Types of QR code fraud risks: your 2026 guide

TL;DR:
- QR code fraud exploits methods like phishing and session hijacking, with over 11,000 malicious codes detected daily. Attackers use techniques such as Quishing, cloning, QRLjacking, and malicious commands to bypass defenses and target users physically and digitally. Combining user vigilance with monitoring tools is essential to protect devices, finances, and brand reputation.
QR code fraud risks are the methods attackers use to exploit QR codes for phishing, malware delivery, session hijacking, and financial theft. Security researchers now record over 11,000 malicious QR codes detected daily, and the share of phishing campaigns using QR codes has risen from under 1% in 2021 to roughly 12% by 2023. The core attack categories have industry names: Quishing, QRLjacking, and QR code cloning. Each exploits a different vulnerability, whether technical or behavioural. Understanding the types of QR code fraud risks gives you the knowledge to protect your devices, your finances, and your business.

1. What are the main types of QR code fraud risks?
QR code fraud covers four primary attack categories: Quishing (QR phishing), QR code cloning, QRLjacking (session hijacking), and malicious command or download attacks. Each method targets a different weakness. Quishing exploits email and document trust. Cloning exploits physical context. QRLjacking exploits app authentication flows. Malicious downloads exploit device permissions. Knowing which type you face determines the right defence.
Up to 80% of Quishing attacks evade detection because attackers use new, unindexed infrastructure that reputation filters have never seen before. That figure explains why technical defences alone are not enough. Human awareness is the critical second layer.
2. What is Quishing and how does it trick victims?
Quishing is QR code phishing. An attacker embeds a malicious QR code inside an email, PDF, or printed document, directing the victim to a fake login page designed to steal credentials or install malware. The term combines “QR” and “phishing” and is now the recognised industry label for this attack class.
Traditional email security gateways cannot decode QR codes inside images. They inspect text, not the data encoded in an image, so a QR code embedded in an attached PDF passes straight through filters that would catch the same malicious URL typed in plain text. This creates a significant blind spot for organisations relying on legacy gateway protection.
Advanced Quishing campaigns go further. Attackers embed QR codes inside PDFs or Word documents, attaching them to emails that appear to come from trusted senders such as HR departments or finance teams. Once the victim scans the code, the attack chain can lead to full credential compromise in under six minutes.
Some campaigns personalise the attack. Attackers encode the victim’s email address in base64 within the QR code URL, so the fake login page pre-fills the victim’s address. This makes the scam look far more credible and significantly increases the success rate.
- Fake Microsoft 365 or Google Workspace login pages are the most common Quishing destinations.
- Attackers frequently use multi-factor authentication (MFA) bypass techniques alongside Quishing to capture session tokens, not just passwords.
- Quishing emails often impersonate payroll notifications, parcel delivery alerts, or IT security warnings to create urgency.
- The victim’s personal mobile device, used to scan the code, sits outside corporate network protection.
Pro Tip: If an email asks you to scan a QR code rather than click a link, treat it with the same suspicion you would give an unexpected password reset request. The format change is deliberate.
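The personalised variant above (victim address base64-encoded in the URL) is easy to surface in URL triage. The following is an added example, not code from the original post or from Qrlytics; it decodes base64-looking segments from a URL's query, fragment and path and flags those that decode to an email address. The sample URLs are constructed and the `.invalid` hosts are placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample URLs; ".invalid" hosts are placeholders, not real indicators.
SAMPLE_URLS = [
    "https://login-example.invalid/auth?u=YWxpY2VAZXhhbXBsZS5jb20=",  # email in query
    "https://login-example.invalid/verify#YWxpY2VAZXhhbXBsZS5jb20",   # email in fragment, padding stripped
    "https://example.com/docs?page=3",                                # benign
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# Base64 (standard or URL-safe alphabet) runs of 12+ chars; shorter runs give too many false hits.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")


def decode_b64_lenient(token):
    """Decode a base64 token whose padding may have been stripped; None if it is not text."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    urlsafe = "-" in stripped or "_" in stripped
    decoder = base64.urlsafe_b64decode if urlsafe else base64.b64decode
    try:
        return decoder(padded).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def find_encoded_emails(url):
    """Return email addresses hidden as base64 in a URL's query, fragment or path."""
    parts = urlsplit(url)
    # parse_qsl turns '+' into a space; base64 uses '+', so restore it before decoding.
    values = [v.replace(" ", "+") for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(unquote(parts.fragment))
    values.extend(parts.path.split("/"))
    found = []
    for value in values:
        for token in B64_RE.findall(value):
            decoded = decode_b64_lenient(token)
            if decoded and EMAIL_RE.match(decoded):
                found.append(decoded)
    return found


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", find_encoded_emails(url) or "no encoded address")
```

A hit does not prove phishing on its own, but a login URL that carries the recipient's own address encoded in it is a strong signal worth routing to review.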
3. How cloning attacks manipulate QR codes in public spaces
QR code cloning means placing a fraudulent code over or beside a legitimate one in a physical location. The attacker prints a sticker with their own QR code and pastes it on top of a genuine code at a parking meter, restaurant table, shop counter, or public notice board. The victim scans what appears to be an official code and is redirected to a fraudulent payment page or credential-harvesting site.
Users cannot read QR code contents before scanning, so they rely entirely on the physical context to judge whether a code is trustworthy. Attackers exploit this trust directly. A code stuck to a council parking meter looks official. A code on a restaurant table looks like the menu. The physical environment does the social engineering.
The consequences of scanning a cloned code range from diverted payments to full identity theft. In payment contexts, victims enter card details on a convincing fake checkout page. In credential contexts, they log in to a spoofed site and hand over usernames and passwords.
- Inspect the physical code before scanning. Look for stickers placed over an original printed code, misaligned edges, or a different visual style from surrounding materials.
- Check the URL your scanner previews before you open it. A parking payment URL should match the official council or operator domain.
- If a QR code in a public space asks for payment, verify the destination domain against the official website of the business or authority.
- Report suspicious codes to the venue or authority responsible for the location.
Pro Tip: Gently run your finger over a QR code in a public space. A sticker overlay often has a raised edge you can feel before you scan.
4. What is QRLjacking and its risks to user authentication?
QRLjacking is a session hijacking attack that targets applications using QR codes for login. Many apps, including messaging platforms, display a QR code on a desktop login screen. The user scans it with their authenticated mobile app to log in without typing a password. Attackers clone this login QR code and trick the victim into scanning the attacker’s version instead, transferring the session token to the attacker’s device.
Researchers have found over 35,000 QR codes containing Telegram deep links used for session hijacking. Telegram is one example, but any application that uses QR codes for authentication is a potential target. The attack bypasses standard password defences entirely because no password is involved.
- The attacker generates a fresh login QR code from the target application.
- They embed it in a phishing page that mirrors the real login interface.
- The victim scans it, believing they are logging in to the legitimate service.
- The attacker’s session is authenticated instead, giving them full account access.
- The victim sees no error and may not realise the account has been compromised.
QRLjacking is particularly dangerous because it can defeat MFA. The session token transferred to the attacker is already authenticated, so additional verification steps have already been completed by the victim.
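Because the victim's own device does the approving, the server cannot tell a relayed login QR from a genuine one. What it can do is keep the token short-lived and single-use, bind collection of the session to the browser that requested it, and give the mobile app the origin details (requesting browser's IP and user agent) to display before the user approves, so an unfamiliar location or browser is visible at the moment it matters. The following is an added example, a constructed toy model rather than any real app's implementation; the token TTL and the session-string format are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumption: a relayed login QR should go stale quickly


class QrLoginServer:
    """Constructed toy QR-login backend for this example, not any real app's implementation."""
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised without sleeping
        self.pending = {}       # token -> {"origin", "issued", "session"}

    def issue_login_qr(self, browser_ip, user_agent):
        """A desktop browser asks for a login QR; record which browser asked."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"origin": (browser_ip, user_agent),
                               "issued": self.clock(), "session": None}
        return token

    def _alive(self, token):
        record = self.pending.get(token)
        if record is None:
            return None
        if self.clock() - record["issued"] > TOKEN_TTL_SECONDS:
            del self.pending[token]     # stale tokens are dropped, never honoured late
            return None
        return record

    def scan_context(self, token):
        """Origin details the mobile app must show before asking the user to approve."""
        record = self._alive(token)
        if record is None:
            return None
        browser_ip, user_agent = record["origin"]
        return {"browser_ip": browser_ip, "user_agent": user_agent}

    def approve(self, token, user):
        """Mobile app reports approval; the token is single-use, so a replay fails."""
        record = self._alive(token)
        if record is None or record["session"] is not None:
            return None
        record["session"] = f"sess-{user}-{secrets.token_hex(4)}"
        return record["session"]

    def collect(self, token, browser_ip, user_agent):
        """Only the browser that requested the token may pick up the session, and only once."""
        record = self.pending.get(token)
        if record is None or record["session"] is None or record["origin"] != (browser_ip, user_agent):
            return None
        return self.pending.pop(token)["session"]
```

In a QRLjacking scenario the attacker's browser is the legitimate requester, so the origin check alone does not block the attack; the defence is that `scan_context` shows the victim a browser and address they do not recognise, and the TTL limits how long a relayed code stays usable.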
5. Malicious downloads and hidden commands triggered by QR codes
QR codes do not only open web pages. Modern mobile devices support QR code actions including initiating phone calls, sending pre-written text messages, joining Wi-Fi networks, and triggering in-app payment flows. Each of these actions expands the attack surface beyond simple credential theft.
A malicious QR code can silently connect a device to an attacker-controlled Wi-Fi network, enabling traffic interception. Another can initiate a premium-rate phone call. A third can trigger an automatic app download from a third-party source outside the official app stores.
Dynamic QR codes let attackers change the destination URL after the code has already been printed and distributed. A code that pointed to a legitimate site at the time of printing can be silently redirected to a malware download page weeks later. Static URL reputation checks become useless against this method.
| Attack method | How it works | Detection outlook |
|---|---|---|
| Static malicious URL | Code points directly to a known bad domain | May be caught by URL reputation filters |
| Dynamic URL redirect | Destination changed after distribution | Reputation checks only see the original, clean URL |
| URL shortener routing | Legitimate shortener masks the final destination | Trusted domain passes gateway filters |
| Cloud storage redirect | File hosted on Google Drive or OneDrive | Trusted platform bypasses content filters |
Attackers also route QR code URLs through trusted domains such as URL shorteners or cloud storage services. The gateway sees a reputable domain and allows the request through. The victim’s device then follows the redirect to the malicious final destination.
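A scanner that previews the decoded payload can classify the action it would trigger (Wi-Fi join, call, SMS, URL) and flag the routing tricks described above before anything runs. The following is an added example, not code from the original post or from Qrlytics; the shortener and cloud-storage host lists are small constructed watchlists, and the risk levels are this example's own scoring.

```python
from urllib.parse import urlsplit

# Constructed watchlists for the demo; a real deployment would use maintained feeds.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
SIDELOAD_SUFFIXES = (".apk", ".ipa", ".mobileconfig")


def parse_wifi(payload):
    """Parse the common 'WIFI:T:WPA;S:ssid;P:pass;H:true;;' layout (escaped ';' not handled)."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value
    return fields


def classify_qr_payload(payload):
    """Classify decoded QR content by the action it triggers and flag risk before it runs."""
    text = payload.strip()
    upper = text.upper()
    reasons = []
    if upper.startswith("WIFI:"):
        wifi = parse_wifi(text)
        reasons.append(f"joins Wi-Fi network {wifi.get('S', '?')!r} (auth {wifi.get('T', 'none')})")
        if wifi.get("H", "").lower() == "true":
            reasons.append("hidden SSID")
        return {"action": "wifi_join", "risk": "high", "reasons": reasons}
    if upper.startswith("TEL:"):
        return {"action": "call", "risk": "medium", "reasons": [f"dials {text[4:]}"]}
    if upper.startswith(("SMSTO:", "SMS:")):
        return {"action": "sms", "risk": "medium", "reasons": ["sends a pre-written text message"]}
    if upper.startswith(("HTTP://", "HTTPS://")):
        parts = urlsplit(text)
        host = parts.hostname or ""
        risk = "low"
        if parts.scheme == "http":
            reasons.append("plain HTTP, no transport protection")
            risk = "medium"
        if host in SHORTENER_HOSTS:
            reasons.append("URL shortener hides the final destination")
            risk = "medium"
        if host in CLOUD_STORAGE_HOSTS:
            reasons.append("trusted cloud host; hosted file or redirect still unverified")
            risk = "medium"
        if parts.path.lower().endswith(SIDELOAD_SUFFIXES):
            reasons.append("direct app or profile download outside the official store")
            risk = "high"
        return {"action": "open_url", "host": host, "risk": risk, "reasons": reasons}
    return {"action": "unknown", "risk": "medium", "reasons": ["unrecognised payload format"]}
```

For a dynamic code the payload only shows the management platform's redirector, so this check has to be repeated against the resolved destination at scan time, not once at print time.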
6. How to identify and protect yourself from QR code security threats
Protecting yourself from QR code fraud requires a combination of technical tools and consistent habits. No single measure covers every attack type. The most effective approach layers behavioural checks on top of technical controls.
- Preview the URL before opening it. Most modern smartphone cameras and dedicated scanning apps such as Kaspersky QR Scanner display the destination URL before launching it. Never skip this step.
- Distrust urgency. Quishing and cloning attacks almost always create time pressure. A parking meter that “expires in two minutes” or an email warning your account “will be suspended today” are pressure tactics designed to stop you thinking clearly.
- Avoid entering credentials on QR-driven sites. If a QR code takes you to a login page, navigate to that service directly through your browser instead. This eliminates the risk of landing on a spoofed page.
- Check physical codes for tampering. Look for sticker overlays, misaligned printing, or codes that appear inconsistent with the surrounding materials.
- Use MFA on all accounts. While QRLjacking can bypass MFA in some scenarios, hardware security keys such as those from Yubico remain resistant to session token theft.
- Keep mobile operating systems updated. Patched devices are harder to exploit through malicious app downloads triggered by QR codes.
Businesses running QR code campaigns should monitor their codes actively. Scan analytics can reveal unexpected spikes in traffic from unusual locations, which may indicate a cloned or hijacked code. Qrlytics provides real-time scan tracking that helps businesses spot anomalies before they escalate.
Pro Tip: For business QR codes printed on physical materials, use a dynamic code from a trusted platform. If a code is ever compromised, you can update the destination URL without reprinting a single poster or leaflet.
For a broader view of QR data privacy in campaigns, the Qrlytics blog covers GDPR-compliant practices and how to structure campaigns that protect both your customers and your brand.
Key takeaways
QR code fraud exploits the fundamental fact that users cannot read a code’s content before scanning it, making awareness and verification the most reliable defences.
| Point | Details |
|---|---|
| Quishing bypasses email gateways | QR codes in PDFs and images evade text-based filters, so treat any emailed QR code with suspicion. |
| Cloning targets physical trust | Inspect public QR codes for sticker overlays before scanning, especially at payment points. |
| QRLjacking steals sessions, not passwords | Apps using QR code login are vulnerable; only scan login codes from verified, official interfaces. |
| Dynamic codes can change destination | A code that was safe when printed may not be safe later; use platforms with destination monitoring. |
| Layered defences work best | Combine URL preview habits, MFA, updated devices, and scan analytics to cover all attack types. |
QR code fraud is outpacing most defences
The thing that strikes me most about QR code fraud is how elegantly it sidesteps the security habits people have spent years building. You have trained yourself not to click suspicious links in emails. You know to check the sender address. You look for the padlock in the browser. None of that helps when the threat is a small square of pixels on a piece of paper.
The shift from email links to QR codes is not accidental. Attackers moved there precisely because our defences had not caught up. Legacy gateways cannot read data matrices. Corporate security perimeters do not extend to personal mobile devices. And the human brain, faced with a physical object in a trusted environment, extends a level of trust it would never give to a cold email.
What concerns me most is the dynamic redirect problem. A business prints 10,000 leaflets with a QR code pointing to a perfectly legitimate page. Six months later, the code management platform changes hands, gets compromised, or simply redirects to a malicious site. The business has no idea. The printed materials are still in circulation. This is not a hypothetical. It is a structural weakness in how most QR code infrastructure is built.
The answer is not to stop using QR codes. They are genuinely useful. The answer is to use them with the same discipline you apply to any other digital asset: know where they point, monitor them actively, and retain the ability to change the destination if something goes wrong. Human vigilance matters, but it needs to be backed by tools that give you real visibility.
Qrlytics: QR code tools built with security in mind
Understanding QR code fraud is the first step. The second is making sure the codes you create and distribute are not part of the problem.

Qrlytics gives you full control over your QR codes from creation through to ongoing monitoring. The free QR code generator lets you create codes instantly without a credit card. The dynamic QR code generator lets you update destinations at any time, so you are never locked into a URL that could become a liability. Real-time scan analytics flag unusual activity, giving you early warning if a code is being misused. Every code created during an active Qrlytics subscription remains functional permanently, removing the risk of broken links that attackers exploit. For businesses running QR campaigns at scale, that combination of control, visibility, and permanence is a meaningful security advantage.
FAQ
What is Quishing?
Quishing is QR code phishing. Attackers embed malicious QR codes in emails, PDFs, or printed materials to direct victims to fake login pages or malware downloads.
How can I tell if a QR code is safe before scanning?
Use a scanning app that previews the destination URL before opening it, and check the URL matches the expected domain. Inspect physical codes for sticker overlays.
Can QR codes install malware on my phone?
Yes. A QR code can link to a malicious app download or trigger device commands. Keeping your mobile operating system updated reduces the risk of exploitation.
What is QRLjacking?
QRLjacking is a session hijacking attack where an attacker tricks a victim into scanning a cloned login QR code, transferring the authenticated session to the attacker’s device.
How do dynamic QR codes create security risks?
Dynamic QR codes allow the destination URL to be changed after the code is printed. Attackers use this to redirect a previously safe code to a malicious site, making one-time reputation checks ineffective.