QR codes are everywhere: restaurants, transportation, advertisements… and, unfortunately, also in cyberattacks. Their ease of use has made this technology a powerful tool for cybercriminals. More and more scams are using QR codes to deceive users in a technique known as QRishing (phishing through QR codes).

How Does QRishing Work?

Attackers create malicious QR codes and distribute them through various means, such as:

  • Emails: Containing QR codes that redirect users to fraudulent websites.
  • PDF Documents: Files embedding deceptive QR codes.
  • Physical Posters: Stickers or printed materials placed in public locations that lead to malicious sites.

When scanning these codes, the user may be directed to:

  • Fake websites imitating legitimate platforms like banking services or social media, aiming to steal credentials.
  • Malware downloads that compromise device security.
  • Sites running malicious scripts or requesting permissions to access sensitive information.

Example of QRishing via email
QR codes mimicking Microsoft for two-factor authentication setup

In February 2025, QRishing campaigns were reported where cybercriminals impersonated delivery services and banks, sending fraudulent emails with QR codes that redirected users to fake login pages to steal credentials and banking information. These tactics have proven to be highly effective, as users often trust the authenticity of a QR code without questioning its origin1.

Why Is It Dangerous?

  • Difficult to detect: Traditional security systems do not analyze QR codes, as they are considered images, not links.
  • Lack of visibility: The user cannot see the URL before accessing it, increasing the risk of being deceived.
  • Use of personal devices: Many people scan QR codes with their personal phones, which may have fewer security measures than corporate devices.

According to cybersecurity experts, the use of QR codes in phishing attacks has increased significantly in recent months. Campaigns have been detected targeting both individuals and businesses, where attackers send emails with malicious QR codes to steal credentials or install malware2.

How to Protect Yourself

  • Verify the source: Be cautious of QR codes in emails or public places that do not come from a trusted source.
  • Use secure scanning apps: Some apps allow you to preview the URL before opening it.
  • Do not enter sensitive information: Avoid providing credentials or personal data on websites accessed via a QR code without verifying their authenticity.
  • Cybersecurity awareness training: Implement security awareness programs so employees can recognize and avoid these attacks.

Continuous Security for Businesses

Cybersecurity is an ongoing process. At Flameera, we offer solutions to protect businesses from threats like QRishing:

  • 24/7 Monitoring: Detecting and responding to suspicious activities in real time.
  • Training and awareness programs: Conducting QR phishing attack simulations to train employees.
  • Vulnerability analysis: Identifying and fixing weaknesses in the company’s infrastructure.

Is your company prepared to face these threats?

Contact Us

At Flameera, we help strengthen your team’s security and prevent them from falling for these scams.

  1. Atención a los códigos QR en los correos electrónicos: los hackers los usan para robar datos - El Confidencial Digital 28/02/2025 ↩︎

  2. QR, Whale Phishing e IA: Evolución de la Ingeniería Social - Silicon 25/02/2025 ↩︎