When QR Codes Become a Security Risk

A QR code is, fundamentally, data in a different format; in everyday use that data is almost always a URL. A person can't read it without scanning it, which creates an interesting problem: the moment between scanning and seeing where it leads is a window of uncertainty that attackers have learned to exploit.

What Quishing Is

"Quishing" (QR phishing) is a social engineering attack that uses QR codes instead of text links to redirect victims to malicious websites. It exploits a gap in many email security stacks: those tools scan text-based URLs for malicious content, but a URL encoded in an embedded image is invisible to a text-only URL scanner, so the message can reach the inbox unflagged. Some gateways now decode QR codes found in images, but the attack still works wherever that step is missing, and it has a second advantage: the victim usually scans the code with a personal phone, which moves the click off the managed laptop and away from the corporate web proxy and browser protections.

A quishing email might contain a message that appears to be from your bank, HR department, or delivery service, with a QR code that "needs to be scanned to verify your account." The QR code leads to a phishing page that mimics a legitimate site and harvests credentials.

The QR code is opaque in a way that a plain URL isn't. You can read a suspicious link. You cannot read a QR code without scanning it — which is the trust gap the attack exploits.

Physical QR Code Tampering

A different class of attack targets physical QR codes. Attackers have been caught placing sticker QR codes over legitimate ones in restaurants, parking meters, and public information points. The sticker matches the surrounding design closely enough that it isn't noticed — but the encoded URL redirects to an attacker-controlled site rather than the intended destination.

This attack is particularly effective in parking payment scenarios, where users are accustomed to scanning a code and providing payment details. Reports of fake QR codes on parking meters have been documented in multiple US cities.

How to Scan Safely

The key habit is previewing the URL before visiting it. Modern phone camera apps and QR scanner apps show the URL that the code contains before opening it. Check that the domain is exactly what you expect before proceeding: a code that claims to be from your bank should resolve to the bank's own registered domain, not a lookalike such as "b4nk-verify.com", and not the bank's name used as a subdomain or path on some other site ("bank.com.example.net" is served by example.net, whatever the first labels say). Two caveats: the preview shows the encoded URL, not where it finally lands, so a shortened or redirecting link hides the real destination and deserves the same suspicion as an unknown domain; and a code that encodes something other than a URL (Wi-Fi credentials, a contact card, an app deep link) calls for the same caution, because the scanner may act on it rather than just show it.

Be particularly cautious with QR codes that appear in unexpected emails, on loose stickers over existing signage, or in any context where you didn't seek out the code deliberately.
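As an added example, not code from the original article or from QRHub, the following Python check applies the "preview the URL, then verify the domain" habit to a decoded payload. It assumes the QR code has already been decoded to a string by the camera or scanner app (it does not decode images); the domain example-bank.com, the shortener list and the sample payloads are constructed for the illustration.

```python
"""Inspect the text decoded from a QR code before opening it.

Added example, not code from the original article or from QRHub. It assumes
you already have the decoded payload as a string (your camera app or a
scanner library gives you that); it does not decode images.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a short list of common link shorteners. A code that lands on
# one of these hides its real destination behind a redirect, so the preview
# tells you nothing about where you will end up.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host.

    Good enough for .com-style TLDs; a production check would consult the
    Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'safe': bool, 'host': str|None, 'reasons': [str, ...]}.

    'safe' is True only when the payload is an https URL whose registrable
    domain equals expected_domain (if given) and no other red flag fired.
    """
    reasons = []
    payload = payload.strip()

    # Not every QR code is a URL: Wi-Fi configs, vCards and plain text exist.
    # Those are not "opened", so there is no destination to judge here.
    if "://" not in payload:
        return {"safe": False, "host": None,
                "reasons": ["payload is not a URL (nothing to open)"]}

    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {scheme!r}")
    elif scheme == "http":
        reasons.append("plain http, no TLS")
    if not host:
        reasons.append("no host in URL")

    # 'https://bank.com@evil.net/' is served by evil.net; the part before the
    # '@' is userinfo, which lookalike URLs use to put a trusted name first.
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("host is a bare IP address")
    except ValueError:
        pass

    # Internationalised labels arrive as 'xn--...' and can render as a
    # homograph of a familiar name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homograph)")

    reg = registrable_domain(host) if host and not is_ip else ""
    if reg in SHORTENERS:
        reasons.append(f"link shortener {reg}: destination hidden")

    if expected_domain:
        # Exact match on the registrable domain. Both 'b4nk-verify.com' and
        # 'example-bank.com.evil.net' fail this; 'login.example-bank.com' passes.
        if reg != registrable_domain(expected_domain):
            reasons.append(f"domain {reg!r} is not {expected_domain.lower()!r}")

    return {"safe": not reasons, "host": host or None, "reasons": reasons}


# Constructed sample payloads (not real scans). 'example-bank.com' is a
# hypothetical bank domain used for the expected-domain check.
SAMPLES = [
    ("https://login.example-bank.com/verify", "example-bank.com"),
    ("https://b4nk-verify.com/verify", "example-bank.com"),
    ("https://example-bank.com.evil.net/verify", "example-bank.com"),
    ("https://example-bank.com@evil.net/verify", "example-bank.com"),
    ("https://bit.ly/3xyzabc", None),
    ("http://192.0.2.10/pay", None),
    ("WIFI:S:cafe;T:WPA;P:secret;;", None),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        verdict = inspect_payload(payload, expected)
        flag = "OK  " if verdict["safe"] else "STOP"
        print(f"{flag} {payload}")
        for reason in verdict["reasons"]:
            print(f"       - {reason}")
```

The design choice worth noting is the comparison on the registrable domain rather than on a substring: checking whether the expected name "appears in" the URL is exactly the mistake that "example-bank.com.evil.net" and "example-bank.com@evil.net" are built to exploit, so the check asks which domain actually serves the request and demands an exact match.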

Generate QR codes you trust at QRHub: transparent, free, no middlemen, no tracking of where your codes point.