Works: Step-by-Step
- Real-World Attack Scenarios
- Scenario 1: The Parking Meter QR Code Scam
- Scenario 2: Mall / Restaurant / Retail QR Code Swap
- Scenario 3: Email Quishing Bypassing Security Gateways
- Scenario 4: QR Codes Delivering Mobile Malware
- Scenario 5: AitM + QR Attack Bypassing MFA
- Attack Techniques Used to Evade Detection
- What Attackers Steal: The Full Payload Map
- Red Flags: How to Spot a Malicious QR Code
- In Physical Locations
- In Emails
- Industries Most Targeted by Quishing
- Immediate Response: If You’ve Already Scanned a Malicious QR Code
- What You Should Do
- For Individual Users
- For Organizations and IT Teams
Data indicates a dramatic surge in quishing incidents. Between August and November 2025, detections of malicious QR code phishing emails escalated fivefold, from 46,969 to 249,723 incidents. The first half of 2025 alone saw over 4.2 million QR code phishing threats identified. Microsoft reported over 15,000 daily QR-code-bearing phishing emails targeting the education sector, underscoring the widespread nature of this evolving threat.
Understanding the Quishing Threat
How Malicious QR Codes Operate
At its core, quishing involves embedding a malicious URL within a QR code image. When a user scans the code with their smartphone camera, the device decodes the hidden URL and automatically opens a fraudulent website in the browser. These spoofed sites are meticulously designed to mimic legitimate platforms, aiming to steal sensitive information such as credentials, payment card details, or to facilitate the download of malware.
A critical distinction of quishing lies in its evasion technique. Unlike traditional phishing links, where users can preview the URL by hovering over it, a QR code conceals its destination until after it has been scanned. The malicious payload, encased within an image, is entirely invisible to the human eye and, more importantly, unreadable by most conventional email security filters. Traditional gateways are engineered to scrutinize text, parse HTML, and evaluate embedded URLs. When faced with a QR code, these systems perceive only an image file (e.g., JPEG or PNG), fail to detect any suspicious links, and consequently deliver the message to the recipient’s inbox. This represents an architectural limitation, not a configuration flaw.
The effectiveness of this method is evident in user behavior statistics:
- A significant 73% of users scan QR codes without first verifying the destination, as highlighted by Acronis research.
- Only 36% of QR phishing incidents are accurately identified and reported by recipients.
- The average time for a user to click on a phishing payload is a mere 21 seconds.
The Scale of the Threat: Key Statistics
The proliferation of quishing is supported by compelling data from various cybersecurity firms:
- QR Phishing Emails (Aug–Nov 2025): Kaspersky observed a 5x surge, from 46,969 to 249,723 incidents.
- Total QR Phishing Threats (Early 2025): Keepnet Labs identified over 4.2 million threats.
- Year-over-Year Growth (2026): Microsoft reported a 146% increase in QR code phishing.
- Share of Phishing Attacks (2025): QR codes constituted 12% of all phishing attacks, according to Keepnet / Linkcpa.
- Mobile Targeting: 68% of QR attacks specifically target mobile users (Keepnet Labs).
- Primary Goal: Approximately 89-90% of QR attacks aim for credential theft (Cofense / Keepnet).
- Executive Targeting: Executives are targeted 40-42 times more frequently than average employees (Recorded Future).
- Malicious Microsoft 365 Docs: Barracuda Networks found that 83% of malicious Microsoft 365 documents with QR codes.
- Unique Malicious QR Codes (2025): ZenSec detected 1.7 million unique malicious QR codes in attachments.
- Image-Based Phishing Increase (Into 2025): The Anti-Phishing Working Group (APWG) reported a 400% increase.
- Users Scanning Without Verification: 73% (KnowBe4 / NordVPN).
- Brands Targeted (Q2 2025): 1,642 brands were targeted by QR phishing (Mimecast / APWG).
How the Attack Works: Step-by-Step
Understanding the anatomy of a quishing attack is crucial for effective defense.
- Phase 1 – Preparation: Attackers generate a malicious QR code that links to a credential-harvesting site or a malware download. They then create a convincing, spoofed website that replicates a legitimate login page. Often, the malicious URL is routed through trusted redirect services to obscure its true destination.
