Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Foxit PDF Reader & Editor Patches 20 Critical RCE Flaws
July 9, 2026
AssuranceAmerica Data Breach Exposes 6.9 Million Driver’s Licenses and Personal Data
July 9, 2026
GitLab Patches 8 Critical Vulnerabilities in Community and Enterprise Editions
July 9, 2026
Home/CyberSecurity News/QR Code Phishing Attacks Steal Credentials and Deliver Malware
CyberSecurity News

QR Code Phishing Attacks Steal Credentials and Deliver Malware

Key Takeaways Cybercriminals are increasingly leveraging QR codes for phishing, a tactic dubbed “quishing,” which saw a fivefold increase in detections between August and November 2025....

Jennifer sherman
Jennifer sherman
July 9, 2026 11 Min Read
4 0

Key Takeaways

  • Cybercriminals are increasingly leveraging QR codes for phishing, a tactic dubbed “quishing,” which saw a fivefold increase in detections between August and November 2025.
  • Quishing attacks bypass traditional email security filters by embedding malicious URLs within image-based QR codes, making the payload invisible to text-based scanners.
  • Threat actors deploy malicious QR codes in both physical environments (e.g., parking meters, restaurant menus) and digital channels (email, PDF attachments), leading to credential theft, malware delivery, and even MFA bypass.
  • High-value targets, including executives and critical infrastructure sectors like energy and financial services, are disproportionately affected.
  • Effective defense requires a multi-layered approach, including AI-powered email security with optical character recognition (OCR), phishing-resistant MFA, and comprehensive user awareness training.

The Rise of “Quishing”: A New Frontier in Phishing Attacks

The ubiquitous QR code, a seemingly innocuous pixelated square used for everything from restaurant menus to payment processing, has emerged as a potent weapon in the arsenal of cybercriminals. This new wave of attack, dubbed “quishing” (QR + phishing), exploits the inherent trust and convenience associated with QR codes, allowing malicious links and malware to bypass sophisticated enterprise email security systems with alarming regularity.

Table Of Content

  • Key Takeaways
  • The Rise of “Quishing”: A New Frontier in Phishing Attacks
  • Understanding the Quishing Threat
  • How Malicious QR Codes Operate
  • The Scale of the Threat: Key Statistics
  • How the Attack Works: Step-by-Step
  • Real-World Attack Scenarios
  • Scenario 1: The Parking Meter QR Code Scam
  • Scenario 2: Mall / Restaurant / Retail QR Code Swap
  • Scenario 3: Email Quishing Bypassing Security Gateways
  • Scenario 4: QR Codes Delivering Mobile Malware
  • Scenario 5: AitM + QR Attack Bypassing MFA
  • Attack Techniques Used to Evade Detection
  • What Attackers Steal: The Full Payload Map
  • Red Flags: How to Spot a Malicious QR Code
  • In Physical Locations
  • In Emails
  • Industries Most Targeted by Quishing
  • Immediate Response: If You’ve Already Scanned a Malicious QR Code
  • What You Should Do
  • For Individual Users
  • For Organizations and IT Teams

Data indicates a dramatic surge in quishing incidents. Between August and November 2025, detections of malicious QR code phishing emails escalated fivefold, from 46,969 to 249,723 incidents. The first half of 2025 alone saw over 4.2 million QR code phishing threats identified. Microsoft reported over 15,000 daily QR-code-bearing phishing emails targeting the education sector, underscoring the widespread nature of this evolving threat.

Understanding the Quishing Threat

How Malicious QR Codes Operate

At its core, quishing involves embedding a malicious URL within a QR code image. When a user scans the code with their smartphone camera, the device decodes the hidden URL and automatically opens a fraudulent website in the browser. These spoofed sites are meticulously designed to mimic legitimate platforms, aiming to steal sensitive information such as credentials, payment card details, or to facilitate the download of malware.

A critical distinction of quishing lies in its evasion technique. Unlike traditional phishing links, where users can preview the URL by hovering over it, a QR code conceals its destination until after it has been scanned. The malicious payload, encased within an image, is entirely invisible to the human eye and, more importantly, unreadable by most conventional email security filters. Traditional gateways are engineered to scrutinize text, parse HTML, and evaluate embedded URLs. When faced with a QR code, these systems perceive only an image file (e.g., JPEG or PNG), fail to detect any suspicious links, and consequently deliver the message to the recipient’s inbox. This represents an architectural limitation, not a configuration flaw.

The effectiveness of this method is evident in user behavior statistics:

  • A significant 73% of users scan QR codes without first verifying the destination, as highlighted by Acronis research.
  • Only 36% of QR phishing incidents are accurately identified and reported by recipients.
  • The average time for a user to click on a phishing payload is a mere 21 seconds.

