QR code phishing ("quishing") embeds the malicious URL in a QR code image rather than in a clickable link. An email security tool that only scans link text never sees a URL, just an image, so the message passes. The recipient's phone camera then decodes and opens the URL, off the corporate device and before any of its security checks can run.
Analysis Briefing
- Topic: QR code phishing bypass techniques and defenses
- Analyst: Mike D (@MrComputerScience)
- Context: Originated from a live reader session
- Source: Pithy Cyborg
- Key Question: Why does the standard phishing advice about hovering over links not apply to QR codes?
Why QR Codes Defeat Email Security Tools
Corporate email security gateways scan incoming messages for malicious links. They follow the links, check the destinations against threat intelligence databases, and block or flag messages containing known malicious URLs.
A QR code is an image. A gateway that does not decode image content sees a JPEG or PNG (inline or attached), not a URL, and cannot follow a link that exists only as a visual pattern. The malicious URL reaches the recipient's inbox without triggering the link-scanning control. Several major gateways now do decode QR codes found in messages; the attacker's response is to obscure the code (see the table below) or to point it at a clean first hop that only later redirects to the phishing page.
When the recipient scans the code with their phone camera, the URL is extracted and opened in the phone’s browser. If the recipient is using their personal phone rather than a managed corporate device, no corporate security controls apply at all. The attacker has routed the attack through a channel with no security inspection.
| Defense Layer | Why It Fails with QR Codes | 2026 Attacker "Workaround" |
|---|---|---|
| Email Gateway | A gateway that does not decode images sees a PNG/JPG, not a link. | AI-generated art: hiding codes inside complex, "pretty" AI images that pass for logos. |
| Browser Filters | Mobile browsers often truncate or hide the full URL. | Legitimate cloud hosting: a first hop on a trusted provider's domain (an AWS- or Cloudflare-hosted page) so reputation checks pass. |
| The "Hover" Rule | You cannot "hover" over a printed or on-screen QR code. | Sense of urgency: "Scan to avoid account lockout" triggers fast, lizard-brain reactions. |
| Network Security | The scan happens over 5G/LTE, bypassing corporate Wi-Fi filters. | MFA interception: an adversary-in-the-middle page proxies the real login in real time and steals the session token. |
The Scenarios Where QR Phishing Is Being Deployed
QR phishing appears most frequently in three contexts. Fake multi-factor authentication requests are the most common: a message claiming your account requires re-verification asks you to scan a QR code to confirm your identity. The code leads to a credential-harvesting page.
Fake document access requests use QR codes to deliver links to phishing pages that mimic SharePoint, OneDrive, or DocuSign. The target scans the code expecting to access a shared document and instead enters credentials on a spoofed page.
Physical QR code attacks appear in parking lots, public spaces, and conference events. Attackers place stickers over legitimate QR codes on parking meters, restaurant menus, and conference materials. The replacement code leads to malicious pages.
The Personal Device Problem in QR Phishing
The QR code attack is specifically effective because it routes through personal devices. A corporate laptop has endpoint management, browser security policies, and potentially a managed DNS resolver that blocks malicious domains. A personal phone scanning a QR code from a corporate email has none of these protections.
This is why QR phishing has grown as a specific attack category alongside the broader shift to mobile-first work. The attack is designed to route around the security controls on the managed device by redirecting the action to an unmanaged one.
How to Actually Inspect a QR Code Before Acting
Both iOS and Android surface a preview before opening anything when you scan a QR code with the native camera app, and that preview is worth reading before you tap. On current iOS the Camera app shows a banner near the bottom of the screen with the destination hostname (not the full path or query string), e.g. Open "example.com" in Safari. Android behavior varies by manufacturer and scanner (Google Lens shows the full URL), but similarly surfaces the destination before navigation.
A dedicated QR scanner app shows more than the native preview: the full decoded payload rather than just the hostname, and some will resolve a shortener by following the redirect chain (without rendering the page) before you decide whether to open anything. For high-sensitivity environments it is a reasonable upgrade.
One limitation worth knowing: many QR phishing campaigns use URL redirectors or legitimate intermediate services as a first hop. The QR code points to a clean-looking URL that immediately redirects to the phishing page. A URL preview that looks legitimate is not a guarantee the final destination is safe. The primary defense is not scanning unsolicited QR codes at all, not scanning them more carefully.
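The check a scanner app (or a security team triaging a reported QR code) would actually run on the decoded payload, as an added example that is not code from the original article: it applies the static checks this article lists (plain HTTP, userinfo before @, punycode/IDN hosts, URL shorteners, a brand name inside an unrelated registered domain) to the URL and then to every hop of its redirect chain, fetching each hop with a HEAD request that refuses to follow redirects so nothing from the final page is rendered. The brand and shortener lists, the domain names and the redirect map are constructed for the demo; the real network fetcher is `head_no_redirect`, replaced by the constructed map through the `fetch` parameter so the demo runs offline.

```python
"""Triage a URL decoded from a QR code before anyone opens it.
Added example for this article, not the page's own code. It assumes the QR image
is already decoded to a string (pyzbar or OpenCV's QRCodeDetector do that); the
brand/shortener lists, domain names and redirect map are constructed for the demo."""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

PROTECTED_BRANDS = ("microsoft", "sharepoint", "onedrive", "docusign")  # demo assumption
# Domains those brands legitimately use; the brand name in any other host is a lookalike.
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                 "sharepoint.com", "live.com", "docusign.com", "docusign.net"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "ow.ly"}  # not exhaustive

@dataclass
class Verdict:
    final_url: str
    hops: list
    warnings: list = field(default_factory=list)

    @property
    def safe_to_open(self) -> bool:
        return not self.warnings

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use the public suffix list for real use."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def static_checks(url: str) -> list:
    """Checks that need no network: scheme, userinfo, IDN, shortener, lookalike."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.scheme not in ("http", "https"):
        return [f"non-web scheme {p.scheme!r}"]
    warnings = []
    if p.scheme == "http":
        warnings.append("plain HTTP, not HTTPS")
    if p.username is not None:
        warnings.append("userinfo before @ (host-spoofing trick)")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("IDN/punycode host (possible homoglyph)")
    base = registrable_domain(host)
    if base in SHORTENERS:
        warnings.append(f"URL shortener {base}")
    for brand in PROTECTED_BRANDS:
        if brand in host and base not in LEGIT_DOMAINS:
            warnings.append(f"{brand!r} in host but registered domain is {base}")
    return warnings

def head_no_redirect(url: str):
    """One HEAD request that refuses to follow redirects; returns (status, Location
    or None). Real network call; the offline demo swaps it out via `fetch`."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # do not follow; urllib raises HTTPError for the 3xx instead
    try:
        req = urllib.request.Request(url, method="HEAD")
        with urllib.request.build_opener(NoRedirect).open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def resolve_chain(url: str, fetch=head_no_redirect, max_hops: int = 10) -> Verdict:
    """Walk the redirect chain hop by hop, running static_checks on every hop, so a
    clean-looking first hop that bounces to a lookalike is still caught."""
    hops = [url]
    warnings = [f"hop 0: {w}" for w in static_checks(url)]
    for n in range(1, max_hops + 1):
        status, location = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        hops.append(urljoin(hops[-1], location))
        warnings += [f"hop {n}: {w}" for w in static_checks(hops[-1])]
    else:
        warnings.append(f"more than {max_hops} redirects")
    first = registrable_domain(urlsplit(hops[0]).hostname or "")
    last = registrable_domain(urlsplit(hops[-1]).hostname or "")
    if first != last:
        warnings.append(f"redirected off {first} to {last}")
    return Verdict(hops[-1], hops, warnings)

# Constructed redirect map standing in for the network: the article's scenario of a
# clean cloud-hosted first hop, then a shortener, then a lookalike login page.
FAKE_NET = {
    "https://static.cloud-host.example/inv/4471": (302, "https://bit.ly/3xmpl"),
    "https://bit.ly/3xmpl": (301, "http://microsoft-login-verify.example/auth"),
}

def fake_fetch(url: str):
    return FAKE_NET.get(url, (200, None))

def demo() -> Verdict:
    return resolve_chain("https://static.cloud-host.example/inv/4471", fetch=fake_fetch)

if __name__ == "__main__":
    v = demo()
    print(" -> ".join(v.hops))
    print("SAFE" if v.safe_to_open else "DO NOT OPEN:\n  " + "\n  ".join(v.warnings))
```

Decoding the image itself is a separate step; this code starts from the string a decoder returns. Two deliberate simplifications: `registrable_domain` takes the last two labels, which is wrong for suffixes such as co.uk (use the public suffix list in anything real), and the HEAD request still reveals your IP and the request time to the first hop, which is why the article's primary advice is to not scan unsolicited codes at all rather than to inspect them more cleverly.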
For physical QR codes, check whether the code appears to be a sticker placed over an existing one. A sticker that does not perfectly match the surrounding material is a warning sign.
The Fingerprint Test ➞ Before scanning a QR code on a parking meter or a table-top menu, run your thumb over it. If you feel a raised edge or a sticker-like texture, do not scan it. Attackers are currently mass-deploying ‘Quishing Stickers’ over legitimate payment codes in major cities.
Why Conferences and Events Are the Highest-Risk QR Environment
Security conferences, industry events, and trade shows are particularly high-risk environments for QR phishing because QR codes are embedded in everything: session check-ins, sponsor booths, printed materials, badge scanners, and WiFi access points.
Attackers attend or target these events specifically because the audience is primed to scan QR codes as part of the normal event experience; skepticism drops because scanning feels routine. The density of high-value targets (security professionals, executives, and technical staff from specific organizations) makes the effort worthwhile.
The WiFi QR code attack is particularly effective at events. A physical card or small sign near a conference room offering "event WiFi" with a QR code joins the attendee's phone to an attacker-controlled network rather than the venue network; the phone shows only the network name before joining, and the attacker chooses that name. Once on the attacker's network, the attacker controls DNS answers, serves whatever captive-portal login page they like, and sees all unencrypted traffic, so credential harvesting becomes straightforward.
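What a Wi-Fi QR code actually tells the phone, as an added example that is not code from the original article: the payload is a small `WIFI:` record (`T:` auth type, `S:` SSID, `P:` password, `H:` hidden flag, terminated by `;;`, with backslash escapes for `\`, `;`, `,`, `:` and `"` inside values). The parser below handles those escapes and then lists reasons not to join, comparing the SSID in the code against the name obtained from a verified source as the article advises. The two payloads, SSIDs and password are constructed for the demo.

```python
"""Parse and sanity-check a Wi-Fi configuration QR payload before joining.
Added example for this article, not the page's own code. The WIFI: record format is
the one phones and generators use; the SSIDs and password below are constructed."""

def parse_wifi_qr(payload: str) -> dict:
    """Split a WIFI: payload into its fields, honouring the format's backslash escapes."""
    if payload[:5].upper() != "WIFI:":
        raise ValueError("not a Wi-Fi configuration payload")
    fields, buf, escaped = {}, [], False

    def flush():
        token = "".join(buf)
        buf.clear()
        if token:  # ';;' at the end yields empty tokens; skip them
            key, _, value = token.partition(":")
            fields[key.upper()] = value

    for ch in payload[5:]:
        if escaped:           # previous char was '\': take this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":       # unescaped ';' ends a field
            flush()
        else:
            buf.append(ch)
    flush()
    return fields

def assess_wifi_qr(payload: str, verified_ssid: str = None) -> list:
    """Reasons not to join, given the network name obtained from a verified source."""
    f = parse_wifi_qr(payload)
    auth = f.get("T", "").upper()
    warnings = []
    if auth in ("", "NOPASS"):
        warnings.append("open network: no encryption, anyone nearby reads your traffic")
    elif auth == "WEP":
        warnings.append("WEP: broken cipher, treat as open")
    if f.get("H", "").lower() == "true":
        warnings.append("hidden SSID: you cannot compare it against the visible network list")
    if verified_ssid is not None and f.get("S") != verified_ssid:
        warnings.append(f"SSID {f.get('S')!r} is not the verified name {verified_ssid!r}")
    return warnings

# Constructed payloads: the venue's real card and a "free Wi-Fi" card left on a table.
VENUE_CARD = "WIFI:T:WPA;S:Venue-Guest;P:c0ffee\\;2026;;"     # password contains an escaped ';'
TABLE_CARD = "WIFI:T:nopass;S:Venue-Guest Free;H:true;;"

def demo() -> dict:
    return {"venue": assess_wifi_qr(VENUE_CARD, verified_ssid="Venue-Guest"),
            "table": assess_wifi_qr(TABLE_CARD, verified_ssid="Venue-Guest")}

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "join" if not reasons else "; ".join(reasons))
```

The check cannot catch an evil twin that copies the venue's SSID exactly, which is the strongest argument for the article's advice to type credentials from a verified source and to use a VPN on any network you did not configure yourself.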
What This Means For You
- Never scan a QR code in an unsolicited email or message that requests authentication, credential confirmation, or document access. Go directly to the service instead. This is the primary defense, not careful scanning.
- Read the URL preview before tapping. Both iOS and Android show the destination (on iOS, the hostname only) before navigation. Look for lookalike domains, unusual subdomains, URL shorteners, and HTTP rather than HTTPS. Remember that a clean-looking first hop may redirect to a phishing page.
- Inspect physical QR codes for stickers placed over original codes before scanning in high-risk environments like parking meters and conference materials.
- At events, connect to WiFi by typing the network credentials from a verified source rather than scanning a QR code. Use a VPN on any network you did not configure yourself.
- Report QR phishing attempts to your IT department. They need to know the attack is bypassing email scanning controls.
