Malicious QR Codes are Hidden Everywhere  

QR codes have become a common part of everyday life. They can be found in restaurants, parking lots, social events, product packaging, and even in unexpected places, like on modern gravestones. It is understandable, after all, that they are easy to use and very practical. We are so used to seeing them everywhere that it is easy to overlook the risks they can carry. According to the Anti-Phishing Working Group (APWG) in its Q1 2025 report, over 1.7 million unique malicious QR codes were detected by cybersecurity researchers, along with “an average of 2.7 million emails with QR codes attached daily”.

How Does a Malicious QR Code Function?  

QR codes work by encoding information into a square pattern that can be read by a scanner or camera. This information can include a URL, text, or contact details. QR codes are fast, reliable, and capable of storing much more data than traditional barcodes. However, because the content is encoded within the pattern, attackers can exploit this to hide malicious links or actions. Some devices and apps show a preview before opening a link, but not all do, and users often do not inspect the preview carefully, making QR codes a useful tool for phishing and other malicious attacks. 

QR codes Can Be Exploited in Various Different Ways 

1. Phishing Campaigns (Quishing) 

Attackers can embed URLs in QR codes that redirect users to phishing sites designed to steal personal information, login credentials, or financial details. Since users often do not see or carefully check the URL before opening it, they may not realize they are being directed to a fraudulent website. This tactic is widely used because of its high effectiveness. 

2. Malware Distribution 

QR codes can also direct users to websites that prompt users to download malicious software onto their smartphones or computers. If users proceed with the installation, the software can infect their devices with malware. Although most devices require user permission to complete the installation, attackers often rely on social engineering tactics to overcome users’ caution. 

3. Fake Payment Requests 

Scammers can create fake QR codes or replace legitimate ones in public places (known as QR code tampering), to redirect payments to their own accounts. This method is commonly used in situations like parking meters, charity donations, or sending them via email or chat, tricking victims into unknowingly sending money to cybercriminals. 

5 Quick and Easy Steps to Take in Order to Safely Scan and Verify QR Codes 

There are 5 steps that one can easily and quickly take to better safeguard themselves and their data against Malicious QR codes.  

1. Inspect The QR Code Source 

Before scanning a QR code, make sure it comes from a trusted source. Be cautious of codes found in public places that look out of place, are poorly printed, or appear to be stickers placed over original codes. Watch out for posters or messages with QR codes that try to grab your attention or offer something that seems too good to be true. 

2. Verify the URL Before Clicking  

Most modern smartphone cameras display a preview of the link or information encoded before opening it, allowing users to review what type of content is behind the QR code. Before clicking any links, always take a moment to verify the URL is legitimate and a trusted website and not an imitation with misspellings or suspicious characters. Be cautious with shortened or unclear links, as attackers may use link obfuscation to hide malicious destinations. If anything looks off, it is safer to type the known URL manually into your browser.  

 In case your device does not display a preview of the QR code, consider installing a camera or scanner app that allows you to view the content before opening it. Always use trusted QR code scanning apps from reputable sources to ensure your security. 

 3. Avoid Entering Sensitive Information 

Never enter sensitive information on websites accessed through QR codes unless you are certain the site is legitimate and secure. Cybercriminals can create fake websites to steal personal identifiable information, login credentials, credit card numbers, or other confidential data. If scanning a QR code opens a form asking for personal details, especially in a public space, consider it a red flag and think twice before entering anything. Always verify that the site uses a secure HTTPS connection and that the domain name is correct and trusted. You can also search for the site online for verification. 

4. Do Not Download Files from QR Codes 

QR codes can take you to websites asking you to download files, especially software or apps. While this might seem convenient, it is a common method used by cybercriminals to install malware. Unless you trust the source, avoid downloading anything it points to. Instead, use official app stores or trusted websites when downloading or installing software. 

 5. Keep Devices Updated and Use Anti-Malware Software 

It is important to make sure that your device and apps stay updated. Those updates often fix security vulnerabilities that cybercriminals could exploit. Additionally, installing anti-malware software adds another layer of security and can help detect and block potential threats before they cause harm. 

Stay Safe and Stay Aware  

Using QR codes to deliver attacks remains a common and growing threat in 2025. This technology has become a part of everyday life, and most people use it without a second thought. That convenience also makes QR codes an easy target for cybercriminals. As technology advances, so do the tactics used to exploit it. That is why staying alert matters. Taking a moment to check a link can help you avoid much bigger problems. 

Author: The Safeguards Consulting, Inc. Cybersecurity Team