🎯 Think of a QR code like a shortcut to a website. But just like you wouldn't trust a stranger handing you a random piece of paper, you shouldn't blindly scan QR codes. They can lead you to bad places that steal your info or infect your device.
What Happened
Phishing attacks are evolving, and one of the latest tactics involves malicious QR codes. These codes can be found on posters, websites, or even shared through messages. By scanning a QR code, users unknowingly expose themselves to phishing attempts that can lead to data theft or malware installation.
Recently, scammers have started to exploit QR codes in a new wave of traffic violation scams. Victims receive fake text messages impersonating state courts, claiming they have outstanding traffic violations. These messages pressure recipients to scan a QR code that leads to a phishing site demanding a payment of $6.99, while simultaneously stealing personal and financial information. This tactic represents a shift from earlier scams that relied solely on text messages with links to phishing sites.
The latest twist on these scams is particularly insidious, as the QR codes are often embedded in images that resemble official notices from government agencies. This method lowers the odds of immediate scrutiny, as victims are nudged to scan a code rather than click on a visible link. Scammers leverage urgency and authority, creating a false sense of legitimacy around the small fee they demand, which encourages quick payment without verification.
A recent podcast featuring Juliana Testa, a Senior Security Engineer at 7AI, discussed a large-scale “quishing” campaign in which QR codes embedded in image attachments allowed 28 out of 33 phishing emails to bypass traditional email filters like SPF, DKIM, and DMARC. The campaign sent over 1.6 million emails across multiple organizations, using unique QR codes and tracking IDs to defeat conventional detection methods and shift execution to less-secure mobile devices. This highlights a major blind spot in email security and emphasizes the need for enhanced QR code inspection and mobile protections.
Hackers are also leveraging URL shorteners and in-app deep links, which makes it harder for users to identify suspicious links. Additionally, they can direct users to download malicious APK files, which are Android application packages that can contain harmful software. This method allows attackers to bypass traditional mobile security measures, putting users at significant risk.
Why Should You Care
Imagine you see a QR code in a public place, and you scan it to access a discount or a service. What you don’t realize is that you might be giving away your personal information or downloading malware. This is a growing concern because it can happen to anyone — whether you're checking your bank account, shopping online, or just browsing the internet.
The danger is real. Just like you wouldn’t open a strange email attachment, you should be cautious with QR codes. They can lead to phishing sites that steal your passwords or install harmful software on your device. Always verify the source of a QR code before scanning it. The recent traffic violation scams illustrate how easily scammers can manipulate QR codes to exploit unsuspecting individuals.
The Impact of Scams
According to the FBI’s 2025 IC3 Annual Report, scam operations are not a sideshow; they are the main event. The report highlighted over a million complaints in 2025, with losses exceeding $20.8 billion. Phishing and spoofing alone accounted for nearly 200,000 complaints, while government impersonation reached 32,424 complaints with nearly $800 million in reported losses. This data underscores that QR code scams are part of a larger ecosystem of organized cybercrime.
What's Being Done
Security experts are raising awareness about this new phishing method. They emphasize the importance of user education and caution when interacting with QR codes. Here are some immediate steps you can take to protect yourself:
- Always check the URL after scanning a QR code before entering any information.
- Use security software on your mobile device to detect and block malicious downloads.
- Be skeptical of QR codes from unknown or untrusted sources.
- If you receive a text message claiming to be from a state agency requesting payment, do not engage; verify with the agency directly.
- Check the phone number that the text message comes from; some scams originate from numbers outside the US.
- Look for the actual site that handles the alleged violation and compare the domain name carefully.
- If you decide to pay, ensure you receive confirmation of payment from the official agency.
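The URL checks from the list above, together with the shortener, deep-link and APK tricks described earlier, can be applied to the text decoded from a QR code before anyone opens it. The following Python function is an added example, not code from the original article; the shortener list, the flag names and the dmv.example.org domain are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Small constructed sample of shortener hosts; real use needs a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage_qr_payload(payload, expected_domain=None):
    """Return sorted warning flags for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # A custom scheme hands control to an app (deep link) with no URL to read.
        return ["deep-link-or-non-web-scheme"]
    flags = set()
    if scheme == "http":
        flags.add("no-tls")
    if "@" in parts.netloc:
        flags.add("userinfo-in-url")  # text before '@' is not the host
    if host in SHORTENERS:
        flags.add("url-shortener")  # real destination hidden until resolved
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode-host")  # may render as a lookalike name
    try:
        ipaddress.ip_address(host)
        flags.add("ip-literal-host")
    except ValueError:
        pass
    if parts.path.lower().endswith(".apk"):
        flags.add("apk-download")
    if expected_domain:
        exp = expected_domain.lower().rstrip(".")
        # Legitimate only if the host is the expected domain or a subdomain of it.
        if host != exp and not host.endswith("." + exp):
            flags.add("domain-mismatch")
            if exp in host:
                flags.add("expected-name-embedded")
    return sorted(flags)

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for p in ("https://pay.dmv.example.org/ticket",
              "http://dmv.example.org.pay-fine.example/notice",
              "https://bit.ly/abc123", "shopapp://open?promo=1"):
        print(p, triage_qr_payload(p, "dmv.example.org"))
```

An empty result only means none of these heuristics fired; it does not show that the destination is safe.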
Experts are closely monitoring the situation for new phishing techniques and potential countermeasures. The recent findings from the “quishing” campaign illustrate the need for vigilance and proactive measures to protect personal information from these evolving threats.
As QR codes become more prevalent in everyday transactions, the sophistication of scams utilizing them is increasing. Users must remain vigilant and educated about the potential risks associated with scanning QR codes.