- Phase 2 – Delivery: The malicious QR code is delivered to targets through various channels, including email (either embedded directly or within PDF attachments), physical stickers placed on public infrastructure like parking meters or restaurant tables, traditional postal mail, or popular messaging applications.
- Phase 3 – The Scan: A critical aspect of quishing is its ability to bypass corporate security perimeters. When a victim scans the QR code, they typically use their personal mobile phone. This action moves the interaction from a managed corporate desktop, protected by endpoint detection, web proxies, and DNS filtering, to an unmanaged personal smartphone lacking these crucial controls.
- Phase 4 – Theft: Upon scanning, the victim is directed to the malicious site where they are prompted to enter sensitive information, such as Microsoft 365 credentials, banking details, or credit card numbers. Alternatively, the site might trick them into downloading malware disguised as a legitimate application.
- Phase 5 – Post-Compromise: Following a successful compromise, attackers can gain unauthorized access to corporate email accounts, launch Business Email Compromise (BEC) attacks, sell stolen session tokens on dark web marketplaces, or deploy ransomware across the victim’s network.
Real-World Attack Scenarios
Scenario 1: The Parking Meter QR Code Scam
Scammers meticulously craft professional-looking QR code stickers and affix them directly over legitimate codes on public parking meters. These stickers are often laminated to appear official and designed to seamlessly blend with the meter’s existing design.
Impact: Drivers, believing they are using the official payment system, scan the fake code. This redirects them to a spoofed payment site (e.g., “poybyphone[.]com” instead of “paybyphone[.]com”). Victims then enter their name, vehicle details, and full payment card number, which is directly transmitted to the attacker.
Documented Cases: In Austin, Texas, dozens of city parking meters were targeted with fake QR code stickers, leading drivers to fraudulent payment sites and compromising credit card details. Similar campaigns have impacted ParkByPhone meters across multiple cities in the UK.
Red Flag: Always inspect QR codes on public infrastructure. Genuine codes are typically integrated into the panel design, not applied as an overlay sticker.
Scenario 2: Mall / Restaurant / Retail QR Code Swap
Attackers physically infiltrate retail environments to replace or overlay legitimate QR codes with their malicious versions. For instance, restaurant patrons scanning what they believe is a menu QR code might instead be directed to a fake coupon redemption page that requests payment card “verification.” Some variants trick users into downloading trojanized loyalty applications.
This tactic thrives on the user’s relaxed state within a trusted environment, where entering card details via a QR-linked page feels like a natural extension of an ongoing transaction.
Documented Case: One incident in 2025 involved fake QR code stickers placed over legitimate codes at 200 store locations, resulting in a 15% drop in legitimate scans and an estimated $2.3 million in damage control costs.
Scenario 3: Email Quishing Bypassing Security Gateways
This represents the predominant enterprise attack vector. Attackers embed QR codes within the body of phishing emails or inside attached PDF/DOCX files. The email’s subject line often impersonates critical internal departments like HR, IT, payroll, or compliance.
Common Subject Lines Observed:
- “Action Required: Verify Your Microsoft Account”
- “Your 2025 Benefits Enrollment Scan QR to Access”
- “Payroll Update Confirm Details via QR”
- “Invoice #[XXXX] Review and Approve”
Evasion Mechanism: The QR code, being an image file, is perceived by email gateways as a benign JPEG or PNG. Since no suspicious URLs are directly present in the text or HTML, the gateway marks the email as clean and delivers it. The victim then scans the code with their personal phone, entirely circumventing the corporate security perimeter.
Case Study (Sophos): A documented campaign utilized subject lines such as “2024 financial plans,” “benefits open enrollment,” and “dividend payout.” The QR codes were embedded within PDF attachments, a technique designed to defeat even advanced email gateway image scanning.
Case Study (Corporate Breach): A sustainability platform in South Asia experienced a full Microsoft 365 compromise after employees received a “bonus notification” email containing a malicious QR code. Scanning it led to a spoofed login page, resulting in credential theft. Post-compromise, attackers established invisible email forwarding rules to continuously exfiltrate communications.
Nation-State Example: The FBI issued an IC3 Flash Alert in January 2026, warning that North Korea’s Kimsuky APT group is employing malicious QR codes in spear-phishing campaigns. These campaigns target academics, government employees, think tanks, and defense contractors, redirecting victims to mobile-optimized credential-harvesting pages and collecting device fingerprint data.
