The Fundamental Problem with QR Codes
A QR code is a machine-readable matrix of black and white squares. It encodes data, usually a URL. And that's exactly the problem: you can't read what's inside a QR code just by looking at it.
With a regular text link, you can at least glance at the URL before clicking. You might notice something off. A misspelled domain. A suspicious subdomain. A weird path. But a QR code? It's a black box. You scan it, and your phone opens whatever URL is encoded. You're trusting the code blindly.
There is no visual difference between a QR code that leads to your bank's website and one that leads to a phishing page designed to steal your credentials. None. They both look like a random pattern of squares.
This isn't a theoretical concern. Criminals figured this out years ago. The attacks are real, they're growing fast, and they're getting more sophisticated every month.
Quishing: QR Code Phishing Attacks
"Quishing" is the term security researchers use for QR code phishing. The concept is simple: replace a legitimate QR code with a malicious one, or create a new QR code that directs victims to a fake website. The attack works because people trust QR codes. They scan without thinking.
The FBI Warning (January 2022)
On January 18, 2022, the FBI's Internet Crime Complaint Center (IC3) issued a public service announcement (PSA I-011822-PSA) warning Americans about criminals tampering with QR codes. The FBI specifically cautioned that criminals are redirecting victims to malicious sites designed to steal login credentials and financial information.
That PSA wasn't hypothetical. It was a response to real attacks already happening across the United States.
Parking Meter Scams in Texas
In January 2022, police in Austin, Texas discovered fraudulent QR code stickers placed on public parking meters. The stickers directed drivers to a fake payment website that collected credit card numbers. Similar stickers were found in San Antonio and Houston.
Think about the simplicity of this attack. Someone printed stickers, walked around downtown, and stuck them on parking meters. Drivers who scanned the codes thought they were paying for parking. Instead, they handed their credit card details to criminals.
Parking meters are public infrastructure. People trust them. Nobody examines a QR code on a parking meter and wonders if it's fake. That trust is exactly what criminals exploit.
Fake EV Charging Station QR Codes (UK, 2023)
In the UK during 2023, criminals placed fake QR code stickers over legitimate payment codes at electric vehicle charging stations. Drivers who scanned the stickers were directed to fraudulent payment pages. They entered their card details thinking they were paying for electricity. They were paying criminals.
The pattern is identical to the parking meter attacks. Public infrastructure, QR codes for payment, a sticker over the real code. Simple, cheap, effective.
QR Phishing Emails Are Exploding
Physical sticker attacks require someone to show up in person. Email attacks scale infinitely. And that's where things get really dangerous.
HP Wolf Security reported a sharp increase in phishing emails containing QR codes. The reason is clever: most email security systems scan URLs in the email body to detect phishing links. But when a URL is encoded inside a QR code image, text-based scanners miss it completely. The malicious link is hidden inside a picture. Email filters see an image, not a URL.
Hoxhunt reported a 587% increase in QR phishing attacks between August and September 2023. That isn't a gradual trend. It's an explosion. Attackers realized that QR codes in emails bypass security filters, and they scaled their operations fast.
These emails typically impersonate trusted services: your bank, Microsoft 365, a shipping company, HR departments. They contain a QR code and a message urging you to "scan to verify your account" or "scan to track your package." The QR code leads to a convincing fake login page.
How QR Code Attacks Work
Understanding the specific attack methods helps you spot them. Here are the five main types:
Sticker Overlay
A malicious QR code sticker placed over a legitimate one. Used on parking meters, restaurant menus, posters, charging stations, and any public QR code.
Email QR Phishing
QR codes embedded as images in phishing emails. Bypasses text-based URL scanning. Often impersonates banks, IT departments, or delivery services.
Malware Download
QR code leads to a page that prompts you to download an app or file. The download contains malware: keyloggers, ransomware, or spyware.
Credential Harvesting
QR code directs to a fake login page for a service you use (email, banking, social media). You enter your password. Criminals collect it.
Payment Fraud
QR code initiates a payment to the attacker's account. Common with mobile payment systems where QR codes are the standard way to pay.
What makes these attacks effective isn't technical sophistication. It's that people don't expect a QR code to be dangerous. We've been trained to "just scan it." That reflexive trust is the vulnerability.
How to Protect Yourself
The good news: protecting yourself doesn't require technical expertise. It requires a small change in behavior. Treat QR codes with the same suspicion you'd give an unknown email link.
Always check the URL preview before opening it. Most modern smartphones (both iOS and Android) show you the URL that a QR code encodes before you actually visit it. Read it. Every time.
Your Personal Safety Checklist
- Check the URL preview on your phone. After scanning, your phone should display the URL before navigating. Look at the domain. Is it what you expected? If you scanned a code at a bank, the URL should be the bank's actual domain, not something like bank-secure-login.xyz.
- Don't scan QR codes from untrusted sources. A random flyer on a lamppost, a sticker on a wall, a QR code in an unsolicited email: treat these with suspicion. If you don't know who put the code there, don't scan it.
- Look for physical tampering. Before scanning a QR code on a physical surface, check if it's a sticker placed over another code. Feel the surface. Look at the edges. If it looks like a sticker was placed on top of something else, don't scan it.
- Use a scanner app that previews the URL. Your phone's built-in camera usually shows a URL preview. Some third-party scanner apps also check URLs against known phishing databases. Consider using one.
- Never enter credentials on a QR-reached page without verifying the domain. If a QR code takes you to a login page, stop. Check the URL bar. Is it the real domain? Is it HTTPS? If you're unsure, close the page and navigate to the site directly by typing the URL yourself.
- Be especially careful with payment pages. If a QR code takes you to a page asking for credit card information, verify the domain before entering anything. Better yet, navigate to the payment site directly rather than through the QR code.
Watch for these signs after scanning a QR code: the URL looks strange or has many subdomains, you're immediately asked for a password or payment, the page has spelling errors or looks slightly off, or you're prompted to download something you didn't expect.
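To make the checklist above concrete, here is an added Python example (not code from the original post) that applies the same checks to a URL decoded from a QR code: HTTPS, expected domain, a brand word showing up on a foreign domain (bank-secure-login.xyz), too many subdomains, public URL shorteners, and an "@" in the authority that hides the real host. The shortener list and all domain names are constructed for illustration, and the registrable-domain helper assumes a plain two-label TLD.

```python
from urllib.parse import urlsplit

# Constructed, illustrative list of public shortener domains (not exhaustive).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "randomshortener.io"}

def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'example.co.uk' style TLDs
    would need a real PSL in production code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def triage_qr_url(url: str, expected_domain: str) -> list:
    """Apply the scan checklist to a decoded QR payload.
    Returns a list of warnings; an empty list means nothing looked off."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS (scheme %r)" % (parts.scheme or "none"))
    if not host:
        findings.append("no host in URL")
        return findings
    expected = registrable_domain(expected_domain)
    actual = registrable_domain(host)
    if actual != expected:
        findings.append("domain %r is not the expected %r" % (actual, expected))
        # Lookalike check: the brand word (first label of the expected domain)
        # appears inside a foreign host, e.g. bank-secure-login.xyz or
        # bank.example.evil.xyz.
        brand = expected.split(".")[0]
        if len(brand) >= 3 and brand in host:
            findings.append("lookalike: brand word %r on a foreign domain" % brand)
    # Heuristic: five or more labels is unusual for a customer-facing URL.
    if host.count(".") >= 4:
        findings.append("many subdomains (%d labels)" % (host.count(".") + 1))
    if actual in SHORTENER_DOMAINS:
        findings.append("URL shortener hides the final destination")
    if "@" in parts.netloc:
        findings.append("userinfo '@' in the authority can disguise the real host")
    return findings
```

A clean result is only a necessary condition: a mismatched or shortened domain is a reason to stop, while an empty list still means you should read the domain yourself.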
For Businesses Creating QR Codes
If your business uses QR codes, you have a responsibility to make them as safe as possible for your customers. Criminals exploit the trust your customers place in your brand. Here's how to make that harder.
Use Your Own Domain
Point your QR codes to URLs on your own domain, not a third-party URL shortening service. When a customer scans your code and sees yourcompany.com/menu in their URL preview, they can verify it's legitimate. When they see randomshortener.io/x7k9z, they have no way to tell if it's real.
This is one of the strongest signals of legitimacy you can give your customers.
Always Use HTTPS
Every URL behind your QR codes must use HTTPS. No exceptions. An HTTP URL gives browsers and phones a reason to display a security warning, which erodes customer trust (even if the link is legitimate). It also means data transmitted through the page is unencrypted.
Use Dynamic QR Codes
A static QR code encodes a fixed URL. If that URL is compromised or someone creates a copycat, you can't do anything about it. A dynamic QR code points to a redirect URL that you control. If something goes wrong, you can disable the link instantly or redirect it somewhere safe.
If you discover that someone has placed sticker overlays on your QR codes, you can disable the original redirect URL from your dashboard or point it at a safe page. The sticker itself still sends scanners to the attacker's URL, but the code you control stops leading anywhere harmful the moment you act, and customers who scan your real code get whatever you redirect it to instead. Dynamic codes give you a kill switch.
Monitor Your Scan Analytics
If you're using a QR code platform with analytics (like QR Shortener), watch for unusual patterns. A sudden spike in scans from an unexpected location could indicate that someone has cloned your QR code or is using it in a phishing campaign. Unusual traffic patterns are often the first sign of compromise.
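As an added example (not code from QR Shortener or any real platform), the following Python sketch models the two recommendations above together: a dynamic QR code resolves through a redirect you control, the target can be swapped for a notice page the moment tampering is found, and a simple spike detector flags a burst of scans that exceeds the code's usual rate and comes from locations it has never seen. The notice URL and the location strings are constructed placeholders.

```python
import time
from collections import defaultdict

SAFE_PAGE = "https://yourcompany.com/qr-notice"  # assumed notice page (placeholder)

class DynamicQrRedirector:
    """In-memory model of a dynamic QR redirect service with analytics."""

    def __init__(self):
        self.destinations = {}           # code_id -> current target URL
        self.scans = defaultdict(list)   # code_id -> [(timestamp, location), ...]

    def register(self, code_id, destination):
        self.destinations[code_id] = destination

    def resolve(self, code_id, location, ts=None):
        """Return the redirect target for one scan and record it for analytics."""
        if code_id not in self.destinations:
            return None
        self.scans[code_id].append((time.time() if ts is None else ts, location))
        return self.destinations[code_id]

    def kill(self, code_id, notice=SAFE_PAGE):
        """Kill switch: every further scan of this code lands on the notice page."""
        self.destinations[code_id] = notice

    def spike_report(self, code_id, window, now, factor=3.0, min_scans=5):
        """Flag a spike: scans in the latest window exceed `factor` times the
        average per window seen before it. Also lists locations first seen
        during the spike, which is the 'unexpected location' signal."""
        events = self.scans.get(code_id, [])
        recent = [loc for ts, loc in events if ts > now - window]
        older = [(ts, loc) for ts, loc in events if ts <= now - window]
        if len(recent) < min_scans:
            return None
        if older:
            span = (now - window) - min(ts for ts, _ in older)
            baseline = len(older) / max(1.0, span / window)
        else:
            baseline = 0.0
        if len(recent) <= factor * baseline:
            return None
        known = {loc for _, loc in older}
        new_locations = sorted({loc for loc in recent if loc not in known})
        return {"recent": len(recent), "baseline": baseline,
                "new_locations": new_locations}
```

In a real deployment the scan log would live in a database and the spike check would run on a schedule, but the decision logic is the same.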
Print QR Codes Directly on Materials
Whenever possible, print QR codes directly onto your materials (packaging, signage, business cards). Printed codes are much harder to tamper with than codes displayed on a screen or stuck on a surface. If someone places a sticker over a printed code, the tampering is more visible because the sticker sits on top of a clearly printed surface.
Educate Your Customers
Add a short note near your QR codes: "This code directs to [yourdomain.com]. Verify the URL before entering any information." It takes minimal space and gives customers a reference point. If they scan a tampered code and see a different domain, they'll know something is wrong.
QR Code Security Is Everyone's Problem
QR codes aren't going away. They're on restaurant menus, product packaging, event tickets, business cards, transit systems, and advertisements. They're convenient. They work. But they carry real risks that most people don't think about.
The fix isn't to stop using QR codes. It's to stop scanning them blindly. Check the URL. Look for tampering. Be suspicious of codes in unexpected places. These small habits take seconds and can save you from losing credentials, money, or both.
For businesses, the responsibility is higher. Use your own domain. Use HTTPS. Use dynamic QR codes with analytics. Print codes directly on materials. These aren't optional security enhancements. They're the baseline for protecting your customers.
A QR code is just a link you can't read. Treat it that way. If you wouldn't click a random link from a stranger, don't scan a random QR code from an unknown source.
Sources and Further Reading
- FBI IC3 Public Service Announcement (PSA I-011822-PSA) — The FBI's January 2022 warning about criminals tampering with QR codes to steal credentials and financial information.
- Quishing — Wikipedia — Overview of QR code phishing attacks, techniques, and notable incidents.
- QR code: Malicious use — Wikipedia — Documentation of parking meter scams, sticker overlay attacks, and other QR code fraud cases.
- Hoxhunt (2023) — Research reporting a 587% increase in QR phishing attacks between August and September 2023.
- HP Wolf Security — Research on the rise of QR code phishing in email campaigns that bypass traditional text-based URL scanners.