QR code scams rise as 73% of Americans scan without checking

Fox News

07-08-2025

By now, many of us have used QR codes as a way to quickly access menus, check into places, and make payments. But now, these convenient and contactless methods have become an easy target for cybercriminals. There has been a recent surge in "quishing" attacks, which are a form of phishing that uses QR codes instead of traditional methods like emails, text messages, and phone calls.
Quishing is proving effective, too, with millions of people unknowingly opening malicious websites. In fact, 73% of Americans admit to scanning QR codes without checking if the source is legitimate. As experts warn, this growing trend could put people's personal information and money at risk.
Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM/NEWSLETTER.
NordVPN's security researchers report that fake QR codes have tricked over 26 million people into visiting malicious websites. These codes hide in plain sight, too. In one case, they were stuck on top of payment portals, sending unsuspecting individuals to sites meant to steal their personal and financial data (e.g., passwords and credit card information). Some even installed malware on people's phones.
Even government agencies have taken notice. The FTC warned the public earlier this year that cybercriminals are now attaching harmful QR codes to packages and sending them to people. The New York City Department of Transportation issued warnings about fake QR codes appearing on parking meters of all places. Even Hawaii Electric chimed in, as they noticed scammers are using QR codes to steal payments.
These tactics mirror the ATM skimmer scam, where criminals place keypads designed to log keystrokes over an ATM to steal card information. But with QR codes, this tampering is harder to spot and easier to implement.
The original purpose of QR codes was to track auto parts, so making them secure wasn't part of the plan. Their widespread use today has made them irresistible to scammers. Unlike traditional phishing methods, they make it easy for cybercriminals to hide their destination until scanned, removing an important layer of user scrutiny.
Hackers are leveraging this ambiguity to deploy Remote Access Trojans (RATs) and infiltrate personal devices, including military networks. More than 26% of malicious links now come via QR codes, according to KeepNet Labs, a cybersecurity company specializing in AI-driven phishing simulation and human risk management. Soon, quishing will outpace conventional phishing.
If you scan QR codes regularly, you might be panicking. But don't be, since the same tricks for avoiding phishing scams can also work here.
Pause and consider the origin of every QR code before you pull out your phone. Quishing thrives on people scanning codes found on public signage, restaurant tables, packages, or payment terminals without questioning their authenticity. Cybercriminals often cover genuine QR codes with malicious ones that redirect users to fake websites meant to steal personal and financial information. Always ask yourself: Do I trust this location or the person who provided this QR code? If in doubt, don't scan.
Consider using a reputable personal data removal service. These services routinely scan the web for your personal details (like addresses, phone numbers, and emails), removing them from public databases where cybercriminals might collect information to personalize their quishing lures.
While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com/Delete.Get a free scan to find out if your personal information is already out on the web: Cyberguy.com/FreeScan.
Inspect the QR code's placement. Sophisticated scammers physically overlay fake QR codes on legitimate signs, especially on payment kiosks, parking meters, and package labels. If the QR code looks tampered with or is a sticker poorly placed over another code, avoid scanning it, as this is a common quishing tactic to redirect you to a malicious site.
After scanning any QR code, double-check the URL before clicking through. One of quishing's dangers is that QR codes obscure their destination until scanned. If the web address looks suspicious, misspelled, unusually long, or filled with random characters, close the browser immediately. Never enter sensitive details like passwords or credit card information on a site you weren't expecting to visit.
Install strong antivirus software across all your devices. Look for a solution that offers real-time protection, regularly updated threat databases, and built-in web protection. These tools can help detect malicious content hidden in QR codes and block dangerous websites that might automatically open after scanning. Since QR codes are increasingly used by cybercriminals to spread malware like Remote Access Trojans (RATs), having strong antivirus software in place is essential. To stay fully protected, make sure the software is set to update automatically and scan regularly.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices CyberGuy.com/LockUpYourTech.
Even if attackers capture your credentials via a fake QR code, two-factor authentication creates an extra barrier. Always activate 2FA on your accounts, especially for email, banking, and other sensitive services. It thwarts many of the most damaging results of phishing, including those initiated by QR code scans.
Whenever possible, manually navigate to websites instead of using a QR code, especially for payments, reservations, or account access. Searching for an event, restaurant, or service online reduces the chance of being tricked by a malicious redirect or fraudulent site.
Frequently update your phone's operating system and apps. Criminals often exploit software vulnerabilities, and manufacturers regularly issue security patches. Up-to-date devices are less susceptible to malware installed via malicious QR codes.
If you encounter what you believe to be a fraudulent QR code or fall victim to a quishing attempt, report it immediately to the organization involved and your local authorities or consumer protection agency. Your report helps others avoid similar attacks and keeps organizations alert to evolving scam tactics.
By applying these steps, you make it significantly harder for cybercriminals to use QR codes as a gateway to your personal or financial information. In a world where 73% of Americans scan QR codes without checking the source, increased caution is your first and best line of defense against the quishing surge.
QR codes are super convenient, but the risks they bring are becoming impossible to ignore. And you can count on scammers getting more creative as time goes on. That doesn't mean you have to stop using QR codes altogether, it just means staying informed and cautious is a must, because QR codes aren't going anywhere anytime soon.
Will you avoid QR codes from now on, or will you be extra cautious moving forward? Let us know by writing to us at Cyberguy.com/Contact.
Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM/NEWSLETTER.
Copyright 2025 CyberGuy.com. All rights reserved.