QR Code Scams Surge: Cybercriminals Weaponize Everyday Convenience

QR Codes: The Latest Cybersecurity Blind Spot

Once considered a harmless tool for scanning menus, accessing apps, or unlocking event passes, QR codes have now become a new favorite among cybercriminals. In a growing number of phishing and malware campaigns, attackers are weaponizing QR codes — embedding them in emails and luring users to malicious websites or infected downloads.

The Anti-Phishing Working Group (APWG) has sounded the alarm after identifying a sharp rise in these QR-based attacks, often called “quishing.” According to their recent Phishing Activity Trends Report, the situation is more dire than it may seem at first glance. From October 2024 through March 2025, APWG member Mimecast reported an average of 2.7 million emails per day containing QR codes, with 1.7 million of them confirmed as malicious.

These codes often impersonate reputable brands, promising deep discounts or timely offers — a seasonal pool, a 4th of July firework sale — only to redirect unsuspecting users to phishing sites. Some codes install malware capable of compromising corporate systems, making this not just a personal risk, but a widespread enterprise threat.

What makes quishing especially dangerous is that traditional email security filters struggle to detect harmful QR codes, giving attackers a stealthy advantage. Moreover, no single industry is safe. Mimecast detected significant numbers of malicious QR codes targeting retail, manufacturing, and construction sectors — each receiving over 120,000 targeted attempts during the analysis window.

These industries are appealing to attackers because of their wide QR code adoption and heavy mobile app use. Brands like Amazon, Walmart, and Mastercard — which tops the list of most-impersonated names — are routinely spoofed.

Adding to the concern, criminals now use the same tools as legitimate marketers: free and paid QR code generators, URL shorteners, and tracking features. This makes it easier for them to evade detection, obscure their true URLs, and gather analytics on their victims’ behavior — all while masquerading as harmless digital squares.

While awareness is growing, the numbers paint a stark picture. In Q1 2024 alone, APWG recorded over 1 million phishing attacks, the highest total since late 2023 — and quishing is playing a big part in that upward trend.

What Undercode Say:

The misuse of QR codes marks a dangerous shift in the cyber threat landscape. What once was a convenience-driven technology is now a clever disguise for malware and phishing attempts. The rising phenomenon of quishing is a product of three converging factors:

Ubiquity: QR codes are everywhere — from restaurant menus to digital payments — and people are trained to trust them.
Invisibility to Filters: Traditional email filters analyze text and known URLs but struggle with decoding QR images, making these attacks hard to stop.
Shared Tooling: Cybercriminals exploit the same platforms legitimate users do, including URL shorteners and dynamic QR services. This shared infrastructure makes malicious campaigns harder to identify and shut down.

There is also a psychological component at play. QR codes offer a false sense of modern convenience. People often scan without thinking, especially when the code comes from what seems like a trusted email. That’s where the danger lies — a subtle, subconscious trust in the medium.

Businesses must now treat QR code security as part of their digital hygiene strategy. That includes educating employees on suspicious QR practices, disabling automatic QR link previews, and even investing in QR scanning tools that can vet destinations before the user lands on them.

Industries particularly reliant on QR code engagement — such as retail, hospitality, and manufacturing — should be the first to act. These sectors are often fast-moving and mobile-first, which makes users more likely to scan impulsively. Deploying machine vision tools capable of inspecting email-embedded images for QR threats could be a game-changer.

Consumers, meanwhile, need to pause before scanning anything. A good rule of thumb? If a deal looks too good to be true — especially via email — don’t scan the code. Manually visiting the company’s site or using its official app is far safer.

Ultimately, quishing is not just a gimmick —

🔍 Fact Checker Results

✅ QR-based phishing (“quishing”) is a real and rising threat, with over 1.7 million malicious QR codes detected in six months.
✅ Multiple sectors were targeted, with retail, manufacturing, and construction among the most affected.
✅ Mastercard is confirmed as the most impersonated brand in quishing campaigns during this reporting period.

📊 Prediction

Given the current trajectory, quishing campaigns are expected to double by mid-2026 if current detection methods remain unchanged. Enterprises that rely heavily on QR codes will likely implement image scanning cybersecurity layers or even QR-blocking policies. Furthermore, major email platforms may begin integrating AI-based QR code decoders into their threat detection engines to stay ahead of this invisible attack vector.