QR Code Phishing: How to Protect Your Business

Is your business using QR codes without knowing which ones have been tampered with? QR code phishing – commonly called “quishing” – turns an everyday convenience into a credential-stealing trap, and traditional security filters often miss it entirely. This guide covers how these attacks work, what they cost businesses, and the specific controls you can put in place to stop them.

How QR Code Phishing Works

QR code phishing exploits a fundamental weakness: QR codes are not human-readable. With a traditional URL, a trained eye can often catch a spoofed domain or suspicious string. A QR code conceals all of that. As Alex Mosher, global vice president at MobileIron, explains:

“QR codes inherently conceal their destination. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective.”

Attackers embed malicious URLs inside QR codes that redirect victims to fake login pages designed to harvest credentials, or to sites that trigger malware downloads. Compounding the problem, many email security systems cannot decode QR code images – they see a picture, not a link – so the payload slips through filters that would catch a plain phishing URL.

In 2023, QR code phishing accounted for 22% of all phishing attacks. One large-scale quishing campaign grew by 2,400% in a matter of months, and analysis of a corporate-targeted operation found that roughly 29% of malicious emails contained QR codes.

Where Attackers Plant Malicious QR Codes

Email and document attacks are the most common delivery method. Attackers embed QR codes inside PDF or Word attachments to bypass email security filters. In 2023, 82% of quishing attacks impersonated trusted brands – Microsoft was targeted in 51% of observed cases, followed by DocuSign at 31% and Adobe at 15%. Between mid-2024 and late 2024, researchers uncovered over 500,000 phishing emails containing QR codes embedded in PDFs.

Physical tampering is equally dangerous. Attackers place fraudulent QR code stickers over legitimate codes in high-traffic locations – restaurants, parking meters, airports, and retail spaces. In San Francisco, criminals placed counterfeit QR codes on parking tickets that directed users to a fake transit page designed to steal credit card details. The Social Security Administration specifically warns that legitimate QR codes on official signage are typically not stickers; a code applied as a sticker should be treated as suspicious.

Social engineering lures complete the picture. Victims are prompted to scan a QR code to claim a discount, connect to free Wi-Fi, or complete a survey. In one documented case in Singapore, a woman scanned a code at a bubble tea shop expecting a loyalty reward. Instead, a malicious app was downloaded to her phone, and attackers drained $2,000 from her bank account.

What These Attacks Cost Businesses

Credential and Data Theft

Nearly 90% of quishing attacks are designed specifically to steal login credentials and sensitive data. Attackers redirect victims to convincing replicas of Microsoft 365, SharePoint, or banking portals. Executives are disproportionately targeted because their credentials unlock critical systems and privileged data.

Personal devices make this worse. When employees scan QR codes on phones not enrolled in enterprise management, IT teams have no visibility into what happened or what was accessed.

Financial Losses

The average cost of a data breach reached $4.45 million in 2023, with Business Email Compromise scams averaging $4.89 million – before factoring in regulatory fines and legal expenses. Direct phishing losses surged 76% year-over-year. Individual incidents illustrate the scale: a UK railway station scam left one victim £13,000 in debt; a Calgary family lost $10,000 to a Facebook Marketplace QR code scam.

Small businesses absorb a disproportionate share of the damage. In the UK, small enterprises face an estimated 65,000 cyberattacks daily, with the average cost of resolving a successful attack around $33,700.

Operational Disruption and Reputational Damage

Stolen credentials frequently serve as the entry point for ransomware deployment. In 2023, organizations spent an average of $1.82 million recovering from ransomware incidents. Construction and engineering firms face QR code attack risk 19.2 times higher than average; professional services firms face a risk 18.5 times higher.

Beyond operational downtime, businesses face customer churn, higher cybersecurity insurance premiums, and regulatory scrutiny when customer data is exposed. Rebuilding trust after a breach takes far longer than resolving the technical incident itself.

How to Prevent QR Code Phishing: A Layered Approach

No single control eliminates quishing. The consistent recommendation from security researchers, federal agencies, and enterprise security teams is a layered defense combining email filtering, identity controls, endpoint protection, employee training, and reporting workflows.

Email Security Controls

Configure email security systems with capabilities that go beyond standard link scanning. Effective controls include:

• OCR-capable filtering that decodes QR code images within emails and analyzes the embedded URL against threat intelligence
• Anti-phishing policies tuned to flag image-based payloads, especially QR codes embedded in PDF or Office document attachments
• Strict spam gateway rules that treat unsolicited QR codes in email as high-risk by default

For Microsoft 365 environments specifically, Microsoft Defender for Office 365 includes QR code image decoding to surface embedded URLs for reputation checking and Safe Links evaluation.

Identity and Access Controls

Stolen credentials are only useful if they can be used. Layered identity controls reduce that risk significantly:

• Multi-factor authentication (MFA) across all accounts, with stronger authentication requirements for high-privilege users and executives
• Phishing-resistant MFA methods such as hardware security keys or passkeys, which are tied to the legitimate domain and cannot be intercepted by a fraudulent site
• Blocking legacy authentication protocols that do not support MFA, eliminating a common bypass route
• Conditional access policies that flag or block sign-in attempts from unmanaged devices

For deeper context on how QR codes intersect with authentication workflows, see kuidas QR-koodid lihtsustavad mitmefaktorilist autentimist.

