A guide to understanding and avoiding a new type of cyberattack that targets both individuals and organizations


QR codes are everywhere in our modern lives, easily linking us to restaurant menus, websites, and apps with a quick scan from our phones. However, as we use QR codes more often, we also face more risks from attackers. This is how QR code phishing works and how it’s becoming more common.

QR code phishing, also known as quishing is a type of cyberattack that has been growing steadily in popularity. In fact, according to one report, one QR phishing campaign increased by 2,400% since May 2023.

This article will teach you how to identify and prevent QR Code phishing.

What is QR Code Phishing?

QR codes are square-shaped images that contain information such as URLs, contact details, or payment information. They are often used to simplify and speed up the process of accessing websites, making payments, or sharing information. However, they can also be used by cybercriminals to trick you into visiting malicious websites, downloading malware, or giving away your personal or financial information. This is called QR code phishing, and it is a new type of cyberattack that targets your smartphone.

QR code phishing works by exploiting the trust and convenience that QR codes offer. You may scan a QR code that you see on a poster, a flyer, a product, or a website, expecting it to take you to a legitimate site or service. However, the QR code may have been tampered with or replaced by a hacker, and it may redirect you to a fake site that looks like the real one. There, you may be asked to enter your login credentials, your credit card details, or other sensitive information. Alternatively, the QR code may download a malicious app or file on your phone, which can compromise your device and data.

Example of what a QR Code scam looks like

5 Common Scenarios of QR Code Scams

QR code email scam

Scammers often send phishing emails with QR codes in them. This method is called “quishing.” These emails will pretend to be from a reputable company and ask you to scan the QR code in their email. For example, they may say that your payment for an online order was unsuccessful, and you need to scan the QR code to enter your credit card information again. If victims scan the QR code, they will go to a website that looks legitimate, and enter their payment information. Then, the cybercriminal will have their credit card information.

QR code payment scam

QR codes can be used by legitimate businesses for contactless payments. Using QR codes for payments became very popular during the peak of the COVID-19 pandemic since it allowed customers to buy things without touching card readers, reducing the risk of infection. However, scammers can put QR codes in public places to take your money or credit card information. For example, criminals have put signs in parking lots telling people that they can scan the QR code to pay for parking. The QR code would take drivers to a website that looked real but wasn’t

QR code package scam

If you ever get a strange package in the mail with a QR code, don’t scan it. In this kind of QR code fraud, criminals will send you a package in the mail that you never ordered. There’s a QR code inside the package (or on the box) that you can scan to get more details about the order or to send your order back. The QR code will take you to website that asks you to enter your personal information, like your credit card number.

QR code cryptocurrency scam

QR codes are often used for crypto transactions. However, criminals can use QR codes to steal cryptocurrency from victims. They may contact you offering a “giveaway” that says you can get twice the crypto if you send them crypto first. However, you’ll never get any crypto back. Scammers may also invite you to join an “investment” and ask you to send them crypto. These scammers disappear with your crypto and you’ll probably never hear from them again.

QR code donation scam

Scammers may copy a charity or make a fake charity to take your money or credit card information. They may put QR codes on flyers or send them to you through text or email asking you donate money to a cause.


How to Avoid QR Code Phishing?

QR code phishing can be difficult to spot, as you may not be able to see the URL or the destination of the QR code before you scan it. However, there are some steps you can take to protect yourself and your smartphone from this danger. Here are some tips to avoid QR code phishing:

  • Be cautious where you scan. Only scan QR codes from reliable sources, such as official websites, products, or services. Don’t scan QR codes from unknown or dubious sources, such as unwanted emails, messages, or ads.
  • Use a QR code scanner app that has security features. Some QR code scanner apps can identify and warn you if a QR code is harmful or leads to a phishing site. You can also use a QR code scanner app that lets you preview the URL or the content of the QR code before you open it.
  • Check the URL or the site before you enter any information. If you scan a QR code and it takes you to a website, make sure that the URL matches the expected site and that it has a secure connection (https). Look for any signs of phishing, such as spelling mistakes, poor design, or unusual requests.
  • Do not download or open any files or apps from QR codes. QR codes should not ask you to download or install anything on your phone. If a QR code asks you to do so, do not continue and delete the file or app right away.
  • Keep your phone and apps updated. Make sure that your phone and apps have the latest security patches and updates, which can help you prevent malware infections and phishing attacks.

How Microsoft Technologies Can Help?

Microsoft offers a range of technologies and solutions that can help you stay safe from QR code phishing and other cyberthreats. Some of these include:

Microsoft 365 Defender.  This is an enterprise grade security solution that provides best in class mail filtering. It can identify threats, including quishing, and quarantine the malicious messages before they reach your inbox.

Microsoft Defender for Endpoint. This is a cloud-based security solution that provides comprehensive protection for your devices, data, and identity. It can detect and block malicious QR codes, websites, apps, and files, and it can alert you of any suspicious or risky activities on your phone.

Microsoft Authenticator. This is an app that enables you to use two-factor authentication (2FA) for your online accounts, which adds an extra layer of security to your login process. It can also scan QR codes and verify their authenticity, and it can generate secure passwords for your accounts.

Microsoft Edge. This is a web browser that has built-in security and privacy features, such as SmartScreen, Tracking Prevention, and InPrivate mode. It can warn you of any phishing or malicious sites that you may encounter, and it can block unwanted ads and trackers.



By following these tips, you can enjoy the benefits of QR codes without putting yourself at risk of QR code phishing. Remember, always think before you scan, and stay vigilant of any suspicious or unexpected QR codes.

If you want to bolster your cybersecurity, feel free to reach out to Softlanding. We have a number of services or solutions to help you prevent, detect and remediate phishing attacks

Written By:


Softlanding is a long-established IT services provider of transformation, professional services and managed IT services that helps organizations boost innovation and drive business value. We are a multi-award-winning Microsoft Gold Partner with 13 Gold Competencies and we use our experience and expertise to be a trusted advisor to our clients. Headquartered in Vancouver, BC, we have staff and offices in Toronto, Montreal and Calgary to serve clients across Canada.

More By This Author