In this article, we’ll look at QR (Quick Response) code scams and the risks they bring to your users and your business. We’ll discuss how QR code scams work, different flavors to look out for, and why they’re such a great way for criminals to fool us.

Just like with any threat, the best way to protect your business is to make sure it never shows up in front of your users, so we’ll also go into how Hornetsecurity’s Advanced Threat Protection (ATP) (Which includes our new and unique QR code analyzer) works to protect your business, as  we combat QR code phishing with the launch of unique new technology.


Mit dem Laden des Videos akzeptieren Sie die Datenschutzerklärung von YouTube.
Mehr erfahren

Video laden

A Quick Response way to get compromised

Let’s start with the basics. QR (Quick Response) codes were invented in Japan over 25 years ago to track car parts in the supply chain. Today QR codes are everywhere in our everyday life: want to see the restaurant menu on your phone? Just scan the QR code. Need to pay for your car parking?  Scan the QR code. Must sign into the venue for Covid-19 tracking? Scan the QR code. Need to pay a delivery fee for your parcel? Just scan the QR code in this email.

Hopefully, you see the pattern here; we’re training people to scan QR codes as a “normal activity” with the expectation of something good or useful happening as a result. Plus, unlike an actual website address at the bottom of a business card or a movie poster – we have no way to tell if the QR code leads to a legitimate site or experience or not.

Deciphering URLs in any case is very hard to do, and even experienced security professionals can’t easily tell if an address is safe or dangerous. But at least with a written-out web address, you have some chance of judging how trustworthy it looks – with a QR code you’re completely in the dark.

For QR codes you scan with your phone – make sure to use the preview feature  which shows you the URL that the QR code is pointing to before actually opening it in the browser.

Generating a QR code (and thus QR code scams) is easy; use any of the many free generators online. All you need to do is enter the URL you want to be embedded in the image, download the resulting QR code, and put it on your restaurant menu or in your email footer.

For example, this QR code leads to Hornetsecurity’s home page, but there’s no way to tell that by looking at it:

QR Code example

There’s no such thing as a malicious QR code itself; it’s the target of the link that might be a promotion for a new product, with the opportunity to win a new laptop or a phishing site that’ll steal your information for criminal purposes. So, whenever someone talks about legitimate QR codes or a fake QR code, they’re referring to the target URL of the QR code image.

The links in QR code scams can also lead to a file download(PDF, Word document, etc.) or an application that can contain malware that will infect your device. Once the infection takes place, the malware can continue to spread and conduct its illicit activities.

Other behavior that is seen is that scanning a QR code can create a new email in your mail program and send it *on your behalf*! Since it will be from you, it will increase the likelihood that the recipients will trust the content – which could be another malicious QR code. Surprise!

QR Code scams

classification of emails

The main attack vector in a business setting for targeted malicious QR code scams is via email. Other avenues to get the QR code in front of your users include printed snail mail marketing and of course, printing QR codes out as QR code stickers and sticking them over existing ones in restaurants, etc. around your office buildings.

This approach requires physical proximity and will also give a jarring experience for end users – if they’re expecting a cafe menu when they scan the QR code but get a site where they have to login, they’re much more likely to sense that something is off.

Hence, criminals will attempt to craft their QR code attacks so that it matches as much as possible with users’ expectations. Incidentally, QR scams of sticking fake QR codes on parking meters to harvest credit card details were successful in San Antonio and other US cities in recent years.

Here’s a breakdown of all the business email Hornetsecurity filtered in 2022 from our 2023 Cyber Security Report. As you can see just over 40% was unwanted and out of that, 5% was malicious.

Also from our 2023 Cyber Security Report, here’s the breakdown of different email attack techniques in 2022.

The reason email-borne QR code scams are on the rise is because most email filtering systems are very good at catching standard malicious links. The way this attack typically works is an attacker compromises a legitimate website and uses it to send out emails with normal text links to the site embedded along with some enticing reason for the user to click the link.In many cases, malicious payloads are hosted there for the users to unknowingly download malware.

Alternatively,the site shows a “real looking” login page to harvest the user’s username, password, and potentially other sensitive information.

That all said, most email hygiene solutions cannot scan a QR code or images of any kind and thus are completely oblivious to the danger lurking in those little black and white QR code squares, increasing the risk that the attacker slips their malicious link through your defenses.