The Scale of the Threat: Key Statistics

The proliferation of quishing is supported by compelling data from various cybersecurity firms:

  • QR Phishing Emails (Aug–Nov 2025): Kaspersky observed a 5x surge, from 46,969 to 249,723 incidents.
  • Total QR Phishing Threats (Early 2025): Keepnet Labs identified over 4.2 million threats.
  • Year-over-Year Growth (2026): Microsoft reported a 146% increase in QR code phishing.
  • Share of Phishing Attacks (2025): QR codes constituted 12% of all phishing attacks, according to Keepnet / Linkcpa.
  • Mobile Targeting: 68% of QR attacks specifically target mobile users (Keepnet Labs).
  • Primary Goal: Approximately 89-90% of QR attacks aim for credential theft (Cofense / Keepnet).
  • Executive Targeting: Executives are targeted 40-42 times more frequently than average employees (Recorded Future).
  • Malicious Microsoft 365 Docs: Barracuda Networks found that 83% of malicious Microsoft 365 documents with QR codes.
  • Unique Malicious QR Codes (2025): ZenSec detected 1.7 million unique malicious QR codes in attachments.
  • Image-Based Phishing Increase (Into 2025): The Anti-Phishing Working Group (APWG) reported a 400% increase.
  • Users Scanning Without Verification: 73% (KnowBe4 / NordVPN).
  • Brands Targeted (Q2 2025): 1,642 brands were targeted by QR phishing (Mimecast / APWG).

How the Attack Works: Step-by-Step

Understanding the anatomy of a quishing attack is crucial for effective defense.

  1. Phase 1 – Preparation: Attackers generate a malicious QR code that links to a credential-harvesting site or a malware download. They then create a convincing, spoofed website that replicates a legitimate login page. Often, the malicious URL is routed through trusted redirect services to obscure its true destination.
  2. Phase 2 – Delivery: The malicious QR code is delivered to targets through various channels, including email (either embedded directly or within PDF attachments), physical stickers placed on public infrastructure like parking meters or restaurant tables, traditional postal mail, or popular messaging applications.
  3. Phase 3 – The Scan: A critical aspect of quishing is its ability to bypass corporate security perimeters. When a victim scans the QR code, they typically use their personal mobile phone. This action moves the interaction from a managed corporate desktop, protected by endpoint detection, web proxies, and DNS filtering, to an unmanaged personal smartphone lacking these crucial controls.
  4. Phase 4 – Theft: Upon scanning, the victim is directed to the malicious site where they are prompted to enter sensitive information, such as Microsoft 365 credentials, banking details, or credit card numbers. Alternatively, the site might trick them into downloading malware disguised as a legitimate application.
  5. Phase 5 – Post-Compromise: Following a successful compromise, attackers can gain unauthorized access to corporate email accounts, launch Business Email Compromise (BEC) attacks, sell stolen session tokens on dark web marketplaces, or deploy ransomware across the victim’s network.

Real-World Attack Scenarios

Scenario 1: The Parking Meter QR Code Scam

Scammers meticulously craft professional-looking QR code stickers and affix them directly over legitimate codes on public parking meters. These stickers are often laminated to appear official and designed to seamlessly blend with the meter’s existing design.

Impact: Drivers, believing they are using the official payment system, scan the fake code. This redirects them to a spoofed payment site (e.g., “poybyphone[.]com” instead of “paybyphone[.]com”). Victims then enter their name, vehicle details, and full payment card number, which is directly transmitted to the attacker.

Documented Cases: In Austin, Texas, dozens of city parking meters were targeted with fake QR code stickers, leading drivers to fraudulent payment sites and compromising credit card details. Similar campaigns have impacted ParkByPhone meters across multiple cities in the UK.

Red Flag: Always inspect QR codes on public infrastructure. Genuine codes are typically integrated into the panel design, not applied as an overlay sticker.

Scenario 2: Mall / Restaurant / Retail QR Code Swap

Attackers physically infiltrate retail environments to replace or overlay legitimate QR codes with their malicious versions. For instance, restaurant patrons scanning what they believe is a menu QR code might instead be directed to a fake coupon redemption page that requests payment card “verification.” Some variants trick users into downloading trojanized loyalty applications.

This tactic thrives on the user’s relaxed state within a trusted environment, where entering card details via a QR-linked page feels like a natural extension of an ongoing transaction.

Documented Case: One incident in 2025 involved fake QR code stickers placed over legitimate codes at 200 store locations, resulting in a 15% drop in legitimate scans and an estimated $2.3 million in damage control costs.

Scenario 3: Email Quishing Bypassing Security Gateways

This represents the predominant enterprise attack vector. Attackers embed QR codes within the body of phishing emails or inside attached PDF/DOCX files. The email’s subject line often impersonates critical internal departments like HR, IT, payroll, or compliance.

