iFlock Blog – iFlock Security Consulting

QR Code Scams: The Quiet Comeback No One Saw Coming 

Written by Karrie Westmoreland | Jul 25, 2025 8:39:06 PM


QR codes were the unassuming heroes of the pandemic. No menus? No problem—just scan. Need to check in, download, verify, or pay? There’s a code for that. They were fast. Frictionless. Ubiquitous. 

And cybercriminals noticed. 

In 2024 and 2025, the humble QR code has become one of the more effective social engineering delivery mechanisms in use: cheap to deploy, hard for a person to inspect before scanning (the destination is encoded in pixels, not in readable text), and well suited to slipping past defenses that only inspect text links. 

Welcome to the world of quishing—QR code phishing. 

How Quishing Works (and Why It’s So Effective): 

Let’s say you’re walking into your office building. A poster on the wall says your VPN client needs an urgent update. Scan the QR code to install the patch. 

Seems official. Branded. Convenient. 

You scan the code on your personal phone—because hey, it’s your phone—and a site opens, slick and familiar. You tap to log in with your work credentials. 

Except that site? It’s fake. And you just handed your credentials over to an attacker. 

That’s quishing in action. 

Other flavors include: 

  • Fake invoices sent to your inbox with a QR code linking to a “receipt portal.” 
  • QR stickers pasted over real restaurant codes, leading to fake payment sites. 
  • Physical parking tickets placed on windshields with QR codes to “pay the fine.” 
  • IT support messages (via email, SMS, or even Slack) prompting users to “verify access” by scanning a QR code. 


Once you scan, the trap is sprung. 

Why QR Attacks Work So Well: 
  1. They Bypass Email Security Filters 
    QR codes embedded in emails or PDFs can sidestep link scanning, URL rewriting, and reputation checks at the mail gateway, because the destination is encoded in an image rather than in text the filter parses. There's nothing suspicious in the message body—until the QR leads you outside the castle. The gap is closing, though: some secure email gateways now decode QR images and scan the extracted URL, so check whether yours does, and whether it also covers images inside PDF attachments. 

  2. They Exploit Personal Devices 
    Most users scan with a personal phone—not a managed work computer. The phone is on cellular or home Wi-Fi, so the request never crosses the corporate web proxy, DNS filtering, or endpoint detection, and the credential prompt is rendered in a mobile browser where the address bar is small and easy to ignore. 

  3. They Look Legitimate 
    A QR code doesn’t raise the same red flags as a sketchy URL or unknown attachment. Plus, many users assume the physical presence of a code means it's been vetted. Spoiler: it hasn’t. 

  4. They Blend Physical and Digital 
    Social engineering thrives when trust is assumed. A printed poster or a real-world item feels authentic—especially when it’s branded, timed (e.g., “required by July 15”), or placed in a familiar space. 


The Psychology of QR Trust: 

Unlike email phishing—where skepticism is (finally) increasing—QR codes haven’t triggered the same mental alarms. 

There’s a curious psychological loophole here: when something appears in the physical world, our brains treat it as more trustworthy. Posters, flyers, signs—they feel real. And if you’ve ever scanned a QR code on a receipt without blinking, you’ve felt this too. 

Attackers are exploiting that split-second of blind trust. 


What Quishing Looks Like in the Wild: 

Here are a few true-to-life scenarios that made headlines or quietly infiltrated companies: 

  • Fake restaurant menus: A string of cafes in Spain reported fake QR stickers over real menus, rerouting customers to payment portals that skimmed credit card details. 
  • In-store scams: A global retailer found malicious QR stickers placed on self-service kiosks, tricking users into logging into cloned loyalty portals. 
  • Corporate email attacks: Employees received urgent “account suspension” notices with QR codes to verify credentials, bypassing email filters designed to block suspicious links. 


These aren't theoretical. They happened. And they're accelerating. 

How to Defend Against Quishing (Without Ditching QR Codes Entirely): 

Let’s be honest: QR codes aren’t going away. But trust? That’s got to be earned, not assumed. 

Here’s how to stay ahead: 

  1. Train employees to pause and think before they scan. Especially when the source is unclear or the QR arrives via email, text, or Slack.

  2. Digitally verify physical signage. If your organization uses printed materials with QR codes, give staff a way to check legitimacy: keep an intranet registry of active QR links, point every printed code only at your own domain, and include a campaign identifier in the link so the registry lookup is exact rather than a guess.

  3. Use branded, secure URLs. Instead of generic short links, encode HTTPS URLs on a domain the organization owns, so users can compare the host against something they already know. A shortener hides the destination, which is exactly what an attacker wants.

  4. Invest in mobile threat detection (MTD). If employees use phones to access work apps or data, MTD tools can detect malicious redirects, apps, and behaviors. Note the limit: MTD only protects enrolled devices, and the unmanaged personal phone is the one most likely to do the scanning, so pair it with phishing-resistant MFA on the accounts that matter.

  5. Design for suspicion, not convenience. Build a culture where people expect to verify—whether it’s a voice call from the CEO or a QR code on the fridge. 
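To make points 2 and 3 concrete, and to show what a gateway or a staff verification app can do once the QR image has been decoded (the step attackers rely on never happening, per the "bypass email security filters" and "personal devices" points above), here is a small triage routine. It is an added example written for this post, not iFlock's tooling or any product. It assumes the QR has already been decoded to a string by a scanner app or a library such as zbar; the corporate domains, the campaign registry, the signing key and every sample URL are constructed for illustration.

```python
"""Triage a URL decoded from a QR code before anyone taps it.

Added example for this post (not iFlock's tooling). Assumes the QR image
was already decoded to a string by a scanner app or a library such as
zbar. The corporate domains, campaign registry and signing key below are
constructed for illustration only.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical corporate domains: a host is trusted only if it is one of
# these or a subdomain of one (string containment is NOT enough).
CORP_DOMAINS = {"example-corp.com"}

# Public shorteners: the person scanning cannot see the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "qrco.de"}

# Parameter names typically used by open redirects on legitimate sites.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "goto", "target", "continue", "dest"}

# The "intranet list of active QR links": campaign id -> URL the org printed.
ACTIVE_QR_CAMPAIGNS = {"vpn-2025-q3": "https://vpn.example-corp.com/update"}
# Constructed demo key; a real deployment keeps this in a secrets store.
QR_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def host_in_allowlist(host, allowlist=CORP_DOMAINS):
    """Exact or subdomain match against the corporate domain list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def sign_campaign(campaign_id, key=QR_SIGNING_KEY):
    """Short HMAC tag the org embeds in every QR link it prints."""
    return hmac.new(key, campaign_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_signed_qr_url(campaign_id):
    """URL to encode in the poster's QR: branded host + campaign id + tag."""
    return f"{ACTIVE_QR_CAMPAIGNS[campaign_id]}?c={campaign_id}&sig={sign_campaign(campaign_id)}"


def campaign_signature_valid(query):
    """True if the link carries exactly one (c, sig) pair for an active campaign."""
    ids, sigs = query.get("c", []), query.get("sig", [])
    if len(ids) != 1 or len(sigs) != 1 or ids[0] not in ACTIVE_QR_CAMPAIGNS:
        return False
    return hmac.compare_digest(sign_campaign(ids[0]), sigs[0])


def triage_qr_payload(payload):
    """Classify a decoded QR payload.

    Returns (verdict, reasons): 'trusted' (registered, correctly signed
    corporate link), 'suspicious' (at least one red flag) or 'unverified'
    (no red flag, but nothing vouches for it either).
    """
    flags, notes = [], []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "suspicious", [f"not a web URL (scheme: {scheme or 'none'})"]
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", ["URL has no host"]

    if scheme == "http":
        flags.append("plain http: no TLS, content can be swapped in transit")
    if parts.username is not None:
        # https://vpn.example-corp.com@evil.example/ : the brand is only userinfo
        flags.append(f"text before '@' is userinfo; the real host is {host}")
    if "xn--" in host or any(ord(ch) > 127 for ch in host):
        flags.append("internationalised host, possible homograph of a known brand")
    if host in SHORTENERS:
        flags.append(f"shortener {host} hides the final destination")

    query = parse_qs(parts.query)
    for name, values in query.items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlsplit(unquote(value)).hostname
                if target and not host_in_allowlist(target):
                    flags.append(f"redirect parameter '{name}' leads to {target}")

    if host_in_allowlist(host):
        if campaign_signature_valid(query):
            notes.append("registered QR campaign with valid signature")
            if not flags:
                return "trusted", notes
        elif "sig" in query or "c" in query:
            flags.append("campaign signature invalid, or campaign no longer active")
        else:
            notes.append("corporate host, but not a registered QR campaign")
    else:
        brand = next((d.split(".")[0] for d in CORP_DOMAINS if d.split(".")[0] in host), None)
        if brand:
            flags.append(f"host {host} contains '{brand}' but is not a corporate domain")
        else:
            notes.append(f"host {host} is not a corporate domain")

    return ("suspicious" if flags else "unverified"), flags + notes


if __name__ == "__main__":
    # Constructed samples: one genuine poster link, then the tricks from the post.
    for sample in (build_signed_qr_url("vpn-2025-q3"),
                   "https://example-corp.com.login-portal.top/vpn",
                   "https://vpn.example-corp.com@evil.example/",
                   "https://vpn.example-corp.com/sso?next=https://evil.example/login",
                   "https://bit.ly/3xyz"):
        verdict, reasons = triage_qr_payload(sample)
        print(f"{verdict:11} {sample}")
        for reason in reasons:
            print(f"            - {reason}")
```

The signature is the piece that turns "a list of active QR links" into something a verifier can check without guessing: only links the organization actually printed carry a valid tag, so a sticker pasted over a real poster fails even if the attacker copied the branded host. The lookalike check is deliberately crude (it only catches the brand name reused inside a foreign host), so treat "unverified" as "do not enter credentials here", not as "safe".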



In Summary: 

QR codes aren’t the enemy. But assuming they’re harmless? That’s a mistake. 

Just like email and SMS, QR is now part of the attacker’s toolkit. And the moment we forget that—or treat scanning as a low-risk action—we give threat actors exactly what they want. 

The scam isn’t in the code. It’s in the trust.