Cofense - Security Awareness Training & Email Threat Detection

QR Code Phishing: What You Need To Know

QR codes have become a ubiquitous part of our daily lives, seamlessly connecting us to restaurant menus, websites and apps with a simple scan from our phones. However, as reliance on QR codes grows, so does their exploitation by attackers. Welcome to the rising threat of QR code phishing.

QR code phishing is a cyber menace that has been steadily gaining popularity. In fact, it has been reported that one QR phishing campaign increased by 2,400% since May 2023. 

By the end of this article, you’ll be well-equipped to recognize and defend yourself against QR code phishing attempts. 

What is a QR Code? 

A QR code, short for Quick Response code, is a two-dimensional code that can store data such as messages, URLs, and contact information. These codes act just like a barcode at the grocery store, but instead of just vertical lines, they use small squares to form a pattern.

QR Code Example


What is a QR Code Used For? 

QR codes are now commonly used in various industries including marketing, hospitality, and retail because they are easy to scan and read using smartphones or other digital devices.

When a user scans the code with a QR code scanner app or camera, the data stored in the code is immediately accessed.

QR codes have revolutionized the way users interact with technology, by providing a simple but powerful tool for accessing information on the go. 

What is QR Code Phishing? 

QR code phishing is a relatively new form of cyber-attack that is gaining popularity among cybercriminals. This type of phishing attempt starts when the attacker creates a QR code that, when scanned, leads the victim to a malicious website where their login credentials or personal information can be stolen.

These codes can be sent through email, SMS, or even printed and left in public places for an unsuspecting scan. With the rise of mobile usage and the widespread adoption of QR codes, cybercriminals are leveraging this technology to their advantage.  

“The firm also points out that, while QR scanners and image recognition systems may automatically identify malicious QR codes, it is also important to educate employees to avoid scanning such codes in emails.”

It is crucial for individuals and businesses to be aware of this emerging threat. Educating employees about the risks of QR code phishing and implementing security measures such as two-factor authentication can help prevent these attacks from being successful. 

A Real Life QR Code Phishing Nightmare 

Since May 2023, Cofense has uncovered a concerning rise in QR code phishing campaigns that specifically target Microsoft credentials across various industries. One energy company based in the US received approximately 29% of the 1000+ malicious emails containing QR codes.


Real life phishing QR code

But that’s not the only industry. The following industries have also fallen victim to this campaign traffic. 

  • Manufacturing at 15% 
  • Insurance at 9% 
  • Technology at 7% 
  • Financial Services at 6% 

These wicked QR codes predominantly use Bing redirect URLs, but occasionally, they exploit other domains like Salesforce applications and Cloudflare’s Web3 services.  

Concealing the phishing link within the QR image gives it a higher likelihood of evading email filters and reaching the recipient’s inbox. The QR image is then embedded within a PNG image or PDF attachment, adding another layer of deception.
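
Once a filter or analyst has decoded a QR image, the URL inside still has to be judged, and the redirect pattern described above is what to look for. The following Python is an added example, not Cofense code; the function names, the trusted-host list, the `redirector.example` watchlist entry (a stand-in for the redirect services named above) and the sample URL are assumptions constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

def _host_in(host, suffixes):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _embedded_urls(query):
    """Yield URLs carried in query values, as plain text or base64."""
    for _, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            yield value
        idx = value.find("aHR0c")  # base64 of "http..." always begins this way
        if idx == -1:
            continue
        blob = value[idx:]
        try:
            raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", "ignore")
        if text.startswith(("http://", "https://")):
            yield text

def assess_qr_url(payload, trusted_hosts, redirectors):
    """Return a list of findings for a string decoded from a QR image."""
    parts = urlsplit(payload.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]
    findings = []
    if not _host_in(host, trusted_hosts):
        findings.append("untrusted-host:" + host)
    if _host_in(host, redirectors):
        findings.append("redirector:" + host)
    for url in _embedded_urls(parts.query):
        dest = urlsplit(url).hostname or "?"
        if not _host_in(dest, trusted_hosts):
            findings.append("hidden-destination:" + dest)
    return findings

# Constructed sample data (assumptions, not indicators from the article).
TRUSTED = ("login.microsoftonline.com",)   # hosts the organisation expects
REDIRECTORS = ("redirector.example",)      # placeholder watchlist entry
_DEST = "https://login.contoso-verify.example/signin"
SAMPLE = ("https://r.redirector.example/go?u=a1"
          + base64.urlsafe_b64encode(_DEST.encode()).decode().rstrip("="))
```

Calling `assess_qr_url(SAMPLE, TRUSTED, REDIRECTORS)` reports the redirector host and the destination hidden in the `u` parameter; an empty list means no finding was raised.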

How QR Code Phishing Works 

This sophisticated type of cyber-attack works by tricking users into scanning a QR code that leads them to a fake website that looks identical to a legitimate one. Here’s how hackers then fool you into scanning the code and entering your sensitive information.

  1. Scammers attach malicious QR codes to emails, advertisements or signs. 
  2. When scanned, the QR codes take the victim to a fraudulent website.
  3. Once on the fake website, victims are asked to enter their username, password or any other sensitive information. 
  4. Hackers then harvest the entered data to carry out credential theft or other criminal activities. 

The technology behind QR code phishing isn’t too complex, but it is effective.  

Unfortunately, once scammers gain access to personal information, victims face significant damage to their finances and social security. 

Common QR Code Phishing Scenarios 

Attackers rely on psychological tactics such as urgency, excitement or curiosity to convince the victim to scan the malicious QR code.

The most common scenarios of QR code phishing include fake payment schemes that trick users into transferring money to fraudulent accounts, malicious redirects that send users to phishing websites, and social engineering attacks that manipulate users into disclosing sensitive information. 

How to Recognize QR Code Phishing 

Knowing how to recognize the warning signs of suspicious QR codes can be critical in protecting your personal information. 

It’s essential to check the URL a QR code points to before opening it, to ensure its legitimacy.

To identify a malicious QR code, look out for the following signs:  

  • Poor image quality 
  • Unrecognizable URL 
  • Shady website 

Malicious QR codes might also prompt you to download an app or enter personal information. If you do suspect that a QR code is fraudulent, do not scan it. Instead, report it to law enforcement or contact site administrators. 

Keeping your devices updated and secure is crucial as well. 

How to Protect Yourself from Malicious QR Codes 

To protect yourself from QR code phishing attacks, it’s important to be aware of how they work and take measures to ensure you’re safely scanning codes with your mobile device.

  • Always make sure that you know where a code is coming from before scanning it. Look for signs that it may be malicious such as typos, misspellings, or suspicious URLs.  
  • Enroll in QR Code specific security awareness training to familiarize yourself with the risks and how to avoid them. 
  • Use reliable QR code scanning apps and enable two-factor authentication. 
  • Make sure your device has up-to-date anti-virus software installed.
  • Never give out any personal information unless you are absolutely certain that the website or page you are accessing is legitimate. 

Stay safe and secure by implementing these measures and always erring on the side of caution when scanning QR codes.

QR Code Phishing Email Infographic from Cofense


In conclusion, QR Code phishing can have devastating consequences if you’re not adequately prepared. 

Taking steps to protect yourself from cyber threats is the best way to reduce the risk of an attack. With Cofense’s SAT Training, we arm users with the latest in QR code-specific anti-phishing training techniques.

While no security measure is foolproof, taking proactive steps can dramatically reduce the risks associated with this kind of fraudulent activity. Let’s work together to spread awareness of these tactics.
