The QR Code Trap: Why Those Little Squares Aren’t as Safe as You Think
73% of Americans scan QR codes without checking them first. Don’t be part of the statistic. A few minutes of reading could save you from becoming the next victim.
QR codes… you can see those little squares everywhere.
You can pay with them, check a restaurant’s menu with them… basically, you use them almost every day.
And no wonder, they’re fast, convenient, easy to create… basically, they make our lives a lot easier.
So, what’s the problem?
Well… as always, when something is easy to use and convenient, it’s also easy for attackers to exploit.
Let me show you some stats:
In 2023, QR codes were involved in 22% of all phishing attacks [source]
QR code phishing attacks surged 1400% between 2021 and early 2024 [source]
73% of Americans scan QR codes without verifying them, making them a prime target for malicious links [source]
I could go on, but I believe the message is clear: attackers are using QR codes for their attacks more and more often, and people don’t expect any threat when using them.
The best defense?
Awareness!
I will give you an overview of the most common attacks leveraging QR codes and how to protect yourself.
So, if you want to avoid trouble, read this post. It will take you 5 minutes and could save your privacy and your money.
And if you know someone who could benefit from this article, feel free to share it!
Quishing (QR code phishing)
We all know phishing, right?
If you’re not familiar with how phishing works, don’t worry! I’ve got you covered!
So, you know that one of the attacker’s goals is to make you click on a harmful link. They are willing to use various tricks to do so, and QR codes just make it easier for them.
You don’t see the link the QR code leads to, so you can’t tell if it’s legitimate or not.
They can easily create a sticker and place it somewhere it looks legitimate, or send you the QR code via email and just wait until you take out your phone and scan it.
Once you do, you’re exposed, and there is no way back.
Let’s go through this type of attack step by step to make it easier for you to recognize it.
1. Target Selection
First of all, attackers need to find a convenient spot to put their QR codes.
The best choice is a place where people already expect to scan QR codes:
Parking meters
Restaurant tables
Event posters
Office buildings
Delivery notices
“Update your account” emails
Anywhere a QR code feels normal is a place where it can become dangerous. This is especially true in emails, because most current email security measures can’t detect a malicious link hidden inside a QR code image.
2. QR Code Creation
Now comes the easy part. Generate the QR code.
That will take like a minute and it’s completely free.
No coding skills. No hacking skills.
They simply take a malicious URL, often a fake login page, and generate a QR code that points to it.
From the user’s perspective, the malicious site looks exactly like:
Microsoft 365
Google login
Bank page
Internal company VPN portal
Apple ID reset
The QR code hides the danger perfectly.
3. Deployment: Placing the QR code
This is where it gets interesting for attackers.
They place their fake QR code in a way that doesn’t raise any suspicion:
A sticker over the real QR code (restaurant, parking meter, billboard)
A printed flyer (“Free Wi-Fi”, “Claim your parcel”, “Pay for parking here”)
An email attachment (“Scan this to verify your identity”)
A PDF invoice with a “secure QR code payment link”
Because people trust physical things, this step is extremely effective.
4. Luring You Into Scanning
The attacker now relies on human behavior.
We scan QR codes automatically.
Nobody squints at them.
Nobody investigates the link beforehand.
It takes less than a second.
This is the attacker’s advantage:
The victim makes the first move.
Once you scan, the phone opens the malicious site instantly.
5. The Redirect to a Fake Page
After scanning, you land on a page that looks perfectly legitimate.
Typical goals:
Steal credentials (login to Microsoft/Google/Bank)
Collect MFA codes (“Enter your 6-digit verification code”)
Steal payment information
Download malware (“Install this app to continue”)
Some malicious QR codes even trigger automatic actions, such as:
Opening a pre-written email
Adding a rogue Wi-Fi network
Sending you to a malicious app store
The victim almost always thinks they are interacting with a legitimate service.
6. Data Harvesting / Account Takeover
Once you enter your username, password, or MFA code, the attacker grabs it in real time.
A common technique is real-time relay:
You enter credentials → attacker immediately uses them → attacker prompts you for MFA → you enter it → the attacker logs in instantly.
By the time you realize something’s wrong, the attacker is already inside your account.
How to protect yourself?
Have I scared you enough?
Good. The goal of this article is to make you take this threat seriously enough to learn how to protect yourself.
The good news?
You don’t need to stop using QR codes, you just need to stop trusting them blindly.
Here are my suggestions for what to do when working with QR codes:
Confirm the origin of the QR code
Only scan codes from sources you trust. If you didn’t expect it or don’t know who placed it there, think twice.
Watch for sloppy text or odd formatting
Poor grammar, strange phrasing, or low‑quality design on the surrounding material often signals a scam.
Check the link before you open it
Your phone shows the URL first; make sure it matches the organization you expect and doesn’t contain weird spellings or random characters.
Evaluate the website after it loads
Legitimate sites look polished and professional. If the design looks thrown together, outdated, or inconsistent with the brand, leave immediately.
Don’t trust sites that ask for info right away
A QR code should never lead directly to a login page or request payment details immediately. That’s a major red flag.
Verify promotions and discounts independently
If a QR code claims to offer a special deal, confirm it through the company’s official website or social media.
Check for a secure connection
Make sure the site uses HTTPS. A padlock icon doesn’t guarantee legitimacy, but the absence of one is a strong warning sign.
Use two-factor authentication (2FA)
I can’t stress this enough. Enable 2FA for all your accounts! Even if someone steals your password through a fake QR code, 2FA can prevent them from accessing your accounts.
Report anything suspicious
Whether it’s a strange email, a fake poster, or a malicious link, let your IT department or service provider know.
Keep your phone and apps updated
Updates patch security flaws. Running outdated software makes you an easier target.
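As an added illustration (not code from the original post), here is a small Python helper that applies several of the checks above to a URL that has already been decoded from a QR code: the HTTPS check, lookalike spellings of a brand name, bare IP or punycode hosts, random-looking hosts, and links that land straight on a login or payment page. The brand table and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed brand table for the example; a real deployment would consult
# the organisation's own list of legitimate domains instead.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "google": "google.com", "apple": "apple.com"}

# Character substitutions that scam hosts use to imitate a brand name.
LEET = {"o": "[o0]", "i": "[il1]", "l": "[l1i]", "e": "[e3]", "a": "[a4]", "s": "[s5]"}

# Path fragments that mean the link drops straight onto a login or payment page.
SENSITIVE_HINTS = ("login", "signin", "verify", "password", "mfa", "pay")


def lookalike_pattern(brand: str) -> str:
    """Build a regex that matches the brand name and its common misspellings."""
    return "".join(LEET.get(c, re.escape(c)) for c in brand)


def belongs_to(host: str, domain: str) -> bool:
    """True if host is the brand's real domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_qr_url(url: str) -> list[str]:
    """Return red flags for a URL decoded from a QR code, one string per flag.
    Each check mirrors an item of the checklist above. An empty list means no
    check fired, not that the link is safe."""
    flags: list[str] = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        flags.append("no HTTPS")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("host is a bare IP address")
    if "xn--" in host:
        flags.append("punycode host (possible lookalike characters)")
    for brand, real_domain in KNOWN_BRANDS.items():
        if re.search(lookalike_pattern(brand), host) and not belongs_to(host, real_domain):
            flags.append(f"host imitates {brand} but is not under {real_domain}")
    if re.search(r"\d{4,}|--", host) or host.count(".") >= 4:
        flags.append("random-looking or deeply nested host")
    target = (parsed.path + "?" + parsed.query).lower()
    if any(hint in target for hint in SENSITIVE_HINTS):
        flags.append("lands directly on a login, verification or payment page")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, two modelled on the lures above.
    for sample in ("https://login.microsoft.com/",
                   "http://micr0soft-login-verify.com/account/login?user=x",
                   "https://192.0.2.10/pay"):
        print(sample, "->", assess_qr_url(sample) or ["no flags"])
```

The helper only looks at the URL string; pairing it with a DNS filter or reputation lookup, as the next tip suggests, covers the cases a pattern check cannot.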
My personal tip
Use a DNS filtering service such as NextDNS. Not only will it protect your privacy in many situations, but it can also block malicious domains.
It blocks:
known phishing domains
malicious redirect sites
newly registered scam domains
shady advertising networks
malware download domains
So even if you do scan a malicious QR code, NextDNS will often block the domain before it loads.
It’s not perfect, nothing is, but it dramatically reduces the risk. And it will cost you like $2/month.
I personally use it on all of my devices.
Conclusion
As always, if you’re reading this, congratulations!
I know this isn’t an article for cybersecurity professionals; you already know all of this. But spreading awareness should be everyone’s responsibility.
Being aware of current cyber threats is the best protection there is. It can take just 10 seconds for your bank account to be emptied.
Is it fair?
No.
Is it real?
Absolutely.
So make sure you share this article with someone who needs it, before it’s too late!
This is really helpful, Erich. I just wish this was something that’s easy to relay to, say, somebody like my mom. I wish mobile browsers implemented more security features to help block these risks.
Another brilliantly written article from Erich Winkler on the dangers of QR codes, and what tricks and scams to watch out for.