More than 26 million Americans have been directed to malicious sites after scanning QR codes without verification, a habit reported by 73% of the population, according to NordVPN (via CNBC); the scam is known as “quishing.” The Federal Trade Commission and local agencies have issued warnings about malicious QR codes in a variety of contexts.
QR codes have moved from novelty to everyday use for everything from restaurant menus to payment systems, and cybercriminals have followed. Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant, said that QR codes, now found on gas pumps, yard signs, and television commercials, are “simultaneously useful and dangerous.” Attackers use the codes to send people to malicious websites or harvest private information, the scheme known as “quishing.”
The FTC warned earlier in the year about unsolicited packages containing QR codes that, when scanned, could lead to phishing websites or malware downloads. State and local advisories, including those from the New York Department of Transportation and Hawaii Electric, have alerted customers to these scams. Gaurav Sharma, a professor at the University of Rochester, noted that criminals leverage urgency, posting fake QR code stickers on parking meters or utility bill warnings, expecting individuals to be in a hurry. Sharma anticipates an increase in QR scams as QR code use expands and as safeguards against email phishing improve. A study by KeepNet Labs revealed that 26% of all malicious links are now transmitted via QR code.
Sharma is developing a “smart” QR code, the SDMQR (Self-Authenticating Dual-Modulated QR), with integrated security to counter scams. This requires cooperation from Google and Microsoft, who control camera infrastructure. He cautions against relying on company logos within QR codes for security, as logos can be easily copied. Denise Joyal of Cedar Rapids, Iowa, in her 60s, expressed concerns about security and prefers not to use QR codes, especially when they are the only option for promotions. Institutions are also enhancing QR code security. Natalie Piggush, spokeswoman for the Children’s Museum of Indianapolis, stated that their IT staff began upgrading QR codes several years ago, using stylized codes with the museum’s logo and colors. They also inform users what to expect and regularly inspect codes for tampering.
Museums generally face lower risk than locations like train stations, as scammers primarily seek cash. However, Sharma noted that even in museum settings, fake QR codes could install malware. Malwarebytes research indicates that iPhone users may be slightly more susceptible to QR code scams, partly due to greater device trust. David Ruiz, a Malwarebytes researcher, observed that 70% of iPhone users scanned QR codes for purchases, compared to 63% of Android users.
This trust might lead iPhone users to forgo additional cybersecurity measures; 55% of iPhone users trust their device for security, versus 50% of Android users. A QR code is more hazardous than a phishing email because the embedded web address is generally unreadable and unverifiable. Although QR codes often include human-readable text, attackers can alter this to mislead users. The primary defense against these scams is to avoid scanning unexpected QR codes and to look for codes that display the URL upon scanning.
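The article's advice is to inspect the decoded URL before opening it. The following is an added example, not code from the article or from any of the organizations it quotes, showing what that inspection can look like once a scanner has decoded the payload to text. It flags the red flags a defender would check (non-web schemes, plain http, an `@` that makes a display domain hide the real host, raw IP hosts, punycode domains, link shorteners, and a host outside the organization's expected domain). The shortener list and the `expected_domain` parameter are assumptions for illustration.

```python
from typing import List, Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed list of common URL shorteners (assumption; extend for your environment).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def assess_qr_url(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return a list of warnings for a decoded QR payload.

    An empty list means none of the checks fired; it is not proof of safety.
    expected_domain (hypothetical parameter) is the domain the poster claims
    to belong to, e.g. the city's parking authority.
    """
    findings: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # QR payloads can be Wi-Fi configs, vCards, javascript:, etc.; only web
    # URLs are expected on a parking meter or utility notice.
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme or 'none'}'")
        return findings
    if scheme == "http":
        findings.append("unencrypted http URL")

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("missing host")
        return findings

    # "https://bank.example@evil.test/" shows the bank's name but goes to evil.test.
    if parts.username is not None:
        findings.append("credentials/'@' before host (display spoofing)")

    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass

    # Internationalized labels (xn--) can render as lookalikes of a real brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host; check for homoglyphs")

    if host in SHORTENERS:
        findings.append("URL shortener hides final destination")

    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            findings.append(f"host '{host}' is not under expected domain '{exp}'")

    return findings


def is_suspicious(payload: str, expected_domain: Optional[str] = None) -> bool:
    """Convenience wrapper: True if any check fired."""
    return bool(assess_qr_url(payload, expected_domain))


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        ("https://pay.example-city.gov/meter/123", "example-city.gov"),
        ("http://bit.ly/abc", None),
        ("https://example-city.gov@192.0.2.10/login", "example-city.gov"),
        ("https://xn--pple-43d.com/", None),
        ("WIFI:S:net;P:pw;;", None),
    ]
    for payload, expected in samples:
        print(payload, "->", assess_qr_url(payload, expected) or "no red flags")
```

The checks are deliberately cheap and offline so they can run in a scanner before the browser is opened; anything that fires should be shown to the user next to the full URL rather than silently blocked, since a legitimate code can also use a shortener.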
Brewer confirmed credible reports of nation-state intelligence agencies using QR codes to compromise military personnel’s messaging accounts, including those using Signal. These attackers have distributed remote access trojans (RATs) via QR codes, allowing unauthorized access to devices and networks. Brewer stated, “Legitimate flyers, posters, billboards, or official documents can be easily compromised.
Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception.” Rob Lee, chief of research, AI, and emerging threats at the SANS Institute, noted that QR codes, designed for convenience rather than security, are ideal for scammers. Lee compared quishing to the well-known tactic of phishing emails, calling it “a low-effort, high-return tactic attackers love to scale.”