QR codes: an underestimated attack vector
In January 2022, the FBI (Internet Crime Complaint Center - IC3) issued an official warning: cybercriminals are tampering with QR codes to redirect victims to malicious websites, steal their credentials, and install malware. This warning marks a turning point — QR codes, long considered harmless, have become a first-tier attack vector.
According to Abnormal Security (2023), QR code attacks (called "quishing") increased by 427% between 2022 and 2023. The BSI (German Federal Office for Information Security) confirmed this trend in its annual cybersecurity report. Why such an explosion? Because QR codes bypass traditional email defenses: a QR code in an email is an image, not a clickable link, and therefore escapes classic anti-phishing filters.
Types of QR code attacks
1. QRishing (QR Phishing)
QRishing combines QR codes with phishing. The attacker generates a QR code pointing to a site that mimics a legitimate service (bank, payment platform, cloud service). The victim scans the code, arrives at a visually identical fake site, and enters their credentials. According to Proofpoint (2023), 70% of users don't check the URL after scanning a QR code — compared to 35% for regular email links.
2. Physical overlay (QR code sticker attack)
The simplest and most effective attack: sticking a fake QR code over a legitimate one. In January 2022 in Austin, Texas, stickers with fake QR codes were placed on parking meters. Victims, believing they were paying for parking, were redirected to a phishing site that captured their credit card information. Over 100 parking meters were compromised before detection by Austin police.
Similar attacks have been reported on restaurant tables (replacing the menu QR code), advertising posters, and even electric vehicle charging stations in Germany and the UK.
3. Email quishing
Attackers send emails containing a QR code instead of the usual link. The classic pretext: "Your multi-factor authentication has expired — scan this QR code to renew it" or "Access your shared document." According to Cofense (2023), Microsoft 365 and SharePoint are the most impersonated services, representing 51% of observed quishing attacks.
Why QR codes are a cybersecurity blind spot
- Content opacity: unlike visible text links, QR code content is invisible to the naked eye. Users must scan to discover where the code leads.
- Trust conditioning: after the pandemic, users are conditioned to scan QR codes without hesitation in restaurants, transportation, and public venues.
- Mobile screen: on a smartphone, the address bar is small and often hidden. The destination URL is harder to verify than on a computer.
- Filter bypass: email security solutions analyze text URLs but don't systematically decode QR codes embedded in images.
Key threat statistics
- 427% increase in quishing attacks between 2022-2023 (Abnormal Security)
- 70% of users don't check the URL after scanning (Proofpoint)
- 51% of quishing attacks impersonate Microsoft 365 (Cofense)
- 22% of all phishing emails in Q4 2023 contained a QR code (Hoxhunt)
- 89% of quishing attacks target credential theft, 8% target malware downloads (Egress)
10 best practices for protection
For individual users
- Always verify the URL: after scanning a QR code, carefully examine the displayed URL before tapping. Look for typos, suspicious domains, or deceptive subdomains (e.g., microsoft-login.attacker.com).
- Use a scanner with preview: native iOS (from iOS 11) and Android (from Android 9) apps display the URL before opening the browser. Don't use unknown third-party scanner apps.
- Physically inspect the QR code: before scanning a QR code in a public place, check for stickers placed on top. Touch the QR code — an overlay is often raised.
- Never scan QR codes in emails: no legitimate company sends a QR code via email for password reset or MFA verification. This is a major red flag.
- Enable two-factor authentication: even if your credentials are stolen via quishing, MFA blocks access to your account.
For businesses
- Make your QR codes identifiable: point them at a recognizable, consistent domain that you control. A restaurant using "menu.myrestaurant.com" is more credible than "bit.ly/3xYz".
- Physically secure your QR codes: engrave or print directly on the surface (no stickers). Regularly verify that your QR codes haven't been covered.
- Train your employees: integrate quishing attacks into your cybersecurity awareness programs. Run simulated attacks to test vigilance.
- Deploy anti-quishing solutions: tools from Abnormal Security, Cofense, and Proofpoint now offer malicious QR code detection in emails.
- Use HTTPS consistently: every QR code destination URL must use HTTPS. An HTTP site after scanning is an alarm signal.
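As an added example (not code from the original article), the URL checks from the user and business lists above, turned into a triage function that runs over a payload a QR decoder has already extracted; the brand, shortener and trusted-domain lists and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlparse

# Brands often impersonated in quishing (the article cites Microsoft 365 and
# SharePoint); constructed list, extend it to the services you actually use.
IMPERSONATED_BRANDS = ("microsoft", "sharepoint", "office", "paypal")
# Shorteners hide the real destination; treat them as opaque (constructed list).
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")
# Domains your organisation legitimately uses (constructed sample values).
TRUSTED_DOMAINS = ("microsoft.com", "sharepoint.com", "myrestaurant.com")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. attacker.com. Deliberately naive:
    no public-suffix list, so use a proper library for co.uk-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_qr_url(payload: str) -> list[str]:
    """Return risk findings for a decoded QR payload; [] means nothing found.
    Mirrors the checks the article asks users to do by eye: scheme, brand
    name on an unrelated domain, shortener, credentials smuggled in userinfo."""
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        # Wi-Fi, vCard, SMS and other non-web payloads need their own review.
        return [f"non-web payload ({url.scheme or 'no scheme'})"]
    findings = []
    if url.scheme == "http":
        findings.append("plain HTTP destination")
    domain = registrable_domain(url.hostname or "")
    if domain in SHORTENERS:
        findings.append("URL shortener hides destination")
    if domain not in TRUSTED_DOMAINS:
        # microsoft-login.attacker.com style: a brand name anywhere in the
        # host/userinfo part or the path, on a domain that is not the brand's.
        haystack = (url.netloc + url.path).lower()
        for brand in IMPERSONATED_BRANDS:
            if brand in haystack:
                findings.append(f"'{brand}' used on untrusted domain {domain}")
                break
    if url.username or url.password:
        findings.append("credentials embedded in URL (userinfo)")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them over.
    for sample in ("https://microsoft-login.attacker.com/auth",
                   "http://bit.ly/3xYz", "https://menu.myrestaurant.com/today"):
        print(sample, "->", triage_qr_url(sample) or ["no findings"])
```

The findings are meant to feed a warning shown before the browser opens, or a mail-gateway rule once the gateway decodes QR images; the naive domain split is the first thing to replace in production.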
The future of QR code security
Several solutions are emerging to strengthen QR code security: digitally signed QR codes using standards like Denso Wave's SQRC, AI-based detection algorithms being developed by Google and Apple for mobile operating systems, and security framework proposals for public QR code deployment. By adopting the best practices described in this article, both users and businesses can enjoy the convenience of QR codes while minimizing risks.