QR codes were designed to make life simple: scan, click, done. But in 2024 and 2025, criminals have weaponized this convenience through a rising attack called “quishing” (QR phishing). The scam works by tricking people into scanning malicious codes that lead to credential-harvesting sites or malware downloads. Unlike traditional phishing emails with suspicious links, quishing bypasses many security filters because the dangerous URL is hidden behind a QR code image.
Attackers slip these codes into emails, posters, fake parking meters, or even restaurant menus. Once a code is scanned, the victim is directed to what looks like a familiar login page—Microsoft 365, Google, or a bank portal—and asked to “verify” credentials. In January 2025, security researchers reported a surge in quishing campaigns targeting corporate employees, with attackers embedding malicious QR codes into invoices and HR documents sent via email. One U.S. city government also disclosed that scammers pasted fake QR code stickers on parking meters, redirecting drivers to fraudulent payment pages.
Why does this work so well? Humans are conditioned to trust QR codes as neutral technology, and most mobile devices don’t show the full URL before loading the site. For businesses, the risk is even greater: a single compromised employee can expose company email, cloud storage, and sensitive files. Defending against quishing requires a mix of awareness and technical safeguards. Users should preview links before opening (many phones allow long-press to display the URL), avoid scanning codes from unverified sources, and be skeptical of QR codes received in email attachments. Organizations should implement mobile device protections, URL filtering, and employee training specifically addressing quishing.
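One way to turn the "preview the URL before opening it" advice into a check, as an added example that is not from the original article: screening the text decoded from a QR code for the indicators the campaigns above rely on (brand names on an unrelated domain, credentials before an `@` that hide the real host, IP-literal hosts, plain HTTP, redirect-style parameters). The trusted-domain list and brand keywords are constructed placeholders an organization would replace with its own allow list.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# Constructed allow list: registrable domains of the brands the article
# names as commonly impersonated. Replace with the organization's own list.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "google.com"}
# Constructed keywords that a lookalike login page typically uses.
BRAND_KEYWORDS = ("microsoft", "office365", "google", "login", "verify")


def registrable(host: str) -> str:
    """Last two labels of a hostname (example.net from a.b.example.net)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_url(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload looks like quishing ([] = clean)."""
    reasons = []
    p = urlparse(payload.strip())
    if p.scheme not in ("http", "https"):
        return [f"non-web scheme: {p.scheme or 'none'}"]
    if p.scheme == "http":
        reasons.append("plain http (credentials would travel unencrypted)")
    host = (p.hostname or "").lower()
    if p.username is not None:
        reasons.append("userinfo before @ hides the real host")
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (possible homograph) host")
    if registrable(host) not in TRUSTED_DOMAINS:
        hits = [k for k in BRAND_KEYWORDS if k in host + p.path.lower()]
        if hits:
            reasons.append(f"brand words {hits} on untrusted domain {registrable(host)}")
    for key, values in parse_qs(p.query).items():
        if any(v.lower().startswith("http") for v in values):
            reasons.append(f"open-redirect style parameter '{key}'")
    return reasons
```

Feed the function the string a QR decoder returns; a non-empty list is a reason to block or warn before the browser ever loads the page.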
Ultimately, quishing is a modern twist on an old trick—social engineering—but one made more dangerous by the fact that it hides in plain sight. The message is clear: in 2025, even a simple scan can be the start of a cyberattack.