QR Code Security: Risks, Attacks, and Defenses in 2025
A comprehensive security analysis of QR code threats including phishing, payment fraud, malicious payloads, and practical defense strategies for users and businesses.
QR codes have become so ubiquitous that we rarely think about their security implications. From restaurant menus to payment systems, parking meters to product packaging, QR codes bridge physical and digital worlds with a simple scan. But this convenience has created new attack surfaces that criminals are actively exploiting. This comprehensive analysis examines the security risks of QR codes, documents real-world attacks, and provides practical defense strategies for both users and organizations deploying QR codes.
The QR code threat landscape in 2025
QR code usage surged during the COVID-19 pandemic and has continued growing. According to a 2024 report by Juniper Research, over 2.2 billion people worldwide used QR codes for payments in 2023, with transaction value exceeding $3 trillion. This scale has attracted criminal attention: the FBI reported a 500% increase in QR code-related fraud cases between 2020 and 2023, with losses averaging $3,000 per victim.
The fundamental security issue with QR codes is that they are opaque to humans. A printed URL can be read and evaluated before clicking, but a QR code's destination is invisible until scanned. This opacity enables attacks where malicious QR codes are substituted for legitimate ones, or where QR codes direct users to phishing sites that look identical to the expected destination.
Attack vector 1: QR phishing (quishing)
QR phishing, sometimes called 'quishing,' is the most common QR code attack. The attacker creates a QR code that directs to a phishing website designed to steal credentials, payment information, or personal data. Common scenarios include: fake parking meters with QR code stickers that collect payment card details, restaurant menus replaced with QR codes directing to phishing sites, event posters with QR codes promising additional information but actually capturing credentials, and emails containing QR codes that bypass traditional link-scanning security filters.
The email-based variant has become particularly problematic. Security researchers at Abnormal Security reported a 1,000% increase in QR code phishing emails in late 2023. Attackers include QR codes in emails rather than clickable links because traditional email security filters scan URLs but often do not decode and analyze QR images. A typical attack impersonates a Microsoft 365 password expiration notice with a QR code that directs to a fake login page capturing credentials.
Attack vector 2: Sticker attacks and code substitution
Physical sticker attacks involve covering legitimate QR codes with malicious ones. The attacker prints a sticker with their QR code and places it over the legitimate code on parking meters, restaurant tables, charitable donation placards, or product packaging. Victims scan what appears to be a legitimate code but are directed to an attacker-controlled destination.
A 2023 incident in San Antonio, Texas, demonstrated this attack's potential. Attackers placed QR code stickers over legitimate parking payment QR codes throughout the city. Drivers scanning the code were directed to a fake payment site that collected credit card details and a $0.01 'test' charge, followed by larger fraudulent charges. The attack went undetected for weeks because the fake site looked identical to the legitimate payment processor. Similar attacks have been documented in Austin, Chicago, and Atlanta.
Preventing sticker attacks requires physical monitoring. Businesses deploying QR codes should use tamper-evident stickers, periodically inspect codes for replacement, and educate customers to verify the destination URL before entering payment information. Some businesses now use branded QR codes with embedded logos, making sticker substitution more visually obvious.
Attack vector 3: Payment redirection
QR code payment systems are particularly attractive targets because they directly handle money. In China, where QR code payments are dominant (WeChat Pay and Alipay process over $40 trillion annually), payment redirection attacks are common. Attackers replace merchant QR codes with their own, causing customer payments to flow to attacker accounts instead of merchant accounts. Because customers see a payment confirmation, they believe the transaction succeeded, but the merchant never receives payment.
A 2023 case in Mumbai, India, involved attackers replacing QR codes at 47 vegetable vendors over six weeks. Customers paid over 800,000 rupees (about $10,000) to attacker accounts before the scheme was detected. The vendors, who relied on daily cash flow, suffered significant hardship. Defense against payment redirection requires merchants to periodically verify that their displayed QR code still routes to their account, perhaps by scanning it themselves daily.
Attack vector 4: Malicious payload delivery
QR codes can encode various data types beyond URLs, and some can trigger actions on the scanning device. Special formats include: WiFi credentials (WIFI:T:WPA;S:network;P:password;;) that auto-connect the device to a network, contact cards (vCard format) that add a contact with malicious fields, calendar events that add appointments with embedded links, SMS messages that send texts to premium-rate numbers, email messages that compose pre-filled emails, and geographic coordinates that open map applications.
The WiFi auto-connect format is particularly concerning. An attacker could create a QR code that connects victims to an attacker-controlled WiFi network, enabling man-in-the-middle attacks on subsequent internet traffic. If the victim's device then connects automatically to this network in the future, the attack persists. Defense involves only scanning WiFi QR codes from trusted sources and disabling auto-connect to unknown networks.
Attack vector 5: Cloning and replay attacks
Static QR codes can be photographed and reproduced, enabling cloning attacks. A legitimate event ticket QR code, for example, can be photographed and used to create duplicate tickets. Event organizers have reported cases where the same QR code was scanned dozens of times at entry, indicating mass cloning from a single legitimate ticket.
Defense against cloning requires dynamic QR codes that change periodically or single-use codes that become invalid after scanning. Major events now use rotating QR codes that refresh every 30-60 seconds, similar to two-factor authentication codes. Payment systems use transaction-specific QR codes that include the amount and a unique transaction ID, preventing reuse.
The psychology of QR code trust
QR codes benefit from what security researchers call 'implied legitimacy.' Because QR codes are widely used by legitimate businesses, users have been conditioned to scan them without scrutiny. A 2023 study by the University of California, San Diego found that 89% of participants would scan a QR code on a restaurant table, 73% would scan a code on a parking meter, and 64% would scan a code in an email from a known brand. This baseline trust makes QR codes an effective attack vector.
