Table of contents
- The dark side of QR codes
- Speed and urgency: the hacker’s best friend
- Phishing evolves as email scams lose power
- The illusion of security and attempts to fix it
- A threat hiding in plain sight
The dark side of QR codes
QR codes started out as a novelty, a fun way to access museum content or restaurant menus. But their convenience has now become a cyber security nightmare. Found on everything from parking meters to plane tickets, these harmless-looking squares have become a favorite tool of cybercriminals.
Welcome to the world of quishing — phishing via QR code. It tricks users into scanning malicious codes that redirect them to fake websites or install malware on their devices.
Speed and urgency: the hacker’s best friend
The trick is shockingly simple: paste a fake QR code over a real one — on a parking meter, a bill, a flyer. In a hurry, people scan the code without thinking and unknowingly give up sensitive information.
A recent KeepNet Labs study found that 26% of malicious links are now shared through QR codes. NordVPN reports that 73% of Americans scan QR codes without checking, and over 26 million have already landed on scam sites.
Phishing evolves as email scams lose power
As traditional email phishing loses its bite due to stronger filters, scammers are turning to QR codes, which are harder to vet. Most people can’t read the destination URL in a QR — and that’s what makes it so dangerous.
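As an added illustration, not part of the original article, the following Python function applies the kind of checks a scanner app or a cautious user could run on the text decoded from a QR code before opening it: plain http, an '@' that hides the real host, raw IP addresses, punycode look-alikes, link shorteners, and a host that does not belong to the domain the sign claims. The shortener list and all domains and payloads are constructed for the example.

```python
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed list of common link shorteners; a real deployment would use its own threat data.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def vet_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Inspect the text a QR scanner decoded and return human-readable warnings.

    An empty list means nothing obviously wrong was found; it is not proof that
    the link is safe. expected_domain is the domain the sign or bill claims to
    belong to (e.g. the parking operator's site), if the user knows it.
    """
    findings: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, MECARD:, mailto: and similar payloads trigger actions, not page visits
        return [f"not a plain web link (scheme {scheme!r}); treat as an action, not a page"]
    if scheme == "http":
        findings.append("plain http: the page can be read or altered in transit")
    if "@" in parts.netloc:
        findings.append("'@' in the address: the real host is the part after the '@'")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host name in the link")
    elif _is_ip(host):
        findings.append("raw IP address instead of a domain name")
    else:
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            findings.append("internationalised label: possible look-alike domain")
        if host in SHORTENERS:
            findings.append("link shortener hides the final destination")
        if host.count(".") >= 4:
            findings.append("unusually deep subdomain chain")
        if expected_domain:
            exp = expected_domain.lower()
            # Only the exact domain or a true subdomain of it counts; a suffix match is not enough
            if host != exp and not host.endswith("." + exp):
                findings.append(f"host {host!r} is not {exp!r} or a subdomain of it")
                if exp in host:
                    findings.append("expected brand name embedded in a different domain (look-alike)")
    return findings
```

Calling `vet_qr_payload("http://city-parking.example.pay-now.example/meter", "city-parking.example")` flags plain http, the wrong domain, and the brand name embedded in a different domain.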
That danger has sparked warnings from the FTC, New York DOT, and Hawaii Electric, as well as a scramble by institutions like museums to secure their codes against tampering.
The illusion of security and attempts to fix it
The main problem? False confidence.
For example, iPhone users trust their device more and are therefore less likely to install antivirus software or check links. Adding a company logo to a QR code is not enough either: a logo is easy to copy, so it can itself be used to deceive.
Engineer Gaurav Sharma is working on a smart QR code (SDMQR) that can authenticate itself, but support from giants like Google and Microsoft would be needed to integrate it into existing systems.
A threat hiding in plain sight
What makes quishing especially dangerous is its invisibility. Anyone can slap a fake QR code over a real one — on a poster, flyer, or official document — and it looks legit. Once scanned, it can lead to malware downloads or data theft. QR codes have even been used in state-sponsored attacks to hack military personnel or spread remote access trojans (RATs) — stealth malware that lets attackers control devices without user consent.
Rob Lee of the SANS Institute explains it well: “QR codes weren’t built for security — they were built for ease of use. That’s what makes them so appealing to hackers.”