QR codes have become part of everyday life. Parking meters, restaurant menus, parcels, emails. A quick scan feels harmless. That is exactly why cybercriminals are increasingly abusing them.
This growing threat is known as quishing, short for QR code phishing. Instead of asking you to click a suspicious link, attackers persuade you to scan a code that quietly sends you somewhere you really did not intend to go.
At the start of January, the FBI issued a warning about a wave of attacks linked to North Korean cybercriminals who were using fake QR codes to harvest personal information. Security experts say this is not just a US problem. Similar attacks are now appearing across multiple countries, including the UK, as criminals look for new ways to make money.
The technique is simple but effective. Fake QR codes are placed over legitimate ones in public locations such as parking machines, cafés and kiosks. Scan the code and you are redirected to a convincing looking website that may ask for payment details or login credentials. Last year, UK government bodies warned motorists about QR stickers on parking meters that led victims to spoofed payment pages.
QR codes are also being used in email attacks. In one example highlighted by the FBI, a state sponsored group embedded malicious QR codes in emails to employees, presenting them as a way to download extra information. Scan first, think later. That is what the attackers are counting on.
According to cybersecurity experts at Planet VPN, the outcome is usually the same wherever the QR code appears. Once scanned, users are forwarded to a fake site designed to look genuine, whether that is a restaurant menu or a payment page. From there, credit card details, passwords or even full device access can be compromised.
Planet VPN co founder Konstantin Levinzon explains why QR codes are proving so effective. People tend to trust them. They became widespread during the pandemic and still do not trigger the same suspicion as a dodgy looking link. The risk feels lower because there is no visible URL to inspect, just a quick scan.
There is another reason attackers favour QR codes in emails. Many anti phishing systems analyse text and links but do not properly inspect images. A QR code can slip through where a traditional phishing email might be blocked. Even when detection improves, attackers adapt by changing colours or designs to evade filters.
The scale of the problem is significant. Cybersecurity researchers estimate that millions of QR related threats were recorded in just the first half of last year, and experts believe the real number is likely higher due to undetected scams.
So what should you do?
Be deliberate about scanning QR codes. Ask yourself why it is there and whether it makes sense. If a scan takes you to a site asking for payment or login details, treat that as a serious warning sign.
If a QR code arrives via email from someone you do not know, or even someone you do know but were not expecting to hear from, pause and verify it before entering any details or downloading anything.
Most importantly, apply the same common sense you would use elsewhere online. Stay sceptical. Use a VPN on public Wi Fi. Keep your devices updated. Use strong passwords and enable multi factor authentication wherever possible.
QR codes are convenient, but convenience is often what attackers exploit. A second of caution can save a great deal of hassle later.