The same study tested whether security warnings would reduce scanning rates. Adding a warning message ('Only scan QR codes from trusted sources') reduced scanning rates by only 12 percentage points, from 89% to 77% for restaurant codes. This suggests that warnings alone are insufficient and that technical defenses are needed.
Technical defenses for users
Modern smartphones have built-in QR code scanners in their camera apps, but the security features vary. iOS 11+ shows a notification with the URL before opening it, allowing users to evaluate the destination. Android 8+ has similar behavior. Third-party QR scanner apps often provide additional features like URL safety checks, but they also create privacy risks since the app developer can see everything you scan.
Best practices for users include: preview the URL before opening it, looking for HTTPS and the expected domain name, avoid scanning QR codes from unknown or untrusted sources, be especially cautious of QR codes that lead to payment pages or login forms, use a QR scanner that checks URLs against known phishing databases, keep your phone's operating system updated to benefit from the latest security features, and disable auto-open behavior if your scanner supports it, requiring manual confirmation.
Technical defenses for businesses
Businesses deploying QR codes should implement several security measures. First, use dynamic QR codes where possible, allowing you to change the destination without reprinting and to track scans for anomaly detection. Second, use branded QR codes with embedded logos that make sticker substitution obvious. Third, periodically verify that displayed QR codes still route to the correct destination. Fourth, use HTTPS destinations with proper SSL certificates. Fifth, avoid encoding sensitive data directly in QR codes, since QR codes can be photographed and decoded by anyone with a phone. Sixth, for payment QR codes, use transaction-specific codes that include amount and transaction ID, preventing reuse.
For high-security applications, consider signed QR codes that include a cryptographic signature. The scanning app can verify the signature against a trusted public key, ensuring the QR code was generated by the legitimate issuer and has not been modified. India's Aadhaar system and several national digital identity programs use signed QR codes for this reason.
Legal and regulatory considerations
QR code security has attracted regulatory attention. The European Union's Digital Services Act requires platforms to take measures against phishing, which includes QR code phishing. The United States Federal Trade Commission has issued guidance on QR code security for businesses. Several states have passed laws requiring businesses to disclose if QR code data is collected and how it is used.
For businesses, the legal risk of QR code attacks is significant. If a customer is defrauded via a QR code on your premises, you may face liability if you did not take reasonable security measures. Insurance policies are beginning to exclude QR code-related fraud, requiring separate coverage. Consult legal counsel to understand your obligations regarding QR code security and customer data protection.
Case study: The 2023 Texas parking meter attack
The San Antonio parking meter attack mentioned earlier illustrates several important security lessons. The attackers produced high-quality stickers that closely resembled the legitimate parking authority branding. They chose QR codes rather than replacing the entire payment terminal, minimizing physical evidence. They used a phishing site with a valid SSL certificate, avoiding the 'not secure' warning that would have alerted some users. And they collected $0.01 test charges before larger fraudulent charges, a common pattern that helps criminals validate stolen card details.
The attack was eventually detected when a parking authority employee noticed that QR codes on several meters looked slightly different from the originals. The difference was subtle: the attacker's stickers had slightly different spacing between the QR code and the surrounding text. This highlights the importance of physical inspection and employee training in detecting QR code attacks.
The future of QR code security
Several technologies promise improved QR code security. Visual cryptography can split QR codes into two layers that must be overlaid to decode, preventing photograph-based cloning. Color QR codes can encode more data in the same space, enabling embedded signatures and expiration timestamps. Blockchain-based verification can provide tamper-evident QR codes for high-value applications. Machine learning models can detect malicious QR codes based on visual patterns, similar to how email filters detect phishing.
However, the most important defense remains user awareness. Training users to evaluate QR code destinations before entering sensitive information is more effective than any technical control. The sevi.fun QR Code Generator produces standard QR codes with configurable error correction and size, suitable for legitimate business use. When scanning QR codes, users should apply the same scrutiny they would to clicking a link in an email: verify the source, check the destination, and be cautious with sensitive information.
Conclusion
QR codes are a powerful technology for bridging physical and digital experiences, but their opacity creates security risks that criminals actively exploit. The main attack vectors include phishing (quishing), sticker substitution, payment redirection, malicious payloads, and cloning. Defense requires a combination of technical measures (dynamic codes, branded designs, HTTPS destinations, signed codes) and user awareness (previewing URLs, verifying sources, caution with sensitive information). The sevi.fun QR Code Generator creates high-quality QR codes for legitimate use cases, with customizable size and error correction. By understanding the threats and implementing appropriate defenses, businesses and users can continue to benefit from QR code convenience while minimizing security risks. As QR code usage continues to grow, security awareness and technical defenses must keep pace with the evolving threat landscape.
References and further reading
- Federal Bureau of Investigation. (2023). IC3 Annual Report: Internet Crime Complaint Center.
- Juniper Research. (2024). QR Code Payments: Key Opportunities, Vendor Strategies & Market Forecasts 2024-2028.
- Abnormal Security. (2024). Email Threat Report Q4 2023: The Rise of QR Code Phishing.
- University of California, San Diego. (2023). User Trust and Security Behavior with QR Codes. USENIX Security Symposium.
- National Institute of Standards and Technology. (2023). NIST SP 800-63B: Digital Identity Guidelines.
- Reserve Bank of India. (2023). Cyber Security Framework for QR Code Payments.
- European Union Agency for Cybersecurity (ENISA). (2024). Threat Landscape for QR Code Systems.
- ISO/IEC 18004:2024. Information technology, Automatic identification and data capture techniques, QR Code bar code symbology specification.
Use our free tools
All 41 premium tools on sevi.fun are free, no sign-up required.
Explore All Tools