Published on July 9, 2026

QR Codes Are the New Security Blindspots That Steal Your Card Details and Deliver Malware


Severity

Medium

Detail

Cybersecurity researchers have warned of a significant rise in quishing (QR phishing) attacks, where cybercriminals abuse QR codes to bypass traditional security controls and trick users into revealing sensitive information or installing malware. As QR codes become increasingly common for payments, authentication, restaurant menus, parking meters, and corporate communications, attackers are exploiting the trust users place in these codes to launch credential theft, financial fraud, and malware campaigns.

Unlike conventional phishing emails that contain clickable hyperlinks, quishing embeds malicious URLs within QR code images making them difficult for users and many email security solutions to inspect before they are scanned. The malicious destination remains hidden until the QR code is scanned with a mobile device that allow the attackers to evade traditional email filtering mechanisms and shift the attack from a protected corporate environment to a user’s personal smartphone.

How?

The attack begins with attackers creating a malicious QR code that directs victims to a fake website or malware download. These QR codes are then distributed through phishing emails, PDF attachments, messaging applications, or physically placed over legitimate QR codes on parking meters, restaurant tables, retail stores, and other public locations.

When a victim scans the QR code using their mobile device, they are automatically redirected to an attacker-controlled webpage impersonating a legitimate service such as Microsoft 365, online banking, payment portals, or corporate login pages. Victims are then prompted to enter usernames, passwords, payment card information, or other sensitive data. In some cases, the QR code initiates the download of malicious applications disguised as legitimate software.

More advanced campaigns combine quishing with Adversary-in-the-Middle (AitM) techniques that allow attackers to intercept authenticated sessions and steal session tokens after users successfully complete Multi-Factor Authentication (MFA). This enables attackers to gain unauthorized access to accounts without requiring additional MFA prompts.

The entire interaction occurs on a mobile device after the QR code is scanned, bypassing many traditional security controls including email gateways, web proxies, endpoint protection, and URL filtering which making quishing an increasingly effective method for credential theft, financial fraud, and malware delivery.

Conclusion

The growing adoption of QR codes in both personal and business environments has made quishing an increasingly attractive attack vector for cybercriminals. Organizations utilizing QR codes or allowing employees to scan QR codes for business purposes are advised to take the following precautions:

  • Deploy email security solutions capable of detecting and inspecting QR codes embedded in emails, images, and PDF attachments.
  • Enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys or passkeys, to reduce the risk of account compromise.
  • Implement Mobile Device Management (MDM) and Conditional Access policies to secure corporate mobile devices and restrict access from unmanaged devices

Users are advised to take the following precautions:

  • Verify the destination URL before opening websites accessed through QR codes.
  • Avoid scanning QR codes received through unsolicited emails, text messages, or messaging applications.
  • Inspect QR codes in public locations for signs of tampering such as stickers placed over legitimate codes.
  • Use official mobile applications or manually enter trusted website addresses instead of relying on QR codes for payments or account access.

Source

https://cybersecuritynews.com/qr-code-attacks/