Common Subject Lines Observed:

  • “Action Required: Verify Your Microsoft Account”
  • “Your 2025 Benefits Enrollment Scan QR to Access”
  • “Payroll Update Confirm Details via QR”
  • “Invoice #[XXXX] Review and Approve”

Evasion Mechanism: The QR code, being an image file, is perceived by email gateways as a benign JPEG or PNG. Since no suspicious URLs are directly present in the text or HTML, the gateway marks the email as clean and delivers it. The victim then scans the code with their personal phone, entirely circumventing the corporate security perimeter.

Case Study (Sophos): A documented campaign utilized subject lines such as “2024 financial plans,” “benefits open enrollment,” and “dividend payout.” The QR codes were embedded within PDF attachments, a technique designed to defeat even advanced email gateway image scanning.

Case Study (Corporate Breach): A sustainability platform in South Asia experienced a full Microsoft 365 compromise after employees received a “bonus notification” email containing a malicious QR code. Scanning it led to a spoofed login page, resulting in credential theft. Post-compromise, attackers established invisible email forwarding rules to continuously exfiltrate communications.

Nation-State Example: The FBI issued an IC3 Flash Alert in January 2026, warning that North Korea’s Kimsuky APT group is employing malicious QR codes in spear-phishing campaigns. These campaigns target academics, government employees, think tanks, and defense contractors, redirecting victims to mobile-optimized credential-harvesting pages and collecting device fingerprint data.

Scenario 4: QR Codes Delivering Mobile Malware

Some quishing attacks directly leverage QR codes as a malware delivery mechanism. Scanning the code initiates the download of a malicious Android Package Kit (APK) disguised as a legitimate application, such as a logistics app, delivery tracker, utility payment app, or a security update for mobile devices.

Kimsuky Android RAT Campaign (Dec 2025 – Jan 2026): The Kimsuky APT group distributed trojanized Android APKs via QR codes hosted on phishing websites. These sites instructed users to “Open this page on your phone scan the QR code.” Upon installing the “app,” Kimsuky gained remote access to the device’s camera, microphone, contacts, and SMS messages, enabling extensive surveillance and data exfiltration.

Scenario 5: AitM + QR Attack Bypassing MFA

This sophisticated technique combines quishing with Adversary-in-the-Middle (AitM) attacks to defeat Multi-Factor Authentication (MFA) and bypass security operations centers entirely:

Step Action
1 Victim scans QR code in phishing email
2 Redirected to attacker’s reverse proxy server (between victim and real Microsoft/Google)
3 Victim enters real credentials forwarded live to the real server
4 Microsoft sends legitimate MFA push to the victim’s phone
5 Victim approves MFA, believing it’s a real login
6 Attacker captures the fully-authenticated session token including MFA
7 Attacker accesses the account without triggering MFA again

Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and EvilProxy now incorporate this capability, significantly lowering the technical barrier for attackers to execute such advanced exploits.

Attack Techniques Used to Evade Detection

Evasion Technique Description Bypass Goal
QR in PDF attachment QR code embedded inside a PDF, not the email body Defeats email body image scanning
ASCII-art QR codes QR rendered using ASCII/Unicode text characters Defeats image-based detection
“Fancy” QR with logos Brand logos embedded inside custom QR designs Disrupts pixel-pattern analysis
Blob URI redirects Malicious page rendered from browser-generated data object Avoids server-hosted URL reputation checks
Legitimate redirect chains Routes through Google, Bitly, Cloudflare before malicious page Passes URL blocklists
Split-image / multipart MIME QR split across fragments assembled by email client Defeats single-image scanning
Deep link / in-app URLs Opens inside Telegram; WeChat bypasses mobile browser Avoids mobile browser URL inspection
Dynamic QR codes Destination URL changes after gateway check Defeats time-of-scan analysis
CAPTCHA-gated landing pages Protected by Cloudflare Turnstile or reCAPTCHA Defeats automated sandbox analysis

What Attackers Steal: The Full Payload Map

Payload Category What Is Captured Typical Impact
Corporate Credentials Microsoft 365, Google Workspace, Okta, VPN logins Account takeover, data breach, ransomware
Payment Card Details Card number, CVV, expiry, billing address Financial fraud, card cloning
Banking Credentials Online banking username, password, PIN Direct fund transfers
Session Tokens / Cookies Authenticated session after MFA MFA bypass, persistent unauthorized access
PII Name, SSN/Aadhaar, address, date of birth Identity theft, credit fraud
UPI / Mobile Payment Data UPI PIN, transaction confirmation codes Unauthorized UPI transfers (India)
Mobile Device Access Camera, microphone, contacts, SMS (via APK) Espionage, OTP interception
Corporate Secrets Email contents, documents IP theft, BEC fraud

