Is that QR code a trap? How to spot quishing scams before it’s too late


qrpurple-gettyimages-1371105440

BlackJack3D/ iStock / Getty Images Plus via Getty Images

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • The QR code in your email or attachment could be a scam.
  • QR code phishing bypasses MFA, leading to data theft.
  • How quishing attacks work, and what you can do to stay safe. 

Ever had a QR code land in your inbox and curiosity get the better of you?

When we think of phishing and scams, many of the oldest tricks are those we still encounter daily — emails claiming we have long-lost relatives who’ve left us an inheritance; ‘Facebook’ warning that our accounts will be frozen unless we reply promptly; fake lottery wins; and unwanted solicitations from so-called investors willing to transfer us millions of dollars. 

Also: Mobile phishing is a bigger threat than email now

However, times are changing. Recruitment scams are becoming sophisticated enough to convince job seekers to engage; AI is being used to humanize and improve phishing attempts and even automate entire attack chains; and now, an attack vector is emerging that weaponizes QR codes to bypass multi-factor authentication (MFA), steal our data, and hijack our accounts.

Quishing: QR fraud on the rise

Quishing, or QR code-based phishing, embeds malicious links in QR codes to bypass traditional phishing filters and slip through security nets. The lure is the same: create a sense of urgency, appeal to our greed, instill fear and panic, or promise rewards for scanning the QR code with our phones and clicking the embedded link to visit an online page or platform. 

Also: Microsoft goes all in on new AI-powered Windows security strategy

A QR code phishing scheme can take many forms. A fake message from your bank, an email congratulating you on a lottery win, or an urgent message from your social media provider. Once you’ve scanned the code and clicked the link, you could end up in a domain designed to steal your data or compromise an account you own.

According to Hoxhunt’s 2026 Phishing Trends Report, basic QR-code phishing messages via email are on the decline, but they are re-emerging as an attack vector hidden in scam email attachments, such as in malicious PDFs. 

Overall, QR code phishing attacks increased by 25% year-over-year. It’s not just digital spaces, either, as QR codes have also been spotted in physical spaces, embedded in posters or emblazoned on fake business cards, according to the report. 

How attackers dodge MFA defenses

Hothunt’s research is supported by a June notice from Google’s Trust & Safety team warning that traditional email attack vectors are being replaced by adversary-in-the-middle (AITM) and quishing attacks.

Quishing pairs with AITM by disguising malicious links in a format that’s hard to read or detect by security filters. According to both Google and Microsoft, this is how it works: You receive a quishing email, and curiosity lures you into scanning the code. You are then sent to a cloned website that appears to be the domain of a trusted service, such as a bank, financial services provider, or even a work platform. 

Also: How to make a QR code for free

You then submit your credentials, allowing the attacker to bypass existing multi-factor authentication (MFA) protections because you believe you are logging into a trusted website. They can then capture your password and session token, leading to data theft, account compromise, and more. 

What makes this tactic more dangerous than traditional phishing, especially for businesses, is that victims use their handsets to scan a QR code, bypassing network-based security and safety nets, such as phishing detection.

The Microsoft Defender team has observed QR code-based cybercriminal campaigns growing from 10% to 30% of total phishing campaigns in recent months. 

How to avoid falling for QR-code phishing

As QR codes hide destinations, links, and content in an image-like format, we can’t see what is in them or verify their origins easily — which is why blindly scanning and following a QR code is risky.

QR codes, especially those you aren’t expecting, should be treated with the same suspicion as emailed links or attachments. Just because the format is different, the phishing angle remains the same: to coerce or exploit a victim’s curiosity and lure them into clicking and visiting a malicious online resource. The only difference here is the delivery mechanism — instead of a straightforward link or file, a victim uses a camera to scan.

Also: The best malware removal software: Expert tested and reviewed

The best advice here is to stay cautious. If you receive an email containing a QR code that appears to be from your bank, visit your bank’s official website in a separate tab or open your bank’s mobile app. Even if a message seems legitimate, for safety and security, you should not click links, open attachments, or scan QR codes unless you are completely sure the source is legitimate and the message’s contents are safe.

Keep in mind, too, that QR code threats aren’t limited to emails. See that QR code sticker slapped on a lamp post near your favorite store? Even physical QR code stickers can harbor a serious threat to your privacy and security. 





Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


Google Pixel 10a

Kerry Wan/ZDNET

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • Android 17 is here, along with the June Pixel Drop.
  • The OS is rolling out to Pixel devices first.
  • Users are getting upgraded productivity, security, and more.

Android 17 is officially here, and it’s a doubly good day for Pixel users, as it’s bringing the June Pixel Drop with it.

