This October, in celebration of 2025 Cybersecurity Awareness Month and its theme “Stay Safe Online,” we’ll be sharing weekly resources — including blog posts, training videos, and infographics. Each release will spotlight key topics to help strengthen your internal cybersecurity campaigns.
In less than a decade, we’ve gone from QR codes being relatively unknown amongst the masses to being so commonplace that even my mom knows what they are. They’re in restaurants, on signposts, in magazines, on television, and even in our email. We use them to fill out forms, access menus, or easily find websites. We’re so accustomed to them that we don’t think twice about whipping out our phones, pointing our cameras at those little squares, and accessing the data associated with them. This familiarity is a double-edged sword: QR codes are a fantastic tool for communication, but they can be dangerous in the wrong hands. How do we trust the data behind the code? Let’s dig into that.
Before we get started, let’s make sure that we’re all on the same page. What is a QR code? According to Wikipedia, “A QR code, short for quick-response code, is a type of two-dimensional matrix barcode invented in 1994 by Masahiro Hara of the Japanese company Denso Wave for labelling automobile parts.” Interestingly, the same Wikipedia page gives us some insight into QR code adoption. In June 2011, 14 million Americans had scanned a QR code or barcode; by 2022 that number had climbed to 89 million Americans. According to QRCodeChimp, 44.6% of internet users worldwide scan at least one QR code each month.
Here is an example of a QR code that will direct you to the Fortra website (https://www.fortra.com). Simply point your cell phone camera at the image to see it in action.
Now that you know what a QR code is, let’s talk about the risks associated with QR codes. We’re going to talk about three specific areas – QR codes in public, QR codes on the internet, and QR codes in email. Currently, the most prolific threat happens to be QR codes in your email, which is why this blog will focus primarily on email QR codes, but the other two are also worthy of some discussion.
QR Codes in Public
It feels like QR codes are unavoidable. Some restaurants provide their menu via QR codes, movie theaters may display QR codes to download the theater’s app to play along with the pre-movie quiz, and even lamp posts can be covered in flyers containing these seemingly innocuous little codes.
But these little squares containing multitudes of tinier squares can be quite dangerous. Just like a malicious link in a phishing email, they’re designed to lure you in and convince you to take action. You need to be careful before you follow a URL provided by a QR code to ensure you know where that URL is going. If it is a shortened URL (like a tinyurl or a bitly address), it is even harder to know if you can trust the end result. For that reason, you must exercise caution when visiting these links or scanning the QR codes.
Since QR codes are simple to generate and stickers are cheap to produce, malicious actors will sometimes produce fake QR code stickers to place over the real QR codes, allowing the presentation of the code to add an air of authenticity. Always double check what you are scanning and verify before you open any links, email any email addresses, or call any phone numbers.
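The advice above boils down to inspecting the decoded payload before acting on it. The following is an added example, not code from the original post: a small Python triage routine that classifies whatever text a scanner decodes (URL, email address, phone number, or something else) and lists the reasons a defender would want a second look. The shortener list is a constructed illustration, not a complete or authoritative one, and the sample IP address is from a documentation range.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed example list of URL-shortener hosts; extend from your own policy.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}


def triage_qr_payload(payload: str) -> dict:
    """Classify the text decoded from a QR code before anyone acts on it.

    Returns {"kind", "target", "warnings"} so the reader can check whether
    the real destination is one they recognise and trust.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    warnings = []

    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if scheme == "http":
            warnings.append("plain HTTP: destination can be tampered with in transit")
        if "@" in parts.netloc:
            warnings.append("userinfo before the host can disguise the real domain")
        if host in SHORTENER_HOSTS:
            warnings.append("URL shortener: real destination hidden until the redirect")
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        return {"kind": "url", "target": host, "warnings": warnings}
    if scheme == "mailto":
        return {"kind": "email", "target": parts.path,
                "warnings": ["opens a draft to an address you did not type"]}
    if scheme in ("tel", "sms"):
        return {"kind": "phone", "target": parts.path,
                "warnings": ["dials or texts a number you did not choose"]}
    if scheme:
        return {"kind": "other", "target": text,
                "warnings": [f"unrecognised scheme '{scheme}': may launch an app"]}
    return {"kind": "text", "target": text, "warnings": []}


if __name__ == "__main__":
    # Constructed sample payloads a scanner might decode from a sticker or flyer.
    for sample in ("https://www.fortra.com", "http://bit.ly/3xyz",
                   "https://203.0.113.5/login", "mailto:someone@example.com"):
        print(sample, "->", triage_qr_payload(sample))
```

A payload with an empty warnings list is not proof of safety; it only means the destination is shown plainly, so you can still decide whether you recognise it.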
QR Codes on the Internet
You’re browsing a website, and a pop-up presents you with a QR code… what do you do? Personally, I would ignore it. There are very few legitimate reasons why a QR code needs to be contained on a website. Most of the time, I would tend to conclude that it was likely a scam or a malicious actor and steer away.
Where might you find valid QR codes on the internet? When browsing vendor documentation, reading a PDF report, or looking at a slide show. QR codes are a quick way to direct you to a mobile app, link you to the source of a report, or provide contact information at the end of a presentation.
When you find yourself in a situation where you are presented with a QR code on the internet, ask yourself if it makes sense. Was it the only way to convey the information or the fastest way to convey the information? Typically, a webpage could just present a link instead of a QR code, so there needs to be a valid and justifiable reason as to why the QR code was used. Accessing a mobile app or obtaining a presenter’s contact information after a presentation are two very justifiable reasons to have a QR code.
QR Codes in Email
Sometimes I forget just how long I’ve been using the internet, but in the 30+ years that I’ve been on the internet, I’ve sent and received email. That’s a lot of email messages and, in all those years, I’ve never once received a valid email containing a QR code. Yet, somehow, we have the term “quishing” to define QR code phishing.
My general rule is that a QR code doesn’t belong in email and, if I see one, I’m immediately on edge questioning why it exists. I would never reach for my phone and scan the QR code. Instead, I would assume a malicious actor has sent me an email that I need to avoid. However, we’ve been trained, through all the other uses of QR codes, to scan them and react to them. That training, combined with the psychology of phishing, makes the quishing email particularly dangerous.
So, if you see an email in your inbox that contains a QR code, think twice about it. Who sent it? Why did they send it? Were you expecting to see it? If you can’t answer the questions, steer clear. It is better to be safe than sorry, and quishing is one of those places where it is quite easy to find yourself in a less-than-ideal situation with one misclick.
At the end of the day, QR codes are a great way to convey information. They are useful in our day-to-day lives. I’ve used them in advertisements in comic books as a quick way for readers to access the material I’m advertising, and they work great. However, just like a URL, you need to trust the destination. You need to know that you will end up somewhere safe. Scanning an unknown QR code is a lot like walking down a dark alley in the bad part of town, fanning yourself with hundred-dollar bills. You should be safe to do it, but it is not a wise choice to make when bad actors are around. So, think twice about scanning that QR code, and, if you do scan it, think again about the destination data associated with the scanned item. If you aren’t sure, don’t take the risk.
Learn how cybercriminals exploit QR codes to launch quishing scams, and what you can do to stay safe. Click here to access a printable PDF.