Business Security Tips: QR Code Scams on the Rise



A QR code, or quick response code, is a square matrix barcode that can be scanned using your smartphone’s camera. QR codes can store more data than a traditional barcode, making them very versatile. However, they bring with them unique security risks. Cybercriminals sometimes use them to increase their success rate, such as in a QR code phishing attack.

If you’re unfamiliar with QR codes, here is one we created for you to try out (please note: this QR code leads to one of our secure blog pages):


Scan our QR code above to learn more about phishing attacks. 


QR Code Use Cases

When a QR code is scanned, it allows a user to quickly perform an action. Here are a few use cases you’re likely to encounter: 

Websites & Apps

Many organizations use QR codes to direct a smartphone user to a website page or to download an app from Google Play or the Apple App Store. For example, a user may scan a QR code at their favorite restaurant to view their online menu or their reward system. 

Digital Tickets

Users can easily access their airline boarding passes, concert tickets, and more with QR codes containing their personal information to gain entry. 

Mobile Payments 

QR codes can be used to send payment information during checkout as well as to transfer money between users.

User Authentication 

These codes can be used for two-factor authentication (2FA). Users simply scan a code to confirm their identity when logging into an account. 

Uses for this little square code are seemingly endless, and their popularity has been growing steadily. Insider Intelligence reports that the number of users scanning a QR code “will increase from 83.4 million in 2022 to 99.5 million in 2025.”  

While QR codes are powerful and convenient tools, they also pose a significant security risk to individuals and organizations. These risks make it essential that individuals know what to look for to avoid falling for a cybercriminal’s tactics. 

Malicious Intent

QR codes can be malicious thanks to cybercriminals who have adopted them to exploit or harm users. Their goal is to compromise your sensitive information, such as:

  • Your financial data 
  • Your login credentials
  • Your personal information 

One of the reasons this attack method is successful is that many people are completely unaware that they could be scammed when interacting with a code.

Types of QR Code Scams

Malware Distribution

Cybercriminals often use QR codes to direct users to malicious websites containing malware. Examples of malware include viruses, ransomware, spyware, and Trojans. Malware allows cybercriminals to accomplish a variety of goals, which generally center around these three tasks:

  • Enabling an attacker to remotely control an infected device
  • Sending spam from infected devices to unsuspecting targets
  • Reviewing an infected user’s local network

By navigating to a malicious site, users unwittingly give malware access to damage their device, their personal information, and more. 

Payment Fraud 

As previously mentioned, many organizations use QR codes to provide information to consumers. They also use them to collect payments for goods and services. For example, some parking meters use a code to direct consumers to a payment website. 

In a payment fraud situation, a criminal covers up the organization’s original QR code with their fraudulent one. The code left by the cybercriminal will direct the user to their site – so the user pays them instead of the intended organization. 

QR Code Phishing 

Phishing attacks are initiated by cybercriminals attempting to gain personal information (e.g., login credentials, credit card numbers, etc.) by impersonating a reputable organization. This social engineering attack is often conducted through emails. However, other messaging tactics can be used – such as text messages (smishing) and phone calls (vishing). 

Sometimes cybercriminals add a QR code to their phishing emails to direct users to a malicious site – instead of using links or buttons.  

Phishing emails with QR codes make it impossible for users to verify the legitimacy of the site prior to visiting it, and they are harder for security software to detect. These risks make it essential to know how to identify phishing emails and protect yourself, and your organization, from malicious QR codes.

Real-life QR Code Phishing Email Example We Intercepted:

Microsoft 2FA

Please note: We blurred out the QR code as a safety precaution.  

Like other phishing methods, the messaging in this email tries to manipulate the email recipient:  

  • The email fraudulently poses as a well-known brand (Microsoft)  
  • It includes a sense of urgency (2 days to scan QR code) 
  • It provides a consequence for not following through with their request (account interruption) 

These tactics increase cybercriminals’ success rate. So, ensure you take note when you receive an email that has high levels of immediacy and requests that you take action. 

How to Protect Your Business from QR Code Phishing

Recently, our cybersecurity experts have seen a rise in QR code phishing emails being sent. To minimize your QR code risk, use good cyber hygiene to better protect yourself and your organization. Here are 6 essential tips to share with your coworkers:

Do Not Scan Codes

The best way to mitigate risk is to not scan any QR codes – especially on business smartphones. Instead, navigate to the site you want to interact with or pay for goods and services directly. 

Look Closely

If you are considering scanning a physical QR code (on a window, meter, sign, etc.), look closely at it to ensure that it has not been tampered with. Keep in mind that just because you verify it is the only code there, it does not mean that it is not malicious. A cybercriminal may have placed their code in a location where none previously existed. 

Confirm QR Code Legitimacy

If you receive a code from someone you believe you know, reach out to them directly with their known contact information (i.e., a phone number you use regularly to speak with them) to verify it is safe and not from a cybercriminal.

Review Web Address

Once you scan a QR code, review the web address to ensure it is the site you expect – with the proper spelling and punctuation.  
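A scripted version of this review, as an added example that is not from the original article: it takes the web address a scanner has already decoded from a QR code and lists the reasons it does not match a site you expect. The `EXPECTED_HOSTS` list and the function names are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts your organization expects its QR codes to lead to.
EXPECTED_HOSTS = {"example.com", "pay.example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(url: str, expected=EXPECTED_HOSTS) -> list[str]:
    """Return warnings for a decoded QR URL; an empty list means it is expected."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None or parts.password is not None:
        warnings.append("text before '@' hides the real host")
    if not host:
        return warnings + ["no host"]
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # a normal host name
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ASCII or punycode host (possible look-alike characters)")
    if host not in expected:
        near = sorted(e for e in expected if edit_distance(host, e) <= 2)
        if near:
            warnings.append(f"near-miss spelling of {near[0]}")
        elif any(e in host for e in expected):
            warnings.append("expected name embedded in a different host")
        else:
            warnings.append("host not on expected list")
    return warnings
```

An exact match against the expected list is the only passing result; subdomains you rely on have to be listed explicitly.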

Be Cautious with Personal Information

Think twice before entering personal information, login credentials, or financial information into a site that you navigated to from a QR code. If you receive a message that requests you complete a payment through a QR code, it’s safer to manually navigate to the organization’s website or call to process the payment. 

Avoid Downloading Apps

Instead of downloading an app from a QR code, it is much safer to navigate to your phone’s app store. App stores have processes and systems in place to ensure apps are safe for download. In the same vein, avoid downloading QR code scanner apps. Use the one that comes with your phone’s operating system. 

How to Report QR Code Fraud

If you or your organization experiences QR code fraud, report it to the FBI as soon as possible. To submit your report, contact your local FBI field office and the FBI Internet Crime Complaint Center.

Learn More About Phishing

Check out our ultimate phishing guide to learn more about other phishing attacks and how to boost your organization’s security. 