Google has rolled out its annual OS update and its latest collection of Pixel-exclusive features at the same time, and the updates pack not only some practical features that will make an impact on how you use your phone daily, but also security protections, some new translation tricks, and more. Pixel Watches — the 2 and later — are included, too, with a potentially life-saving feature addition.

Also: I’m a devoted iPhone user but Android 17 is tempting me with its new video and social features

Here’s a look at what’s new in Android 17, which starts rolling out today to Pixel phones first and then to other devices “throughout 2026,” along with what’s new in the June 2026 Pixel Drop.

What’s new in Android 17?

Since many manufacturers now offer longer update windows, usually 4 to 7 years, a wide range of devices are eligible. The updated OS starts rolling out today to Pixel 6 phones and newer. Samsung’s Galaxy S23 series and newer will get it as One UI 9, along with the Flip 5 and newer, Galaxy A24 and newer, and Tab S9 series. OnePlus will bring Android 17 to the OnePlus 11 and newer.

1. App Bubbles

Perhaps the most useful feature is Bubbles, which lets you turn any app into a floating bubble on your main screen. All you have to do is long-press an app, and it becomes an easy-to-access bubble. If you consistently switch back and forth between apps or need to access a certain app often, like a map or airline app while you’re on a trip, you can now find what you need more quickly.

Pixel Folds are getting a special Bubble Bar at the bottom of the screen that lets you organize, move, and access your recent bubbles from one dedicated space.

2. Additional security

Android 17 is also bringing boosted security. 

To start, you can now grant an app temporary access to your exact location and share only specific contacts. 

Additionally, an enhanced “Mark as lost” feature, located in Find Hub, lets you lock a missing phone with your biometrics, so even if a thief has your passcode, they can’t access anything on your device or turn off tracking. 

Improvements to Live Threat Detection block more suspicious apps and scams, Google explained, and enhanced Advanced Protection mode helps keep you safe from sophisticated threats. Lastly, Google is reducing the number of times someone can attempt to guess your PIN and adding longer wait times between failed attempts.

Also: How to clear your Android phone cache – the 30-second routine every user should be doing

3. Screen reactions and more

Also new is Screen Reactions, which lets you take a selfie video overlaid on a screen recording in lieu of a green screen; a 50/50 gaming mode with a dynamic pad for foldables; and built-in parental controls beyond Pixel devices, so you can set screen time limits and content filtering with a PIN, even if you don’t link your Google Account.

What’s in the June Pixel Drop?

Beyond Android 17, Pixel users are getting several Pixel-specific upgrades in the June Pixel Drop.

1. Custom greetings for Take a Message

Introduced in 2025, Take a Message expands on the Pixel call screening feature and gives you a real-time transcript of what the caller is saying, along with AI-generated follow-up steps. Now, Take a Message has custom greetings, letting you record a personalized outgoing message instead of the default voice.

2. New AI models

Two new AI models are making their way to Android phones. The first is Gemini Omni, a new way to create and edit videos. Gemini Omni lets you type in a prompt and get a custom, high-quality video. This is available on all devices with the Gemini app for Gemini Pro users only.

Also: Everything we saw at Google I/O: Gemini 3.5, Android XR glasses, Spark, and more

Also on the way is Lyria 3, which lets you create original tracks using text prompts or images as inspiration. You can prompt Gemini with the style, vocals, and tempo you want. This is coming to all Android 17 Pixel phones and Folds.

3. Voice Translate for the Pixel 10a

One of the Pixel 10 series’ exclusive features is Voice Translate, which provides a real-time translation on phone calls in the speaker’s voice. ZDNET’s Sabrina Ortiz tried the feature last fall, noting how quickly the feature worked and how well it copied her voice. Voice Translate is getting a small expansion, coming to the Pixel 10a.

Also: iOS 27 envy? 4 features you can already use on an Android phone (including Samsung models)

4. Android Quick Share expansion and more

Pixel users are also getting an expansion of Android Quick Share compatibility with AirDrop, coming to the Pixel 9a and Pixel 8a, and an expansion of Magic Cue to more apps, coming to the Pixel 10 series.

What’s new for Pixel Watches?

Pixel Watches are only getting one new feature, but it’s a potentially big one. Core detection features, including Car Crash Detection, Fall Detection, and Loss of Pulse Detection, are getting emergency sharing. If a severe event is detected, Google explains, your Pixel will call emergency services and notify your chosen contacts. You can toggle emergency contacts on or off for each type of event.

Also: This silent Android feature scans your photos for ‘sensitive content’ – how to uninstall it

Fall Detection is coming to the Pixel Watch, plus the 2, 3, and 4, while Car Crash Detection is coming to the Pixel Watch 2, 3, and 4. Loss of Pulse Detection is only coming to the last two generations, the Pixel Watch 3 and 4.





Source link