Scenario 4: QR Codes Delivering Mobile Malware
Some quishing attacks directly leverage QR codes as a malware delivery mechanism. Scanning the code initiates the download of a malicious Android Package Kit (APK) disguised as a legitimate application, such as a logistics app, delivery tracker, utility payment app, or a security update for mobile devices.
Kimsuky Android RAT Campaign (Dec 2025 – Jan 2026): The Kimsuky APT group distributed trojanized Android APKs via QR codes hosted on phishing websites. These sites instructed users to “Open this page on your phone scan the QR code.” Upon installing the “app,” Kimsuky gained remote access to the device’s camera, microphone, contacts, and SMS messages, enabling extensive surveillance and data exfiltration.
Scenario 5: AitM + QR Attack Bypassing MFA
This sophisticated technique combines quishing with Adversary-in-the-Middle (AitM) attacks to defeat Multi-Factor Authentication (MFA) and bypass security operations centers entirely:
| Step | Action |
|---|---|
| 1 | Victim scans QR code in phishing email |
| 2 | Redirected to attacker’s reverse proxy server (between victim and real Microsoft/Google) |
| 3 | Victim enters real credentials forwarded live to the real server |
| 4 | Microsoft sends legitimate MFA push to the victim’s phone |
| 5 | Victim approves MFA, believing it’s a real login |
| 6 | Attacker captures the fully-authenticated session token including MFA |
| 7 | Attacker accesses the account without triggering MFA again |
Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and EvilProxy now incorporate this capability, significantly lowering the technical barrier for attackers to execute such advanced exploits.
Attack Techniques Used to Evade Detection
| Evasion Technique | Description | Bypass Goal |
|---|---|---|
| QR in PDF attachment | QR code embedded inside a PDF, not the email body | Defeats email body image scanning |
| ASCII-art QR codes | QR rendered using ASCII/Unicode text characters | Defeats image-based detection |
| “Fancy” QR with logos | Brand logos embedded inside custom QR designs | Disrupts pixel-pattern analysis |
| Blob URI redirects | Malicious page rendered from browser-generated data object | Avoids server-hosted URL reputation checks |
| Legitimate redirect chains | Routes through Google, Bitly, Cloudflare before malicious page | Passes URL blocklists |
| Split-image / multipart MIME | QR split across fragments assembled by email client | Defeats single-image scanning |
| Deep link / in-app URLs | Opens inside Telegram; WeChat bypasses mobile browser | Avoids mobile browser URL inspection |
| Dynamic QR codes | Destination URL changes after gateway check | Defeats time-of-scan analysis |
| CAPTCHA-gated landing pages | Protected by Cloudflare Turnstile or reCAPTCHA | Defeats automated sandbox analysis |
What Attackers Steal: The Full Payload Map
| Payload Category | What Is Captured | Typical Impact |
|---|---|---|
| Corporate Credentials | Microsoft 365, Google Workspace, Okta, VPN logins | Account takeover, data breach, ransomware |
| Payment Card Details | Card number, CVV, expiry, billing address | Financial fraud, card cloning |
| Banking Credentials | Online banking username, password, PIN | Direct fund transfers |
| Session Tokens / Cookies | Authenticated session after MFA | MFA bypass, persistent unauthorized access |
| PII | Name, SSN/Aadhaar, address, date of birth | Identity theft, credit fraud |
| UPI / Mobile Payment Data | UPI PIN, transaction confirmation codes | Unauthorized UPI transfers (India) |
| Mobile Device Access | Camera, microphone, contacts, SMS (via APK) | Espionage, OTP interception |
| Corporate Secrets | Email contents, documents | IP theft, BEC fraud |
Red Flags: How to Spot a Malicious QR Code
In Physical Locations
| Warning Sign | What to Look For |
|---|---|
| Sticker overlay | QR on a sticker placed on top of the original surface |
| Misaligned placement | Code positioned in an unusual spot |
| Inconsistent branding | Different font, colors, or logo than surrounding signage |
| Brand-new code on worn signage | Fresh pristine sticker on aged signage |
| Suspicious URL preview | Domain with typos, hyphens, random strings |
| Requests for unnecessary data | Asking for SSN, full card + CVV together |
| Urgent call-to-action | “Scan now or lose access” language |
In Emails
| Warning Sign | What to Look For |
|---|---|
| QR instead of a link | Legitimate companies rarely replace links with QR codes |
| External sender domain | Doesn’t match the company being impersonated |
| Urgency language | “Verify within 24 hours,” “Account will be suspended” |
| QR inside a PDF attachment | Major red flag legitimate services don’t do this |
| Unsolicited HR/IT/payroll theme | Benefits enrollment or MFA reset from unexpected senders |
| Generic salutation | “Dear User” instead of your actual name |
Industries Most Targeted by Quishing
| Industry | Risk Level | Primary Attack Goal |
|---|---|---|
| Energy | Critical (29% of malware QR emails) | Operational disruption, credential theft |
| Financial Services | Critical | Banking credentials, payment fraud |
| Healthcare | Critical | Patient data, ransomware |
| Technology | High | Intellectual property, SaaS access |
| Manufacturing | High | OT/ICS access, ransomware |
| Education | High (15,000+ daily phishing QR emails) | Staff/student credential theft |
| Retail | High (highest employee miss rate) | Customer payment data |
| Government / Defense | High | Espionage, classified data |
Immediate Response: If You’ve Already Scanned a Malicious QR Code
- Do NOT enter credentials or payment data; close the browser tab immediately.
