QR codes are embedded in the fabric of daily life. You scan them to pay for coffee, check into flights, connect to WiFi, and open restaurant menus. That ubiquity is exactly what makes them dangerous. In 2024, QR code phishing attacks surged by 587% according to research from Abnormal Security, making QR-based threats one of the fastest-growing vectors in cybersecurity. This guide covers everything you need to know to scan safely.
How QR Codes Work
A QR (Quick Response) code is a two-dimensional barcode that encodes data as a grid of black and white modules. Originally invented by Denso Wave in 1994 for tracking automotive parts, QR codes can store up to 4,296 alphanumeric characters in a single image. When you scan a QR code, your device decodes that pixel pattern back into text, which is most often a URL.
The critical security detail is that you cannot read a QR code with your eyes. Unlike a printed hyperlink where you can inspect the URL before clicking, a QR code is opaque until decoded. That asymmetry between visibility and action is the root of nearly every QR-based attack.
The Growing QR Code Threat Landscape
The pandemic accelerated QR adoption by years. Contactless menus, vaccination passports, and digital check-ins normalized the scan-and-go pattern for billions of people. Attackers noticed. According to data from multiple security research firms, QR-related threats have escalated rapidly:
- 587% increase in QR phishing (quishing) attacks in 2024 (Abnormal Security)
- 51% of users report scanning QR codes without verifying the source (Ivanti)
- Email-based QR attacks bypass traditional link scanners because the URL is embedded in an image, not in parseable text
- Physical QR overlay attacks require no hacking at all — just a sticker placed over a legitimate code
The combination of user trust, inability to visually inspect payloads, and the ease of creating malicious codes makes QR a near-perfect social engineering channel.
8 Types of QR Code Attacks
1. Quishing (QR Phishing)
The attacker sends a QR code — via email, flyer, or poster — that links to a credential harvesting page. The fake site mimics a login portal for Microsoft 365, Google Workspace, or a banking service. Because the QR code is an image, email security gateways that only extract and scan URLs from message text never see the link and let the message through.
2. QR Code Overlay (Stickering)
A malicious QR sticker is placed on top of a legitimate one. Parking meters, restaurant tables, and public transit stops are common targets. The victim trusts the context — "it is on the parking meter, it must be real" — and scans a code that redirects to an attacker-controlled payment page or phishing site.
3. Malicious URL Redirects
The QR code points to a seemingly benign short URL (like a bit.ly link) that redirects through multiple hops before landing on a malicious destination. URL shorteners add an extra layer of obfuscation, making it harder for the user to evaluate the final target.
4. WiFi Network Spoofing
QR codes can encode WiFi credentials in the format WIFI:T:WPA;S:NetworkName;P:password;;. A malicious code could auto-connect your device to a rogue access point controlled by the attacker, enabling man-in-the-middle attacks on all your subsequent traffic.
5. Payment Fraud
Attackers replace legitimate payment QR codes with their own. This is especially prevalent in markets where QR-based payments are standard (much of Asia, parts of Europe, and growing in the US). Victims send funds directly to the attacker's account.
6. Social Engineering QR Codes
A QR code on a fake "urgent security notice" or "package delivery" card prompts the user to scan and follow instructions on a malicious page. The sense of urgency bypasses critical thinking — a classic social engineering tactic delivered through a novel medium.
7. Malware Delivery
On mobile devices, a QR code can trigger a download prompt for a malicious APK (Android) or direct the user to a page that exploits a browser vulnerability. While modern mobile operating systems have robust sandboxing, sideloaded apps remain a risk on Android devices where "Install from unknown sources" is enabled.
8. Data Harvesting
Some QR scanner apps themselves are the threat. They request excessive permissions — contacts, location, storage — and upload scanned data to remote servers. The user installs the app to scan a code and unknowingly provides the app with ongoing access to their device data.
5 Red Flags of a Suspicious QR Code
- Physical tampering. Look for stickers placed over original codes, misaligned printing, or a code that appears to have been pasted on after the fact. Legitimate QR codes in commercial settings are usually printed directly onto the material.
- Unsolicited delivery. A QR code that arrives in your email, text message, or mail that you were not expecting should be treated with the same suspicion as an unexpected link. If a "bank" emails you a QR code, call the bank directly.
- No context or branding. Legitimate QR codes are typically accompanied by branding, a description of what you will see when you scan, and contact information. A bare QR code on a plain sticker is a red flag.
- Urgency or threats. "Scan immediately to avoid account suspension" is textbook social engineering. Legitimate organizations do not require you to scan a QR code under time pressure.
- The decoded URL looks wrong. After scanning, inspect the URL before opening it. Does it match the expected domain? Look for subtle misspellings (g00gle.com), excessive subdomains (login.microsoft.com.attacker.xyz), or non-HTTPS schemes.
7 Safe Scanning Practices
- Use a scanner that shows the URL before opening it. This is the single most important defense. If your scanner automatically opens links in a browser without previewing them, switch immediately. PrivyQR displays the decoded content and lets you decide what to do with it.
- Inspect the URL carefully. Check the domain, look for HTTPS, and be wary of URL shorteners. If the link goes through a shortener, consider expanding it first using a service like CheckShortURL.
- Check for physical tampering. Before scanning a public QR code, run your finger over it. If it is a sticker placed on top of another code, do not scan it.
- Do not scan QR codes from untrusted emails. If you receive a QR code via email, even from what appears to be a known sender, verify through a separate channel before scanning.
- Keep your device updated. Operating system and browser updates patch known vulnerabilities that could be exploited via malicious landing pages.
- Use a privacy-first scanner. Avoid apps that require an account, request unnecessary permissions, or send scanned data to remote servers. Client-side scanning eliminates the data exfiltration risk entirely.
- Enable multi-factor authentication everywhere. If a phishing attack does capture your credentials, MFA prevents the attacker from using them to log in.
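The checks listed above (WiFi payload format, look-alike domains, brand names buried in unrelated hosts, URL shorteners, non-HTTPS schemes) can be applied to the decoded text before anything is opened. The following browser-side routine is an added example and is not PrivyQR's own code; the EXPECTED_DOMAINS and SHORTENERS lists are constructed for the illustration, and WiFi backslash escaping is not handled.

```javascript
// Added example, not PrivyQR's code: inspect decoded QR content before it is opened.
// EXPECTED_DOMAINS and SHORTENERS are constructed lists for this illustration.
const EXPECTED_DOMAINS = ['microsoft.com', 'google.com'];
const SHORTENERS = ['bit.ly', 't.co', 'tinyurl.com'];

// True when host is the domain itself or one of its real subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse a WIFI:T:WPA;S:NetworkName;P:password;; payload (backslash escapes not handled here).
function parseWifiPayload(text) {
  const fields = {};
  for (const part of text.slice('WIFI:'.length).split(';')) {
    const idx = part.indexOf(':');
    if (idx > 0) fields[part.slice(0, idx)] = part.slice(idx + 1);
  }
  return { type: 'wifi', ssid: fields.S, auth: fields.T,
           flags: ['joins a network; confirm the SSID is the one you expect'] };
}

// Classify the decoded text and return the red flags a user should see before acting.
function inspectQrPayload(text) {
  if (text.toUpperCase().startsWith('WIFI:')) return parseWifiPayload(text);
  let url;
  try { url = new URL(text); } catch (e) { return { type: 'text', flags: [] }; }
  const host = url.hostname.toLowerCase();
  const flags = [];
  if (url.protocol !== 'https:') flags.push('non-HTTPS scheme');
  if (SHORTENERS.some((s) => hostMatches(host, s))) flags.push('URL shortener hides the final destination');
  const trusted = EXPECTED_DOMAINS.some((d) => hostMatches(host, d));
  // Brand name buried in a different registrable domain, e.g. login.microsoft.com.attacker.xyz
  for (const d of EXPECTED_DOMAINS) {
    if (!trusted && host.includes(d)) flags.push(`"${d}" appears inside unrelated host ${host}`);
  }
  // Digit-for-letter substitutions such as g00gle.com
  const deleet = host.replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e');
  if (!trusted && deleet !== host && EXPECTED_DOMAINS.some((d) => hostMatches(deleet, d))) {
    flags.push(`look-alike of ${deleet}`);
  }
  return { type: 'url', host, flags };
}

console.log(inspectQrPayload('http://login.microsoft.com.attacker.xyz/auth').flags);
```

A scanner that surfaces these flags next to the decoded text gives the user the inspection step a printed hyperlink would have allowed.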
Why Client-Side Scanning Matters for Security
Most QR scanner apps operate on a simple model: your camera captures the code, the app decodes it, and the result is often sent to a server for analytics, ad targeting, or "threat analysis." That server-side hop creates a new attack surface — and a privacy risk.
Client-side scanning, the approach used by PrivyQR, processes the QR code entirely within your browser. The image data never leaves your device. There is no server to breach, no analytics pipeline to leak your scan history, and no third-party dependencies that could be compromised. It is a fundamentally more secure architecture for a task that does not require server involvement.
For a deeper dive into the privacy implications, see our article on why privacy matters when scanning QR codes.
Business Implications and Enterprise Scanning Policies
Organizations face unique QR code risks. An employee scanning a malicious code on a corporate device could provide an attacker with a foothold on the enterprise network. QR codes on conference badges, in lobbies, or on marketing materials represent an attack surface that most security policies do not address.
We recommend that enterprises develop a formal QR code security policy covering approved scanning tools, employee training, physical security for printed codes, and incident response procedures for QR-based attacks. For a detailed framework, read our guide on QR code security for business.
Scan QR codes safely with PrivyQR. 100% client-side processing — your data never leaves your device.