As QR codes become more embedded in our daily lives, cybercriminals have taken notice. The same convenience that makes QR codes useful - instant access with a single scan - also makes them an attractive attack vector. Let's explore the most common QR code threats and how to protect yourself.
What Is Quishing?
Quishing (QR code + phishing) is a type of cyberattack where scammers embed malicious URLs in QR codes. When scanned, these codes redirect victims to fake websites that mimic legitimate login pages, payment portals, or document downloads. Because the URL is hidden inside a visual pattern, it bypasses email security filters that typically catch text-based phishing links.
According to recent security reports, quishing attacks increased by over 400% in 2025, making them one of the fastest-growing cyber threats.
Common QR Code Scams
Tampered Codes in Public Spaces
Scammers print their own QR code stickers and place them over legitimate codes on parking meters, restaurant tables, EV charging stations, and shared bike docks. When you scan, you might land on a fake payment page that steals your credit card information instead of completing the legitimate transaction.
Fake Payment Pages
A restaurant may have a legitimate QR code for its digital menu, but a scammer could replace it with a code pointing to a fraudulent payment page. The visual difference between the two codes is undetectable to the human eye.
Email-Based QR Code Attacks
Attackers send emails containing QR code images that claim to be from your bank, a shipping carrier, or a government agency. The QR code leads to a fake login page designed to steal your credentials.
Cryptocurrency Wallet Scams
Scammers create fake investment opportunities with QR codes that direct to fraudulent wallet addresses or malicious dApps designed to drain your cryptocurrency holdings.
How to Protect Yourself
Always Preview the URL
Modern smartphone cameras show a preview of the URL before opening it. Always read this preview carefully. If the domain looks suspicious (typos, unusual TLDs, or doesn't match the expected business), don't tap.
Check for Tampering
Before scanning a QR code in a public place, visually inspect it. Look for stickers placed over existing codes, any signs of peeling, or codes that look out of place. If something seems off, ask a staff member to confirm.
Use a QR Code Scanner with Security Features
Some QR code scanner apps include security features that check URLs against known phishing databases before opening them. Your phone's built-in camera is generally safe because it shows you the URL first.
Don't Scan QR Codes from Unknown Emails
Treat QR codes in unsolicited emails the same way you'd treat a suspicious link. If you weren't expecting the message, don't scan the code. Contact the organization directly through official channels to verify.
Use a Trusted QR Code Generator
When creating QR codes for your own use, always use a reputable generator. UrsaQR generates codes entirely in your browser - your data never leaves your device, offering complete privacy and security.
What Type of Data Do QR Codes Collect?
QR codes themselves don't collect data. They simply store and present information. However, the destination website or the QR code generator service may collect data. Common data points include:
- Device information - Operating system, browser type, device model
- Location - Approximate geographic location based on IP address
- Scan time - Date and time of the scan
- User behavior - Pages visited after scanning, time spent on site
Dynamic QR codes (which are trackable) collect this data to help businesses measure campaign performance. Static QR codes generally don't collect any data since there's no server involved in processing the scan.
Safe QR Code Practices for Businesses
If you're a business owner using QR codes:
- Print codes directly on materials rather than using stickers that can be tampered with
- Use branded, custom QR codes that are harder to replicate
- Regularly inspect physical QR code placements for tampering
- Use a dynamic QR code solution so you can update or disable codes if needed
- Ensure your landing pages use HTTPS encryption
Conclusion
QR codes are a safe and valuable technology when used responsibly. The key is awareness - understanding that while the code itself is neutral, what it points to can be dangerous. By following the safety tips above, you can enjoy the convenience of QR codes without compromising your security.