Social Engineering · qr codes · quishing · phishing · social engineering · mobile security

QR Codes and Cybersecurity: Understanding Quishing and Safe Scanning Practices

QR code phishing — quishing — has become a significant attack vector since 2022. Attackers exploit the fact that QR code URLs are not human-readable, bypassing both user judgment and email security gateways.

EP Cybertools Security Team · 2025-02-13 · 6

A QR (Quick Response) code is a two-dimensional matrix barcode that stores data as a pattern of black and white square modules arranged on a grid. Unlike the one-dimensional barcodes on retail products that encode data only horizontally, QR codes encode data in both dimensions, enabling much higher data density. The visual structure includes finder patterns — three distinctive square-in-square patterns in three corners — that allow scanning devices to detect the code's orientation and alignment regardless of rotation or angle. A quiet zone (blank white border) around the entire code is required for reliable detection by scanning software.

QR codes support four levels of error correction that determine how much physical damage the code can sustain while remaining scannable: Level L allows 7% of the code's modules to be damaged or obscured, Level M allows 15%, Level Q allows 25%, and Level H allows 30%. Higher error correction levels use more modules for redundancy and correspondingly reduce the maximum data capacity. QR code versions range from 1 (21x21 modules) through 40 (177x177 modules), with higher versions supporting larger data payloads. QR codes that encode URLs typically use versions 3-7, depending on the URL length and the error correction level selected. The combination of version and error correction level determines the physical appearance and data capacity of the resulting code.

  • QR codes use both horizontal and vertical encoding for higher data density than 1D barcodes
  • Finder patterns in three corners enable scanning from any rotation angle
  • Error correction levels: L (7%), M (15%), Q (25%), H (30%) — higher levels survive more physical damage
  • Versions 1-40 determine grid size and data capacity — URL QR codes typically use version 3-7
  • Quiet zone (blank border) is required for reliable detection by all scanning software

Quishing is the term for QR code phishing: the combination of a QR code with a malicious destination URL designed to steal credentials, install malware, or commit fraud. The name combines QR and phishing. Quishing attacks exploit a fundamental property of QR codes from an attacker's perspective: the encoded URL is completely invisible to a human looking at the QR code image. Unlike a hyperlink in an email, where a security-conscious user can hover over the link to preview the destination URL before clicking, a QR code provides no visual indication of where it leads. This invisibility is the core security problem that makes QR codes an attractive attack delivery vehicle.

The FBI issued a public service announcement in January 2023 warning the public of a significant increase in quishing attacks, noting that cybercriminals were tampering with physical QR codes in public locations and using malicious QR codes in email and text message campaigns. The FBI specifically highlighted that attackers were using quishing to redirect victims to fraudulent sites that captured login credentials, installed malware on mobile devices, and redirected financial transactions to attacker-controlled accounts. The warning noted that even well-informed users who are careful about clicking links in emails may not apply the same scrutiny to QR codes, creating an effective social engineering advantage for attackers.

  • Quishing: QR code phishing — malicious URL encoded in a QR code that appears visually innocuous
  • Core security problem: the encoded URL is invisible to humans — no hover preview possible
  • FBI January 2023 warning: significant increase in quishing attacks reported across multiple sectors
  • Attack goals: credential harvesting, malware installation, financial fraud
  • Social engineering advantage: users apply less scrutiny to QR codes than to text hyperlinks

Physical QR code tampering has been documented in several real-world incidents. In January 2022, the city of Austin, Texas issued an alert about malicious QR code stickers placed over legitimate QR codes on parking payment meters across the city. Similar incidents were reported in San Antonio and Houston. Drivers who scanned the tampered codes were directed to fraudulent payment sites designed to capture credit card information and personal details. The physical overlay attack is particularly effective because the counterfeit QR code sticker is visually indistinguishable from a legitimate one, and users have no mechanism to detect the substitution without inspecting the sticker itself for signs of overlay.

Email-based quishing campaigns have become a significant concern for enterprise security teams because they bypass a common email security control. Many organizations deploy email security gateways that scan all URLs contained in hyperlinks in incoming email and block messages containing malicious URLs. QR code images in email are typically processed as image attachments or inline images — the security gateway renders them as image files and does not extract and scan the URL encoded within the image. Attackers embed QR codes in email messages directing recipients to Microsoft 365 or Google Workspace login page clones designed to capture credentials. Because the QR code's URL is not evaluated by the email gateway's URL scanner, the malicious message reaches the inbox.

  • Parking meter attacks: stickers with malicious QR codes overlaid on legitimate payment meter codes
  • Restaurant table tent attacks: malicious QR code stickers placed over legitimate menu QR codes
  • Email quishing: QR code images in email bypass URL-scanning security gateways
  • Credential harvesting targets: Microsoft 365 and Google Workspace login page clones are most common
  • Physical inspection: always look for sticker overlays on public QR codes before scanning

QR codes create several compounding security challenges for users and organizations. The encoded URL is entirely invisible without scanning, removing the primary user-level defense against malicious links. When a user scans a QR code with a smartphone camera app, many devices navigate to the URL with minimal confirmation — particularly on iOS, where tapping the URL preview banner in the camera app launches the browser immediately. The speed of this interaction reduces the time available for the user to evaluate the URL before the browser begins loading the potentially malicious content. Additionally, URLs within QR codes are frequently shortened using services like bit.ly, adding another layer of indirection that obscures the actual destination.

From an enterprise security perspective, QR code scanning on personal mobile devices often occurs outside of any enterprise security monitoring or control. An employee scanning a quishing QR code on their personal smartphone — which may not be enrolled in mobile device management — is entirely outside the visibility of email security gateways, web proxies, and endpoint detection tools that the organization relies on for threat detection. The credential harvesting site may perfectly replicate the organization's corporate login portal, and the employee may enter their username and password on a personal device that the security team has no visibility into, resulting in a credential compromise that is invisible to the organization until misuse is detected.

  • URL is invisible without scanning — no visual cue available to users before scanning
  • Mobile auto-navigation: on iOS, tapping the Camera app's URL preview banner launches the browser immediately
  • URL shorteners in QR codes: add obscurity layer on top of the already-invisible QR encoding
  • Personal device scanning: outside enterprise security monitoring, MDM, and web proxy controls
  • Email gateway bypass: QR code images are not scanned by most URL-scanning email security gateways

Safe QR code handling begins with previewing the destination URL before navigating. The iOS Camera app displays a URL preview banner at the top of the screen when pointing at a QR code — read this URL carefully before tapping. Verify that the domain name matches the expected organization: microsoft.com is legitimate, while micros0ft.com or microsoft-verify.com are not. For Android users, using a dedicated QR scanner app that displays the full URL before opening — rather than the default camera app's immediate navigation behavior — provides an additional review moment. Never scan a QR code received in an unsolicited email, text message, or social media message without first verifying the sender's identity through an independent channel.

In physical environments, inspect QR codes for signs of tampering before scanning. Overlay stickers can sometimes be identified by texture differences, misalignment, or the edges of the sticker being visible at angles. Legitimate QR codes installed by businesses are typically printed directly on permanent signage rather than on removable sticker paper. When a QR code is on sticker paper affixed to another surface — as tampered parking meter codes often are — this warrants extra scrutiny. If the URL revealed by scanning a QR code does not match the context in which the QR code was presented (for example, a parking payment QR code that leads to a different domain than the parking company's website), do not proceed.

  • Always read the URL preview before tapping — iOS Camera shows a banner; verify the domain name carefully
  • Check the domain carefully: look for typosquatting, extra subdomains, and misleading domain names
  • Inspect physical QR codes for sticker overlays — look for sticker edges and texture inconsistencies
  • Never scan unsolicited QR codes received in email or text without independent sender verification
  • Use a dedicated scanner app that shows the full URL before navigation rather than auto-launching
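The domain check described above, applied to a URL decoded from a QR code, as an added Python example rather than code from the article or from EP Cybertools. The shortener list and the digit-for-letter homoglyph map are constructed assumptions, and the registrable-domain helper deliberately ignores multi-part public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): a short list of shortener hosts and the
# digit-for-letter swaps most often seen in look-alike domains.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

def registrable_domain(host):
    """Last two labels of a host (simplification: ignores multi-part suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_qr_url(url, expected_domains):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "block", ["not an http(s) URL with a host"]
    reasons = []
    if parts.username is not None:  # https://brand.com@evil.example puts the real host after '@'
        reasons.append("userinfo before '@' hides the real host")
    if parts.scheme == "http":
        reasons.append("plain http, not https")
    if host in URL_SHORTENERS:
        return "review", reasons + ["shortener hides the final destination; expand it first"]
    domain = registrable_domain(host)
    expected = {d.lower() for d in expected_domains}
    if domain in expected:  # legitimate subdomains such as login.<brand> land here
        return ("review" if reasons else "allow"), reasons
    sld, labels = domain.split(".")[0], host.split(".")
    for exp in expected:
        brand = exp.split(".")[0]
        if sld.translate(HOMOGLYPHS) == brand:
            reasons.append(f"homoglyph look-alike of {exp}")
        elif edit_distance(sld, brand) <= 1:
            reasons.append(f"one edit away from {exp}")
        elif brand in labels or brand in sld:
            reasons.append(f"brand '{brand}' used inside unrelated domain {domain}")
    if not reasons:
        reasons.append(f"{domain} is not an expected domain {sorted(expected)}")
    return "block", reasons
```

The expected domain comes from the context the code was presented in (the parking operator's website, the company's login portal), which is exactly the comparison the article asks the user to make by eye.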

Organizations should include QR code phishing scenarios in their security awareness training programs and simulated phishing campaigns. Most commercial phishing simulation platforms now support QR code-based simulation templates. Employees who scan simulated quishing codes without verifying the URL are identified for targeted remediation training. Including QR code scenarios alongside traditional link-based phishing simulations ensures that security awareness training reflects the full current threat landscape and does not create a false sense that only hyperlink phishing requires caution.

Technical controls include configuring email security gateways to extract and inspect URLs encoded in QR code images using optical character recognition (OCR) and image analysis capabilities — several enterprise email security platforms including Microsoft Defender for Office 365 and Proofpoint have added this capability. Mobile Device Management (MDM) solutions can restrict which QR scanner applications are permitted on managed devices and can enforce browser security policies that provide additional time for URL review before navigation. Establishing clear organizational policy that financial transactions, credential entry, and sensitive data submission requested via QR code require secondary verification through a known-good channel prevents the most damaging quishing outcomes.

  • Include QR code phishing scenarios in security awareness training and simulated phishing campaigns
  • Email security gateways: look for OCR-based QR code URL extraction and scanning capabilities
  • MDM: restrict unauthorized QR scanner apps and enforce browser security policies on managed devices
  • Policy: require secondary verification for financial transactions or credential entry prompted by QR code
  • Physical security: regularly inspect QR codes on company premises for unauthorized overlay stickers


About the Author

EP Cybertools Security Team

