QR code attacks are fast becoming a major cyber threat, targeting card details and delivering malware with increasing sophistication. In the past year, organisations have witnessed a dramatic surge in these attacks, which often bypass traditional security defences and exploit the trust users place in QR codes. This article examines recent QR code attack trends, how these threats work, and the scale of their impact.
QR Code Attacks: Anatomy of a Rising Threat
At the centre of this new threat category is the technique known as quishing—a blend of QR code technology and phishing tactics. Quishing attacks embed malicious URLs inside QR code images. When a user scans the code, their device automatically opens a hidden web address, typically leading to a fake website designed to steal credentials, card details, or install malware.
Unlike traditional phishing links in emails, QR codes show no visible sign of danger. The malicious payload is concealed within pixels, unreadable to the recipient and invisible to most email security tools. Attackers exploit this blindspot by distributing QR codes through emails, posters, or even physical locations such as restaurant tables or parking meters.
This approach is highly effective because:
- 73 percent of users scan QR codes without checking the destination first
- Only 36 percent of QR phishing incidents are accurately identified and reported
- The average time-to-click on a phishing payload is just 21 seconds
Traditional email security systems are not designed to scan QR code images for embedded URLs. They typically inspect text and HTML for suspicious links, but when a payload is encoded in the pixel matrix of an image (such as JPEG or PNG), the security gateway only sees a harmless image file. The result is that quishing emails often reach users’ inboxes without triggering any alerts.
Recent Spike in QR Code Phishing: Timeline and Impact
The scale and speed of QR code attacks have escalated sharply in recent months. Between August and November 2025, detections of malicious QR code phishing emails increased fivefold, jumping from 46,969 incidents in August to 249,723 in November. In the first half of 2025 alone, over 4.2 million QR code phishing threats were identified globally.
Microsoft reported that more than 15,000 phishing emails containing QR codes were sent daily to the education sector, highlighting the broadening scope of these attacks. Year-on-year data shows a 146 percent rise in QR code phishing attacks in 2026, according to Microsoft, with 12 percent of all phishing attempts now leveraging QR codes as the delivery mechanism.
The following table summarises key recent statistics:
- QR phishing emails (Aug–Nov 2025): 46,969 to 249,723 (5× surge) — Kaspersky
- QR phishing threats identified (early 2025): Over 4.2 million — Keepnet Labs
- QR code phishing surge (2026): +146 percent year-over-year — Microsoft
- Phishing attacks using QR codes (2025): 12 percent — Keepnet/Linkcpa
- Attacks targeting mobile users: 68 percent — Keepnet Labs
- QR attacks aimed at credential theft: 89–90 percent — Cofense/Keepnet
- Executives targeted vs. average employees: 40–42 times more frequently — Recorded Future
Most QR code attacks target mobile users, as phone cameras are the primary tool for scanning these codes. Around 89 to 90 percent of malicious QR campaigns focus on stealing user credentials, while others attempt to capture payment card details or install malware directly on devices. Executives and senior staff are particularly targeted—up to 42 times more than average employees—due to their access to sensitive business information.
How QR Code Attacks Bypass Security
The effectiveness of these attacks lies in their ability to evade traditional email security architecture. Most gateways are equipped to analyse embedded URLs in email text, but QR code images are largely ignored. Attackers encode phishing links within the image, so the gateway delivers the email as safe. When the recipient scans the code, they are often taken to a convincing fake login page for Microsoft 365, banking, or other high-value services.
These QR codes are distributed not only by email but also in physical environments—posters, menus, and payment terminals. This multi-channel approach increases the likelihood of a successful attack and makes it harder for security teams to monitor all possible entry points.
Why QR Code Attacks Matter for Organisations
The surge in QR code attacks represents a significant vulnerability for businesses, especially as most traditional defences do not detect or block these threats. The growing use of QR codes in everyday operations—from payments to login processes—means that attackers can reach both employees and customers with relative ease. The speed at which users scan and click, combined with low detection rates, increases the risk of credential theft and financial fraud.
What Organisations Should Do Now
Given the unique nature of QR code attacks, organisations should:
- Train users to verify the source and legitimacy of QR codes before scanning
- Consider deploying security tools that inspect images for embedded QR codes and analyse their destinations
- Implement stricter mobile and browser controls to reduce the risk of automatic opening of malicious links
By recognising QR code attacks as a distinct and growing threat vector, organisations can take targeted steps to close this emerging security blindspot.
Originally reported by cybersecuritynews.com.







