Tech

Is that QR code a trap? How to spot quishing scams before it’s too late

BlackJack3D/iStock/Getty Images Plus via Getty Images

Follow ZDNET: Add us as a favorite resource on Google.


Highlights taken by ZDNET

  • A QR code in your email or attachment could be a scam.
  • QR phishing bypasses MFA, resulting in data theft.
  • How quishing attacks work, and what you can do to stay safe.

Have you ever had a QR code in your inbox and curiosity got the best of you?

When we think about phishing and scams, many of the tricks are older than the ones we still encounter every day — emails claiming to have passed down a legacy from long-lost relatives; A ‘Facebook’ warning that our accounts will be suspended unless we respond immediately; fake lottery wins; and unsolicited requests from so-called investors willing to hand over millions of dollars to us.

Also: Mobile phishing is a bigger threat than email now

However, times are changing. Recruitment scams are becoming sophisticated enough to convince job seekers to participate; AI is used to humanize and improve phishing attempts and even automate entire attack chains; and now, an attack vector is emerging that leverages QR codes to bypass multi-factor authentication (MFA), steal our data, and steal our accounts.

Quishing: QR fraud is on the rise

Quishing, or QR code-based phishing, embeds malicious links in QR codes to bypass phishing filters and penetrate security nets. Lure is the same: create a sense of urgency, appeal to our greed, instill fear and panic, or promise rewards for scanning a QR code with our phones and clicking an embedded link to visit a page or online platform.

Also: Microsoft is going all in with a new AI-powered Windows security strategy

A QR code phishing scheme can take many forms. A fake message from your bank, an email congratulating you on winning the lottery, or an urgent message from your social media provider. Once you scan the code and click on the link, you may end up on a site designed to steal your data or compromise your account.

According to Hoxhunt’s 2026 Phishing Trends Report, basic email phishing messages are declining, but they are re-emerging as an attack vector hidden in scam email attachments, such as malicious PDFs.

Overall, QR code phishing attacks increased by 25% year-on-year. It’s not just digital spaces, either, as QR codes have also been seen in physical spaces, embedded in posters or written on fake business cards, according to the report.

How attackers evade MFA defenses

Hothunt’s research is supported by a June notice from the Google Trust & Safety team warning that traditional email attack vectors are being replaced by adversary-in-the-middle (AITM) and cloaking attacks.

Output pairs with AITM by hiding malicious links in a format that is difficult to read or detect with security filters. According to Google and Microsoft, here’s how it works: You receive an outgoing email, and curiosity entices you to scan the code. You are then sent to a linked website that appears to be the domain of a trusted service, such as a bank, financial services provider, or job forum.

Also: How to make a QR code for free

Then you submit your information, allowing an attacker to bypass existing multi-factor authentication (MFA) protections because you believe you’re logging in to a trusted website. They can then capture your password and session token, leading to data theft, account compromise, and more.

What makes this trick more dangerous than phishing, especially for businesses, is that victims use their phones to scan QR codes, bypassing network-based security nets, such as phishing detection.

The Microsoft Defender team has seen QR code-based cybercrime campaigns grow from 10% to 30% of total phishing campaigns in recent months.

How to avoid falling for QR code phishing

Since QR codes hide destinations, links, and content in an image-like format, we can’t see their contents or verify their origin easily — which is why blindly scanning and following a QR code is dangerous.

QR codes, especially unexpected ones, should be treated with the same suspicion as links sent by email or attachments. Because the format is different, the angle of phishing remains the same: to coerce or manipulate innocent curiosity and entice them to click and visit a malicious online resource. The only difference here is the delivery method — instead of a direct link or file, the victim uses a camera to scan.

Also: Best anti-malware software: Expert tested and reviewed

The best advice here is to stay alert. If you receive an email containing a QR code that appears to be from your bank, visit your bank’s official website in a separate tab or open your bank’s mobile app. Even if the message appears to be legitimate, for safety and security, you should not click on links, open attachments, or scan QR codes unless you are absolutely sure that the source is legitimate and the content of the message is safe.

Remember, too, that QR code threats aren’t limited to emails. See that QR code sticker plastered on a lamp post near your favorite store? Even portable QR code stickers can pose a serious threat to your privacy and security.



Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button