QR (quick response) codes are no longer a novelty or a marketing cliche that faced a recent near-death experience. Instead, they have returned from the near grave as an excellent source for information exchange, especially as marketers and communicators attempt to uncover new ways to bring their messages to market.
Their use is pervasive, and hundreds of millions are expected to enter marketing efforts by the world’s largest (and smallest) brands in the next year, according to Statista. Despite this resurgence in power and popularity, QR codes are a threat vector being weaponized with increasing sophistication in cyber scams. As businesses rush to adopt QR codes, a new Trojan horse is sauntering to their gates, and through it cybercriminals are sneaking into the devices and data of their victims.
QR codes were created in 1994, the same year as the first PlayStation, by a Toyota subsidiary, as an inventory tracking tool, but by the start of this century’s second decade, QR codes faced significant hurdles, and they nearly disappeared from the lexicon. The primary issue was the barrier to entry. Third-party apps were needed to read them, which turned many of us off.
In 2017, QR code readers were built into Android and Apple software updates. It was projected that by 2020, 91% of active iOS users would have access to built-in QR code scanners, eliminating the need for a separate app, and that by 2022 one billion smartphones globally would be able to scan QR codes, research by Fintech Futures suggested at the time.
Another frustration with them was an undefined use case. Their use was inconsistent and without purpose. They were usually integrated into marketing campaigns without optimization, leading to broken links, irrelevant content, or a lack of mobile-friendly experiences, which is where the real value for scammers emerged. QR codes have always been exploited for malicious purposes, such as directing users to phishing websites or delivering malware, and this undermined trust in the technology. As their use surged, in earnest during COVID-19, and they were reimagined, threat actors evolved right alongside the technology.
Even with the development of dynamic QR codes, I’m currently less surprised by the adoption of the codes and more concerned by the sheer level of implicit trust users have begun to place in them. People are encouraged to use them—from celebrities working for their favorite brands telling us to use them by happenstance to stores collecting reward points and coupons to joining loyalty clubs and keeping up to date with news about our favorite sports teams, and even our employers using them to refer employees to update benefits packages and other corporate messaging.
As a fellow member of the cybersecurity community, you’re aware of this: your organization’s users have been conditioned to identify traditional phishing cues in emails—misspelled domains, odd sender addresses, etc.—but a QR code bypasses all that. Users can’t visually inspect a QR code’s URL destination before scanning, creating a significant blind spot. Even experienced cybersecurity teams sometimes overlook this. Solutions exist that run QR code phishing simulations, educating the users who scan the simulated code about the perils of doing so, but without them the protections are few.
The cybersecurity problem is not only that scammers are slapping fake QR codes over legitimate ones in public spaces, but that more sophisticated threat actors are employing tactics like dynamic QR codes to meet their objectives. This is important for security professionals to contemplate because these highly accessible codes can be manipulated after distribution to redirect users to risky URLs. We’ve seen this happen in spear-phishing campaigns targeting executives.
Quishing (phishing via QR codes) and QRLjacking are dangerous because they can redirect a payment from a legitimate account to an attacker’s wallet, for example, without the user realizing it until it’s too late. Given the irreversible nature of crypto payments and the difficulty of tracing the attacker, this is particularly effective when QR codes are used for cryptocurrency transactions. We’re also seeing dynamic content injection develop into creative heists, where attackers create content and QR codes that, upon scanning, inject a malicious script into the user’s device.
What Can Be Done? Moving Beyond Basic Mitigations
Standard advice to train users to be cautious when scanning QR codes or to inspect URLs post-scan is not enough. We must push transformative shifts regarding how businesses deploy and monitor QR codes, but more importantly, we need real-time threat intelligence integration with QR code scanners. This is where we’re focusing our innovation at VIPRE—building AI-driven threat detection engines that can assess the behavior of URLs in real time. We’re talking about machine learning models that evaluate the destination URL for patterns, historical data, and geolocation or device type to stop malicious sites before they load. We’re attempting to spearhead the creation of automatic buffers to protect against these threats without relying on user vigilance, which we know is a weak point. After all, how long have we been screaming at users to stop using “Password1234” as a password? If we rely on users as a line of defense, the war may already be over before the first shot is fired.
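As an added illustration of what a pre-navigation check in a scanner or secure-browser hook could look like (example code written for this piece, not VIPRE’s engine, and not a substitute for the real-time reputation and behavioral analysis described above), the following Python function applies structural checks to a decoded QR payload before the device opens it. The organization allowlist, the shortener list, and every sample payload are constructed for the example; the verdicts are "allow", "block", "review" (hand off to a reputation lookup or sandbox), and "not-a-url".

```python
"""Structural pre-navigation checks for a decoded QR payload (added example)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical organization allowlist and a constructed list of public shorteners.
APPROVED_HOSTS = {"benefits.example.com", "www.example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}


def check_qr_payload(payload: str, approved_hosts=APPROVED_HOSTS) -> dict:
    """Return a verdict and the findings that produced it.

    "block"  - a structural red flag was found; do not open automatically.
    "review" - nothing structurally wrong, but the destination is unknown
               or unusual; pass to URL reputation / sandboxing before opening.
    "allow"  - allowlisted host with no findings.
    """
    text = payload.strip()
    parts = urlsplit(text)
    if not parts.scheme:
        return {"url": text, "host": "", "verdict": "not-a-url", "findings": []}

    block, review = [], []
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Payment and app-handler URIs (bitcoin:, tel:, wifi: ...) are not web links;
    # they should be confirmed by the user rather than dispatched silently.
    if scheme not in ("http", "https"):
        review.append(f"non-web scheme '{scheme}': confirm before dispatching to a handler")
    elif scheme == "http":
        block.append("plain http: destination is not TLS-protected")

    # user:pass@ before the host is a classic way to disguise the real domain.
    if parts.username is not None or parts.password is not None:
        block.append("userinfo before '@' can disguise the real host")

    # Internationalized labels arrive as punycode; a common homoglyph vehicle.
    if any(label.startswith("xn--") for label in host.split(".")):
        block.append("punycode label: possible homoglyph domain")

    # Raw IP addresses are rarely used for legitimate customer-facing links.
    try:
        ipaddress.ip_address(host)
        block.append("IP-literal host")
    except ValueError:
        pass

    if host in SHORTENER_HOSTS:
        block.append("URL shortener hides the final destination")

    # Brand name embedded inside an unrelated domain, e.g. approved.example.com.evil.net
    for approved in approved_hosts:
        if host != approved and approved in host:
            block.append(f"approved name '{approved}' embedded in a different domain")

    # Query parameters that themselves carry a URL often feed open redirects.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if re.match(r"https?://", value, re.I):
                review.append(f"parameter '{key}' carries a URL to {urlsplit(value).hostname}")

    if block:
        verdict = "block"
    elif host in approved_hosts and not review:
        verdict = "allow"
    else:
        verdict = "review"
    return {"url": text, "host": host, "verdict": verdict, "findings": block + review}


if __name__ == "__main__":
    # Constructed payloads, as a scanner would hand them over after decoding.
    samples = [
        "https://benefits.example.com/enroll",
        "http://bit.ly/3xyz",
        "https://benefits.example.com.login-update.net/verify",
        "https://www.example.com/redirect?next=https://xn--exmple-cua.com/",
        "bitcoin:1ExampleAddress?amount=0.5",
        "http://192.0.2.10/login",
    ]
    for sample in samples:
        result = check_qr_payload(sample)
        print(f"{result['verdict']:9} {sample}")
        for finding in result["findings"]:
            print(f"          - {finding}")
```

Note that a clean structural pass is deliberately not an "allow": an unknown host with no findings still goes to "review", which is where the reputation, history and geolocation signals described in the text belong. The checks here are cheap and run on the device before any network request is made, so they close the gap between "user scanned" and "page loaded" without depending on the user noticing anything.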
We also can’t rely on any regulatory help. That landscape lags woefully behind the technology, despite the rapid adoption of QR code phishing and similar attacks. There’s an absence of industry standards around secure deployment. For example, despite the surge in incidents, the NIST cybersecurity framework doesn’t have specific guidelines for QR code use.
As an industry, we need to take the gloves off. We need to resemble the efforts of Mike Tyson in 1986, not the Tyson of 2024. We must push for security standards akin to PCI-DSS but tailored for QR code usage, particularly in financial services and healthcare, where the stakes are high. We also need integrated URL preview mechanisms in browsers and mobile OS-level protections that alert users to potential threats before they engage. Companies need to start looking at QR codes like any other endpoint or attack surface—monitoring, updating, and securing them as part of their broader cybersecurity strategy.
Since every kind of business has embraced QR codes, there is ample opportunity for threat actors. The rapid, unchecked growth in these communication and engagement modalities has left gaping security holes that we’ve got to close. As cybersecurity professionals, we must challenge the narrative that QR codes are “safe enough” and treat them as a genuine attack vector. If we don’t act, we’re looking at a future where the next big data breach could begin with a single, innocent-looking scan.
So, when you engage in conversations about the potential threat of QR codes, keep this ammo at the ready: threats from QR codes may be only partially avoidable, but implementing intelligent, proactive defenses helps because it’s always about staying one step ahead of the attacks – and their innovation.
About the Author
As the general manager for VIPRE Security Group, Usman Choudhary is responsible for executing the company’s product vision and strategy for advanced threat defense solutions. With contributions to several patented innovations in the early stages of the security space, he was instrumental in influencing the evolution of mission-critical cyber defense programs for the U.S. Navy (PROMETHEUS) and other government agencies and security programs at Microsoft and other large enterprises. Before joining VIPRE, Usman held several product leadership roles to develop identity and security businesses at NetIQ, Novell, and eSecurity. He previously served ten years in technology innovation for the global brokerage industry. Usman received his bachelor’s degree in computer engineering from Rutgers University School of Engineering and his executive leadership education from Harvard Business School. In his personal time, Usman regularly contributes to several nonprofit service initiatives nationally and received the distinguished U.S. President’s Call to Service Award in 2013.
Usman can be reached by email at [email protected]