Malicious QR code scams
Attackers embed malicious URLs in QR codes placed in emails, on flyers, on parking meters, or over legitimate QR codes in public spaces. Scanning them redirects to fake login pages or malware downloads. The technique bypasses email security tools that cannot parse QR image content.
What we know
QR codes are machine-readable images that encode URLs and other data. They are widely trusted because they appear associated with physical objects or official communications. Attackers exploit this trust by embedding URLs that point to phishing sites, malware downloads, or tracking pages. Because the URL is encoded visually rather than as clickable text, many email security gateways and spam filters cannot inspect the destination, making QR code phishing (often called "quishing") an effective bypass of standard defenses.
Attack scenarios include emails claiming to be from payroll, HR, or IT departments with a QR code to 'update your password' or 'verify your account'; QR codes stuck over legitimate codes on restaurant menus, parking meters, or package delivery notifications; and targeted spear-phishing where specific individuals receive contextually plausible QR codes. The FBI has issued specific warnings about state-sponsored actors (including the North Korean Kimsuky group) using QR code phishing in intelligence operations.
Protection requires treating QR codes the same way as links in emails: if unexpected, do not scan without verification. After scanning, inspect the URL in the browser address bar before entering any information. Never enter login credentials immediately after scanning a QR code. Organizations can deploy mobile device management software that evaluates QR-linked URLs before loading them. Report suspicious QR codes to the FBI IC3 or CISA.
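The URL inspection step described above, as an added example that is not part of the original page: a small triage routine of the kind a scanner app or mobile device management hook could run on the string decoded from a QR image before the browser opens it. It assumes the image has already been decoded to text (by the scanner or a library such as pyzbar); the trusted host names and the sample payloads are constructed for illustration and are not real sites.

```python
"""Triage of URLs decoded from QR codes before they are opened.

Added example, not from the original page. It assumes the QR image has
already been decoded to a string; only the decoded payload is inspected.
"""
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Hypothetical allowlist of the organization's own login hosts (constructed).
TRUSTED_HOSTS = {"login.example-corp.com", "hr.example-corp.com"}

# Schemes a QR payload is allowed to launch. Anything else (javascript:,
# file:, custom app schemes) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Query parameters commonly used to carry a secondary destination
# (open-redirect style). Their presence is flagged for review.
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "goto", "dest"}


def _host_is_ip(host: str) -> bool:
    """True if the host part is a bare IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _lookalike(host: str) -> bool:
    """True if host resembles a trusted host without being one.

    Two heuristics: a trusted name used as a sub-label of another domain
    (login.example-corp.com.evil.test), or a registrable label that differs
    from a trusted one by exactly one character (example-c0rp).
    """
    for trusted in TRUSTED_HOSTS:
        if host == trusted:
            return False
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return True
        t_core = trusted.split(".")[-2]          # e.g. "example-corp"
        h_parts = host.split(".")
        if len(h_parts) >= 2:
            h_core = h_parts[-2]
            if h_core != t_core and len(h_core) == len(t_core):
                if sum(a != b for a, b in zip(h_core, t_core)) == 1:
                    return True
    return False


def triage(payload: str) -> dict:
    """Return a verdict ('allow', 'review' or 'block') for one decoded payload."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"disallowed scheme '{scheme or 'none'}'")
    if scheme == "http":
        findings.append("plaintext http")
    if "@" in parts.netloc:
        findings.append("userinfo in netloc (real host may be disguised)")
    if _host_is_ip(host):
        findings.append("IP literal instead of hostname")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label in host")
    if _lookalike(host):
        findings.append("host resembles a trusted host")
    for key in parse_qs(parts.query):
        if key.lower() in REDIRECT_PARAMS:
            findings.append(f"redirect parameter '{key}'")

    if findings:
        verdict = "block"
    elif host in TRUSTED_HOSTS:
        verdict = "allow"
    else:
        verdict = "review"          # unknown host: show the user the URL first
    return {"url": payload, "host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner might decode them.
    SAMPLES = [
        "https://login.example-corp.com/reset",
        "http://192.168.1.10/login",
        "https://login.example-corp.com.evil.test/reset",
        "https://example-c0rp.com/login",
        "https://shop.example-vendor.test/menu",
        "https://login.example-corp.com/go?next=https://evil.test",
        "javascript:void(0)",
    ]
    for s in SAMPLES:
        r = triage(s)
        print(f"{r['verdict']:6}  {s}  {'; '.join(r['findings'])}")
```

The routine deliberately returns "review" rather than "allow" for an unknown but clean-looking host: the page's guidance is to inspect the address bar before entering anything, and an allowlist can only vouch for hosts it knows.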
Common claims
- QR codes are safe because they come from physical objects. False: QR code stickers can be placed over legitimate codes anywhere.
- Email security tools catch malicious QR codes. Often false: QR images bypass filters that scan text links.
- Scanning a QR code cannot install malware. False: scanning can direct to drive-by malware download pages.