QR codes, once a convenient tool for menus and check-ins, have become a growing cybersecurity threat as cybercriminals ramp up “quishing” attacks. The Federal Trade Commission and cybersecurity experts are warning Americans that QR code scams are spreading rapidly, targeting unsuspecting users with malware and phishing links.
Quishing, a blend of “QR” and “phishing,” involves attackers hiding links to malicious websites behind scannable QR codes. These codes can be placed on everyday items such as parking meters, utility bills, or even fake packages. Once a code is scanned, the site it leads to can steal personal information or install harmful software on the smartphone.
Dustin Brewer of BlueVoyant explained that attackers rely on users’ urgency and trust, particularly when QR codes are linked to payments or transportation. CNBC reports that over 26 million Americans have already been redirected to malicious sites by scanning fake QR codes. NordVPN found that 73 percent of Americans scan codes without verifying their authenticity.
A study by KeepNet Labs revealed that 26 percent of all malicious links now come through QR codes. As traditional email-based phishing loses effectiveness due to increased filtering, QR-based attacks are becoming the preferred method for cybercriminals. Professor Gaurav Sharma from the University of Rochester is working on secure alternatives, including a new format called SDMQR, which could prevent tampering, but adoption depends on tech giants like Google and Microsoft.
Some institutions, such as the Children’s Museum of Indianapolis, have begun countering the threat by customizing their QR codes with logos and regularly inspecting them. But overall, both Android and iPhone users remain vulnerable, with iPhone users potentially more so due to their higher trust in the device’s built-in protections.
Experts recommend scanning only trusted codes, avoiding public or unverified codes, and requesting replacements when necessary. Vigilance is the best defense.