Endpoint and Device Protection

Managed devices with up-to-date endpoint security provide a critical safety net:

• Deploy endpoint detection and response (EDR) on all managed devices
• Enable browser reputation checks (such as Microsoft SmartScreen) that warn users before they reach a known phishing domain
• Apply Mobile Device Management (MDM) policies that enforce security baselines on phones used to scan QR codes for work
• Restrict downloads from unmanaged devices on corporate networks

The FTC advises keeping device operating systems current and using strong, unique passwords across accounts as foundational hygiene that reduces the impact of any successful phishing attempt.

Employee Training and Awareness

Your employees are the most direct line of defense against quishing, and training must be explicit – general phishing awareness does not automatically transfer to QR code threats.

Effective training programs cover:

• Why QR codes are dangerous: the destination is hidden until after the scan
• Red flags in emails containing QR codes: urgency, generic greetings, unsolicited messages from known brands, and requests for login credentials
• Physical tampering signs: codes applied as stickers over printed materials, codes on unofficial signage
• Verification habits: if a QR code arrives in an unexpected email, contact the sender through a known phone number or official website rather than scanning the code
• URL inspection: after scanning, check the URL in the browser bar before entering any credentials – look for misspellings, switched letters, or unfamiliar domains

The U.S. Department of Health and Human Services recommends training end users to maintain a healthy degree of skepticism and recognize indicators such as suspicious sender addresses, spoofed links, and improper grammar – all of which appear in QR-based phishing campaigns just as in text-based ones.

Run simulated quishing exercises alongside standard phishing simulations. Target high-risk groups – executives, finance teams, and anyone with administrative privileges – with more frequent and realistic scenarios.

For a broader view of QR code security best practices in cyber defense, including encryption and authentication pairing, that guide covers the technical controls in more depth.

Reporting and Incident Response

Employees need a clear, low-friction way to report suspicious QR codes – both in email and in physical spaces. A report-phish button in email clients removes friction for digital reports. For physical codes, provide guidance on how to flag and photograph suspicious stickers or tampered materials.

Your incident response plan should specifically address quishing scenarios with defined steps:

• Isolate any account that may have submitted credentials through a malicious QR code
• Revoke active sessions and reset passwords immediately
• Check for unauthorized access or data movement in the window between the scan and the response
• Notify affected individuals according to your breach notification policy
• Conduct a post-incident review to identify how the QR code bypassed existing controls

Run penetration testing that includes quishing scenarios to find gaps before attackers do.

QR Codes Your Business Deploys: Securing Your Own Codes

Preventing quishing also means ensuring the QR codes your business publishes cannot be weaponized against your customers or employees.

Use dynamic QR codes instead of static ones. Static codes permanently encode a destination URL. If that destination is ever compromised, the code becomes a liability you cannot fix without reprinting. Dünaamilised QR-koodid point to a short redirect URL that you control – you can update the destination, redirect to a new page, or disable the code entirely from a management dashboard without touching the printed material.

Keep Your Published QR Codes Under Control If you suspect one of your deployed codes has been tampered with or is pointing somewhere unsafe, you can update or disable it instantly. Use the Dünaamilise QR-koodi generaatoriga to manage all your codes from a centralized dashboard with real-time scan analytics.

Apply consistent branding to your codes. Seventy-one percent of people cannot reliably distinguish a fake QR code from a legitimate one. Branded QR codes – with your logo, company colors, and a custom domain in the destination URL – give users a visual signal that the code is authentic. Generic black-and-white QR codes with opaque short URLs provide no such assurance.

Monitor scan analytics for anomalies. Dynamic QR codes collect scan data including timestamps, device types, and geographic locations. A sudden spike in scans from unexpected regions, or scan activity outside normal business hours, can indicate that one of your codes has been copied and redistributed maliciously. Pageloot’s analytics dashboard surfaces these patterns so you can investigate and respond quickly.

For a detailed look at what scan data your codes collect and how to interpret it responsibly, see understanding what data your dynamic QR codes track.

Conduct regular physical audits. For any QR codes displayed in public or semi-public spaces – restaurant tables, event signage, vehicle displays, or retail windows – physically inspect codes on a regular schedule. Look for stickers placed over the original code and test each code’s destination before customers encounter it.

Use HTTPS destinations exclusively. Every URL your QR codes link to should use HTTPS. Sending users to an unencrypted HTTP destination undermines trust and exposes data in transit.

For additional guidance on QR-koodi privaatsusriskid ja kuidas neid vältida, including how to balance analytics with user privacy, that resource covers the data considerations businesses often overlook.

Evaluating Detection Tools

Employee training and platform controls address a significant portion of the risk, but dedicated detection tools add another layer – particularly for organizations with high email volume or complex QR code deployments. If you are evaluating options, tools designed to detect QR code phishing range from enterprise behavioral analytics platforms to email gateway add-ons and mobile scanning apps with built-in reputation checks.

The right combination depends on your existing security stack, the volume of QR codes you receive versus deploy, and whether physical tampering is a significant concern for your locations. Quishing is not a hypothetical threat. It accounts for a meaningful share of real-world phishing activity, bypasses controls most organizations already have in place, and disproportionately targets the businesses and users least equipped to recognize it. Closing the gap requires deliberate action across email security, identity controls, employee training, and the QR codes you publish yourself.

Start with the controls you can implement immediately – MFA, employee awareness, and switching your published codes to dynamic management – then build toward the layered defense that makes quishing attacks consistently unsuccessful against your organization.

Korduma Kippuvad Küsimused