A common, generic (meaning it’s not customized to your organization, but simply sprayed out to millions of email inboxes) type of QR code phishing email attack is “failed delivery by FedEx” or a similar shipping company. Scanning the QR code will allow you to pay a fee to release the (non-existent) parcel.

Another variant is the failed payment lure, where you scan the QR code and then have to enter some details on a page to finalize a payment.

As you can appreciate, the hit rate on these types of attacks will be very low, but if you can send them out in sufficient numbers, even a small number of people falling for these QR codes can bring in serious amounts of money.

Attack Type Usage in 2022

What’s more concerning, however, is targeted QR code attacks (a form of spear-phishing) where phishing emails are customized to your organization and users, which if done well, can substantially increase the risk of compromise. The lures in these phishing emails will be especially compelling for your users, possibly matching other emails they are expecting, with content that is “normal” for them to deal with, perhaps containing financial information.

This could be because they’ve compromised an email system at another organization and have investigated what normal email traffic looks like and then spring QR code phishing scams, with an even higher likelihood of trust, as the email with the fraudulent QR code will be coming from a trusted business partner.

Stop malicious QR codes in their tracks

The new QR Code Analyzer is a unique feature of Hornetsecurity’s Advanced Threat Protection and is built in to help you avoid QR code scams. There aren’t even configuration options for it in the Control Panel, it just scans every single QR code in each email, follows the link, and verifies if it’s malicious or not. Simple!

Just like with any other malicious content in an email, emails with QR code scams will be blocked before they reach end-user mailboxes.

And that’s the mark of good security products; they do their work unseen in the background, keeping your users safe and protected, in this case from a QR code scam.

Learn more about Advanced Threat Protection and QR code fraud in our webinar.

Outside of business email, to complete the protection of your users from fake QR codes, include the following regarding QR codes in your regular cyber security awareness training:

  • Don’t ever pay invoices or fees via a QR code, wherever it’s displayed. Connect to the organization’s website in your browser instead and look up any required payment there;
  • Don’t use a QR code analyzer app for scanning QR codes on your phone; both the Android and iOS’s camera apps have this functionality built in;
  • Always use the URL preview after the QR code is scanned to see the link that the QR code sends before opening it in your browser;
  • If any link (from a QR code or otherwise) looks suspicious, pick up the phone and call to double-check before proceeding. Better safe than sorry. This is particularly important if the email or linked website’s URL deals with financial information.

Make sure you get the best email protection for your business’s Microsoft 365 tenant plus backup with Hornetsecurity’s 365 Total Protection; click here to start your free trial today!

To properly protect your Microsoft Office 365 environment, use Hornetsecurity Microsoft 365 Total Protection, 365 Total Backup, and 365 Total Protection Enterprise Backup to securely backup and replicate your Microsoft 365 critical data. 

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Advanced Threat Protection, Email Encryption, Email Archiving, and VM backup strategies.

To keep up to date with the latest Microsoft 365 best practices, become a member of the Hornetsecurity blog now (it’s free).

On top of that, our latest technology innovation to combat QR code scams is acknowledged by Dark Reading and Continuity Central.

Frequently Asked Questions

How does a QR Code Scam Work?

Since no one can visually see what URL a QR code image points to without scanning it and because QR codes are now becoming such a normal part of our lives, they’re an excellent way to trick users into opening a malicious URL. The scam itself can be a traditional phishing site, harvesting your bank or Office 365 or other site’s credentials, a download of malware, or anything else dangerous.

What's the easiest way to spot a QR Code Scam?

Carefully previewing the URL after scanning the QR code, but before proceeding, is your end user’s only protection, although it’s notoriously hard to read web addresses, especially if they’re shortened with bitly or similar services. As with any other scam, if there’s urgency in the email or site (“fill this in now or lose access in the next 12 hours!” or “only the first 100 hundred visitors are in with a chance to win”) that is a big red flag, designed to make you act from an emotional place, rather than rationally thinking through what’s on the page.

How can I protect myself from QR Code Scams?

Don’t use a QR code analyzer app (use the built-in camera app), don’t sign up for cryptocurrency schemes based on a QR code, and above all, use Hornetsecurity’s Advanced Threat Protection QR code scanner to make sure you don’t have to worry about fraudulent codes or bad QR codes in the first place.