Red Flags: How to Spot a Malicious QR Code

In Physical Locations

Warning Sign What to Look For
Sticker overlay QR on a sticker placed on top of the original surface
Misaligned placement Code positioned in an unusual spot
Inconsistent branding Different font, colors, or logo than surrounding signage
Brand-new code on worn signage Fresh pristine sticker on aged signage
Suspicious URL preview Domain with typos, hyphens, random strings
Requests for unnecessary data Asking for SSN, full card + CVV together
Urgent call-to-action “Scan now or lose access” language

In Emails

Warning Sign What to Look For
QR instead of a link Legitimate companies rarely replace links with QR codes
External sender domain Doesn’t match the company being impersonated
Urgency language “Verify within 24 hours,” “Account will be suspended”
QR inside a PDF attachment Major red flag legitimate services don’t do this
Unsolicited HR/IT/payroll theme Benefits enrollment or MFA reset from unexpected senders
Generic salutation “Dear User” instead of your actual name

Industries Most Targeted by Quishing

Industry Risk Level Primary Attack Goal
Energy Critical (29% of malware QR emails) Operational disruption, credential theft
Financial Services Critical Banking credentials, payment fraud
Healthcare Critical Patient data, ransomware
Technology High Intellectual property, SaaS access
Manufacturing High OT/ICS access, ransomware
Education High (15,000+ daily phishing QR emails) Staff/student credential theft
Retail High (highest employee miss rate) Customer payment data
Government / Defense High Espionage, classified data

Immediate Response: If You’ve Already Scanned a Malicious QR Code

  1. Do NOT enter credentials or payment data; close the browser tab immediately.
  2. Disconnect from Wi-Fi and mobile data if you suspect malware may have been downloaded.
  3. Change your passwords for any impersonated accounts using a different, trusted device.
  4. Contact your bank if card details were entered; request an immediate card block.
  5. Revoke all active sessions (e.g., for Microsoft 365/Google: navigate to Account Security and sign out all devices).
  6. Run a mobile security scan using a reputable app like Malwarebytes, Bitdefender, or your device’s built-in security features.
  7. Report the incident to your national cybercrime authority.
Country Reporting Channel
United States FBI IC3 at ic3.gov; FTC at reportfraud.ftc.gov
United Kingdom Action Fraud at actionfraud.police.uk
India cybercrime.gov.in or call 1930
EU ENISA or national CERT; local police
Australia cyber.gov.au / ReportCyber portal

What You Should Do

For Individual Users

  • Preview the URL: Before tapping, always check the decoded URL displayed by your camera or scanner app. Look for typos, IP addresses instead of legitimate domain names, or suspicious subdomains.
  • Avoid Unknown Sources: Never scan QR codes from unsolicited emails, texts, or WhatsApp messages.
  • Physical Inspection: In public places, physically inspect QR codes for sticker overlays or signs of tampering before scanning.
  • Use Official Apps: For services like parking, food ordering, or payments, use the vendor’s official mobile application instead of scanning a QR code.
  • UPI Users (India): Remember, you should never need to scan a QR code to receive money. Any request to do so is a scam.
  • Enable Phishing-Resistant MFA: Opt for FIDO2/passkeys. Standard SMS OTP can be bypassed by advanced AitM attacks.
  • Keep Software Updated: Regularly update your phone’s operating system and applications to patch known vulnerabilities.
  • Install Mobile Security: Utilize mobile security applications with QR scanning protection, such as Sophos Intercept X Mobile or Zimperium MTD.

For Organizations and IT Teams

Control Description
AI-powered email security with OCR Deploy platforms equipped with image recognition capabilities that can decode QR codes embedded in email bodies AND PDF attachments.
Phishing-resistant MFA Enforce FIDO2/hardware keys to effectively defeat AitM session token theft.
Conditional Access policies Implement policies to block unmanaged devices from accessing sensitive corporate resources.
MDM / Mobile Device Management Restrict QR scanning to approved applications on enrolled corporate devices.
Quishing-specific security training Conduct targeted QR phishing simulations; this has been shown to improve detection rates by approximately 87% within three months.
DMARC / DKIM / SPF Harden email authentication protocols to prevent sender spoofing and increase email trustworthiness.
Short session lifetimes Configure sessions to expire quickly and utilize continuous session validation with device-bound tokens.
Zero Trust architecture Implement a Zero Trust framework to continuously validate sessions based on device, location, and user behavior.
Physical QR code audits Train staff to regularly inspect and test all QR codes present on company premises.
Incident response playbook Develop and include specific steps for QR-related incidents, such as session revocation, credential resets, and device isolation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCybersecurityExploitMalwarePatchphishingransomwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code

Next Post

HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code
July 9, 2026
AI Agents Vulnerable to Remote Code Execution Attacks
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us