Alarming QR Code Phishing Statistics You Must Know in 2025

This compilation of QR code phishing statistics sheds light on the concerning security threats that quishing imposes on businesses and individuals.

No one can deny the benefits of using a Quick Response (QR) code, and as much as we hate to admit it, online criminals also know this. 

But, if you familiarize yourself with cybersecurity threats and adopt security measures accordingly, you can hinder their success.

With that in mind, we’ve collected key facts and trends about QR code phishing that everyone should stay alert for in 2025. 

Learn what these statistics say, the real-world cases, the actions you can take, and the best QR code generator to help you create fool-proof QR codes.

    What makes quishing (QR code phishing) so dangerous?

    Phishing is a malicious cyberattack that aims to steal personal information, such as online usernames, passwords, and even financial information, for nefarious purposes. 

    This kind of attack relies on deception, which makes the victim willingly but unknowingly provide these details themselves. 

    Today, a new technique for these cybercriminals has emerged: quishing. Quishing is simply phishing using QR codes, a two-dimensional barcode that one can easily scan using a smartphone.

    Can QR codes be dangerous? Not at all. However, depending on the creator’s motive, the content embedded within may be harmful to others. 

    This is why quishing is so dangerous. Bad actors can simply cover legitimate QR codes with fake ones. 

    Using the genuine messages of advertisements and promotions, fraudsters and QR code scam masterminds may gain access to many people’s information with none the wiser.     

    QR code phishing statistics

    QR codes have been around for many decades, which means that quishing can become a widespread threat to the average person. 

    For businesses, phishing is a major concern that can cost them thousands or even millions to clear up. For context, data from IBM indicates that breaches as a result of QR code phishing can cost $4.45 million (USD) on average.

    Let’s examine the latest statistics that prove this right.

    QR code phishing attacks surged to 51%

    According to a 2023 study by ReliaQuest, QR code phishing attacks increased to 51% during the month of September. This was a significant increase when compared to the cumulative figure for January through August 2023.

    Additionally, 12% of the observed quishing incidents involved hiding the QR code in a PDF or JPEG file attached to an email. 

    These attacks were able to slip past email filters because the malicious emails often had no clickable elements in the message body, and filters usually permit messages like that.
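The pattern described above (lure wording, no links in the body, a PDF or JPEG attachment) can be screened for at the mail gateway. The sketch below is an added example, not code from ReliaQuest or from this page; the sample message, the keyword list and the `triage` function are constructed for illustration, and decoding the QR image itself is left to a later step.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message): text-only lure plus a JPEG attachment.
SAMPLE = """\
From: "IT Security" <it@example.test>
To: user@example.test
Subject: Action required: 2FA expiring
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Your two-factor authentication expires today. Scan the attached code to renew.

--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="renew.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==

--BOUND--
"""

# File types the article names as QR carriers (PNG added here as an assumption).
CARRIER_TYPES = {"image/jpeg", "image/png", "application/pdf"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+|www\.[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr code|2fa|two-factor|authentication)\b", re.I)


def triage(raw):
    """Flag mail whose body has lure wording, no links, and an image/PDF part."""
    msg = message_from_string(raw, policy=policy.default)
    body, carriers = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not part.is_attachment():
            body.append(part.get_content())
        elif ctype in CARRIER_TYPES:
            carriers.append(part.get_filename() or ctype)
    text = "\n".join(body)
    links = URL_RE.findall(text)
    subject = str(msg["Subject"] or "")
    lures = sorted({m.lower() for m in LURE_RE.findall(subject + "\n" + text)})
    # No link for a URL filter to inspect, yet the message asks for a scan:
    # hold the attachment for QR decoding and review rather than delivering it.
    suspect = bool(carriers) and not links and bool(lures)
    return {"links": links, "carriers": carriers, "lures": lures, "suspect": suspect}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
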

    There were over 8,000 quishing incidents over 3 months in 2023

    Highlighting the reliance on QR codes by cybercriminals and scammers, Keepnet found that 8,878 quishing incidents were reported in the span of 3 months back in 2023. 

    Observed from June to August, the first month was when the trend peaked with a total of 5,063 reported cases.

    Almost 2% of all scanned QR codes are malicious

    A recent analysis by Keepnet revealed that close to 2% of all QR codes scanned were considered malicious. This includes phishing QR codes as well as ones embedded with links to malware and viruses. 

    Ask yourself, “How many QR codes are possible to create?” and you might come up with a number in the millions. The truth is much more than that, so much that the number couldn’t fit in a calculator. 

    We haven’t even come close to reaching that number, so 2% is insignificant in the grand scheme of things. 

    Still, the effects of malicious QR codes are too harmful to dismiss. As this form of barcode becomes increasingly popular in different applications, we can expect this number to grow as well.

    Only 36% of QR code phishing incidents were accurately identified and reported

    Despite a staggering number of quishing incidents in the latest QR code phishing statistics, reports state that only 36% of them are accurately identified and reported. 

    This low detection and reporting rate is a gap in security that any company should address.

    There are different types of phishing attacks, but the most popular method is through emails. According to more data from Keepnet, 26% of malicious links in email phishing campaigns were embedded in a QR code.

    With this many links embedded in QR codes, it’s obvious that bad actors are using their effectiveness to inflict harm on others. 

    This is backed up by a 587% increase in quishing incidents back in 2023. During this period, 22% of all phishing attacks used QR codes.

    Half a million emails with phishing QR codes are embedded in PDF documents

    This staggering discovery was made by Barracuda threat intelligence researchers. The PDF files normally had one or two pages, and the emails themselves had no other external links or embedded documents. 

    Nearly 90% of QR code attacks are aimed at stealing login information and other sensitive data

    While there are many creative ways to inflict harm with QR codes, Keepnet states that about 89.3% of detected attacks are done to capture personal data. 

    The reason for this can lie in the fact that QR codes are easy and convenient to use. Many people can forget to check the link before being redirected. 

    With most QR code attacks being phishing attempts, this highlights the need for more knowledge and awareness of QR code safety and the establishment of improved security measures.

    Online banking pages also prone to quishing attacks

    Global spending with QR codes is projected to exceed $3 trillion by 2025, which means we can expect an increase in quishing attempts using QR code payments. 

    This is backed up by the same ReliaQuest study, which found that 18% of quishing incidents involved thieves using online banking pages to steal information.

    If you’re using QR codes to pay in physical and online stores, check for any signs of tampering on the QR code. If you have the option, ask the shop to provide you directly with their account number and the full name of the account holder for secured transactions.

    Business executives encounter quishing attacks 42 times more than employees

    According to the 2023 data from Abnormal Security, executives are 42 times more likely to be targeted by quishing emails than their employees.

    This tells us that cybercriminals know that targeting executives can give them access to sensitive and profitable information and a lot of power within businesses. 

    It also means that there could be vulnerabilities in an organization’s security that executives should find and fix. 

    Microsoft and Adobe are among the brands being impersonated for quishing

    Barracuda threat intelligence researchers also found that in most of the incidents analyzed, cybercriminals impersonated well-known companies such as Microsoft and Adobe. 

    More than half of the attacks involved impersonating Microsoft. Other incidents involved scammers impersonating the human resources department of the victim’s current company.

    56% of quishing emails involved Microsoft two-factor authentication (2FA) resets

    According to a ReliaQuest study in September 2023, the most popular form of quishing involved sending emails to reset or enable Microsoft two-factor authentication (2FA). 

    This attack was so prevalent that it made up more than half of all the methods used in the span of a year. 

    Fake two-factor authentication notices can be a serious threat to your security. Thus, if you receive untimely emails like this, immediately contact Microsoft or other service providers you’ve been subscribing to.

    The energy sector receives 29% of quishing emails, while retail remains the most vulnerable

    While any industry can be at risk of quishing attacks, two seem to be frequent targets. 

    The first is the energy industry. According to the data, the energy sector gets 29% of over 1,000 malware-infested quishing emails. 

    The second industry vulnerable to quishing is the retail sector. Analysis shows that this industry features the highest miss rate, meaning retail employees often fail to detect and report malicious QR codes to the authorities. 

    Other sectors that are popular targets for phishing campaigns are manufacturing, insurance, technology, and financial services. 

    A high number of incidents within these industries indicates that targeting them has proven lucrative to many cybercriminals.

    Real-life phishing code examples using QR codes

    Despite a low detection and report rate, thousands of incidents are still caught. However, not knowing how these scams can take place only helps criminals obtain more personal information from innocent victims. 

    We’ve collected major QR code phishing examples that you can learn from and avoid when encountering one yourself.

    Fake parking tickets in San Francisco

    In the second quarter of 2023, the citizens of San Francisco received parking tickets on their vehicles. 

    These tickets featured a QR code that directed scanners to a San Francisco Municipal Transportation Agency (SFMTA) page where drivers could pay off their fines immediately. 

    Unfortunately, the SFMTA did not use QR codes in this manner. 

    Worse, the scammers replicated the SFMTA’s official website, making the fake one look legitimate.

    While the agency could not confirm the number of reports they received, they did urge drivers to check if a ticket is real by looking it up on their official website. 

    Tea shop malware-infested QR code

    Another phishing scam using a QR code was a case in Singapore where a 60-year-old woman lost $20,000 after filling out a fake online survey.

    According to the victim, this survey was supposed to be for a free cup of milk tea at a local bubble tea shop. The code was pasted on the shop's glass window, making it look like a promotion from the business itself.

    What’s unique about this scam is that it downloads a third-party app on the phone after scanning the QR code.  This app will request access to the phone’s microphone and camera.

    The malicious app also asked for access to the Android Accessibility Service, an Android app dedicated to assisting users with disabilities. Access to this app allows the scammer to view and control the victim’s screen.

    According to Mr Beaver Chua, the head of OCBC Bank’s anti-fraud department, the scammer would wait for the victim to use their mobile banking app and note their login credentials and password. 

    With this information, the scammer only has to take control of the phone at the right time and transfer money out of the victim’s account.

    QR codes for stealing credentials at Washington University

    In September 2023, students and faculty at Washington University in St. Louis (WUSTL) became targets of cybercriminals using phishing QR codes.

    According to a blog post, the phishing campaign used emails with a malicious QR code attached. When scanned, the QR code directed community members to a fake WUSTL Key login page.

    But how would the scammer convince users to scan the code? By making them think their accounts would be terminated if they don’t. 

    Because it looked like an official email, it was easy to trick unsuspecting WUSTL faculty and students into scanning the code to keep their accounts.

    Fortunately, the university’s information security team informed the community of the scam, preventing more people from falling for it.

    Malicious QR code covering a legitimate one at Teesside, England

    In November of the same year, another QR code phishing scam took place at Thornaby Station in Teesside, England. Just like the tea shop survey QR code, it resulted in at least one victim losing thousands of their hard-earned money.

    The QR code was placed over a genuine one in the station’s car park. When the victim, a 71-year-old woman who wished to stay anonymous, scanned one of these fake QR codes to pay for parking, she inadvertently offered her banking information to the fraudsters.

    Her bank blocked her transaction. Unfortunately, the criminals impersonated bank staff and convinced her to take out a £7,500 loan.

    Afterward, they changed her banking information, ordered new cards, racked up debt that would result in a total loss of £13,000 for the victim, and set up an online banking account.

    According to Virgin Money, the victim’s loan would eventually be written off while all fraudulent transactions were refunded.

    The fake Microsoft 2FA expiring email QR code

    This scam is a prime example of how the energy industry is targeted by quishing attacks.

    In the same month as the Teesside fake QR code, an email presented as coming from Microsoft was sent to a company in the industrial and energy industry. The email stated that the recipient’s two-factor authentication (2FA) was about to expire.

    According to the email, renewing this security measure would have required scanning the attached QR code. Because Microsoft does not send this kind of email, it was clear that this email was meant to gather company credentials. 

    The email's fraudulent nature was also obvious to observant employees thanks to the various grammatical errors found in the text. Not even a QR code generator with logo integration can salvage that.

    Illegitimate DocuSign QR codes

    DocuSign is the #1 platform for electronic signatures. Unfortunately, this has also made it a favorite among cybercriminals, especially those who prefer to use it to conduct phishing scams.

    When a bad actor mimics DocuSign’s platform to launch quishing attacks, they usually copy official communications from the company to make their fraudulent emails look genuine. 

    And since DocuSign emails can be customized to suit the brand using their services, it becomes easier to mask the fraudster’s true intentions.

    QR codes can further the deception by “granting” access to the document that needs to be signed. In truth, the QR code sends scanners to a malicious website that captures any personal information entered. 

    This method can seriously affect people’s trust in QR codes, making them ask, “Are QR codes safe?”

    Malicious OneService Lite QR code in Singapore

    Early into 2023, Singapore's Municipal Services Office (MSO) began receiving reports of a fake QR code mimicking the legitimate OneService Lite QR code.

    OneService is a platform launched by the Singaporean government that helps citizens submit their feedback to one singular portal. This facilitates the feedback process since concerned citizens don’t need to look up which agency or town council to contact. 

    Unfortunately, the fake QR code takes people to a feedback form where they must submit their personal information.

    This prompted the MSO to launch investigations into the matter. They and various town councils also initiated checks of every OneService Lite QR code and advised the public to verify the QR code's web address before submitting any information. 

    Are QR codes safe?

    With all these statistics and real-life examples of quishing, it’s easy to think that QR codes are too dangerous to use. But that couldn’t be further from the truth.

    While QR codes can provide access to malicious links, they don’t harm people. Just like a door, their only purpose is to let you in, even if the “room” you are entering can be dangerous.

    With a dynamic QR code generator online, you can guarantee safe and trustworthy QR codes. The best ones often use the most advanced safety tools, such as 2FA, internal audits, and 24/7 monitoring.

    How else can you secure a QR code and stay safe? By using another dynamic feature called password protection. Dynamic QR codes are more advanced and come with a password.

    If the password you know doesn’t work, you will be kept from accessing QR code content. When it comes to fake QR codes, this will keep you safe.

    QR code scanners also show previews of the links embedded within QR codes, which is another layer of security you can use to avoid malicious attacks. 

    To spot a secure link, look for a “lock” symbol when previewing it. This symbol means the link is encrypted and secured by a Secure Sockets Layer (SSL) certificate.

    What you must do to avoid quishing attacks

    To keep yourself from falling victim to quishing attacks, keep the following in mind before scanning QR codes:

    • Avoid scanning QR codes located in random or suspicious areas.
    • If you are in a public area, check for signs of tampering with the QR code.
    • Look for common indicators of a scam in emails that come with QR codes (bad grammar, typos, blurry images).
    • If the QR code asks for sensitive information, consider whether it is necessary to obtain what the code is supposed to give you.
    • Always check the URL address your camera or QR code scanner shows you after scanning a QR code. If the link looks suspicious, don’t access it.
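The last check in the list, comparing the scanned URL with the address you expect, can be automated in a scanner or kiosk app. This is an added example, not part of the original article; `check_qr_url` and the `city-parking.example` domain are hypothetical, standing in for whatever official domain the organisation publishes through another channel.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the official domain, obtained out of band (assumption).
EXPECTED = {"city-parking.example"}


def check_qr_url(url, expected_hosts):
    """Return the reasons a decoded QR URL should not be opened (empty = OK)."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if parts.username or parts.password:
        # "https://trusted-name@other-host/" displays the trusted name first.
        reasons.append("userinfo before '@' hides the real host")
    if not host:
        reasons.append("no host")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised (punycode) host")
    # Accept the expected domain itself or a true subdomain of it; a name that
    # merely starts with the expected domain is a lookalike and is rejected.
    if host not in expected_hosts and not any(
        host.endswith("." + h) for h in expected_hosts
    ):
        reasons.append(f"host {host!r} is not an expected domain")
    return reasons


if __name__ == "__main__":
    for u in (
        "https://pay.city-parking.example/ticket/123",
        "http://city-parking.example.pay-fines.test/t",
        "https://city-parking.example@203.0.113.7/pay",
    ):
        print(u, "->", check_qr_url(u, EXPECTED) or "matches expected domain")
```
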

    Create safe and trustworthy QR codes with QR TIGER

    If you’re considering using QR codes in your personal or professional life, you should always ensure the codes you generate are safe and secure. 

    We’ve covered how to do that. What you need to do next is find a safe, secure, and trusted QR code platform. 

    QR TIGER's system complies with GDPR and CCPA regulations and the security standards in ISO-27001, giving you secure, editable, and trackable QR codes. 

    We also offer a whole host of other features: password protection for your QR codes and two-factor authentication for your account. With these, you can rest assured that your scans are safe with us.

    Armed with key QR code phishing statistics and examples, your QR codes will be safe to use and trusted by all.