Follow ZDNET: Add us as a preferred source on Google.
ZDNET's key takeaways
The QR code in your email or attachment could be a scam.
QR code phishing bypasses MFA, leading to data theft.
How quishing attacks work, and what you can do to stay safe.
Ever had a QR code land in your inbox and curiosity get the better of you?
When we think of phishing and scams, many of the oldest tricks are those we still encounter daily -- emails claiming we have long-lost relatives who've left us an inheritance; 'Facebook' warning that our accounts will be frozen unless we reply promptly; fake lottery wins; and unwanted solicitations from so-called investors willing to transfer us millions of dollars.
Also: Mobile phishing is a bigger threat than email now
However, times are changing. Recruitment scams are becoming sophisticated enough to convince job seekers to engage; AI is being used to humanize and improve phishing attempts and even automate entire attack chains; and now, an attack vector is emerging that weaponizes QR codes to bypass multi-factor authentication (MFA), steal our data, and hijack our accounts.
Quishing: QR fraud on the rise
Quishing, or QR code-based phishing, embeds malicious links in QR codes to bypass traditional phishing filters and slip through security nets. The lure is the same: create a sense of urgency, appeal to our greed, instill fear and panic, or promise rewards for scanning the QR code with our phones and clicking the embedded link to visit an online page or platform.
Also: Microsoft goes all in on new AI-powered Windows security strategy
A QR code phishing scheme can take many forms. A fake message from your bank, an email congratulating you on a lottery win, or an urgent message from your social media provider. Once you've scanned the code and clicked the link, you could end up in a domain designed to steal your data or compromise an account you own.
According to Hoxhunt's 2026 Phishing Trends Report, basic QR-code phishing messages via email are on the decline, but they are re-emerging as an attack vector hidden in scam email attachments, such as in malicious PDFs.
Overall, QR code phishing attacks increased by 25% year-over-year. It's not just digital spaces, either, as QR codes have also been spotted in physical spaces, embedded in posters or emblazoned on fake business cards, according to the report.
How attackers dodge MFA defenses
Hothunt's research is supported by a June notice from Google's Trust & Safety team warning that traditional email attack vectors are being replaced by adversary-in-the-middle (AITM) and quishing attacks.
Quishing pairs with AITM by disguising malicious links in a format that's hard to read or detect by security filters. According to both Google and Microsoft, this is how it works: You receive a quishing email, and curiosity lures you into scanning the code. You are then sent to a cloned website that appears to be the domain of a trusted service, such as a bank, financial services provider, or even a work platform.
Also: How to make a QR code for free
You then submit your credentials, allowing the attacker to bypass existing multi-factor authentication (MFA) protections because you believe you are logging into a trusted website. They can then capture your password and session token, leading to data theft, account compromise, and more.
What makes this tactic more dangerous than traditional phishing, especially for businesses, is that victims use their handsets to scan a QR code, bypassing network-based security and safety nets, such as phishing detection.
The Microsoft Defender team has observed QR code-based cybercriminal campaigns growing from 10% to 30% of total phishing campaigns in recent months.
How to avoid falling for QR-code phishing
As QR codes hide destinations, links, and content in an image-like format, we can't see what is in them or verify their origins easily -- which is why blindly scanning and following a QR code is risky.
QR codes, especially those you aren't expecting, should be treated with the same suspicion as emailed links or attachments. Just because the format is different, the phishing angle remains the same: to coerce or exploit a victim's curiosity and lure them into clicking and visiting a malicious online resource. The only difference here is the delivery mechanism -- instead of a straightforward link or file, a victim uses a camera to scan.
Also: The best malware removal software: Expert tested and reviewed
The best advice here is to stay cautious. If you receive an email containing a QR code that appears to be from your bank, visit your bank's official website in a separate tab or open your bank's mobile app. Even if a message seems legitimate, for safety and security, you should not click links, open attachments, or scan QR codes unless you are completely sure the source is legitimate and the message's contents are safe.
Keep in mind, too, that QR code threats aren't limited to emails. See that QR code sticker slapped on a lamp post near your favorite store? Even physical QR code stickers can harbor a serious threat to your privacy and security.
View original source — ZDNet ↗