- Disconnect from Wi-Fi and mobile data if you suspect malware may have been downloaded.
- Change your passwords for any impersonated accounts using a different, trusted device.
- Contact your bank if card details were entered; request an immediate card block.
- Revoke all active sessions (e.g., for Microsoft 365/Google: navigate to Account Security and sign out all devices).
- Run a mobile security scan using a reputable app like Malwarebytes, Bitdefender, or your device’s built-in security features.
- Report the incident to your national cybercrime authority.
| Country | Reporting Channel |
|---|---|
| United States | FBI IC3 at ic3.gov; FTC at reportfraud.ftc.gov |
| United Kingdom | Action Fraud at actionfraud.police.uk |
| India | cybercrime.gov.in or call 1930 |
| EU | ENISA or national CERT; local police |
| Australia | cyber.gov.au / ReportCyber portal |
What You Should Do
For Individual Users
- Preview the URL: Before tapping, always check the decoded URL displayed by your camera or scanner app. Look for typos, IP addresses instead of legitimate domain names, or suspicious subdomains.
- Avoid Unknown Sources: Never scan QR codes from unsolicited emails, texts, or WhatsApp messages.
- Physical Inspection: In public places, physically inspect QR codes for sticker overlays or signs of tampering before scanning.
- Use Official Apps: For services like parking, food ordering, or payments, use the vendor’s official mobile application instead of scanning a QR code.
- UPI Users (India): Remember, you should never need to scan a QR code to receive money. Any request to do so is a scam.
- Enable Phishing-Resistant MFA: Opt for FIDO2/passkeys. Standard SMS OTP can be bypassed by advanced AitM attacks.
- Keep Software Updated: Regularly update your phone’s operating system and applications to patch known vulnerabilities.
- Install Mobile Security: Utilize mobile security applications with QR scanning protection, such as Sophos Intercept X Mobile or Zimperium MTD.
For Organizations and IT Teams
| Control | Description |
|---|---|
| AI-powered email security with OCR | Deploy platforms equipped with image recognition capabilities that can decode QR codes embedded in email bodies AND PDF attachments. |
| Phishing-resistant MFA | Enforce FIDO2/hardware keys to effectively defeat AitM session token theft. |
| Conditional Access policies | Implement policies to block unmanaged devices from accessing sensitive corporate resources. |
| MDM / Mobile Device Management | Restrict QR scanning to approved applications on enrolled corporate devices. |
| Quishing-specific security training | Conduct targeted QR phishing simulations; this has been shown to improve detection rates by approximately 87% within three months. |
| DMARC / DKIM / SPF | Harden email authentication protocols to prevent sender spoofing and increase email trustworthiness. |
| Short session lifetimes | Configure sessions to expire quickly and utilize continuous session validation with device-bound tokens. |
| Zero Trust architecture | Implement a Zero Trust framework to continuously validate sessions based on device, location, and user behavior. |
| Physical QR code audits | Train staff to regularly inspect and test all QR codes present on company premises. |
| Incident response playbook | Develop and include specific steps for QR-related incidents, such as session revocation, credential resets, and device isolation. |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.