Understanding QR code security issues for enterprise devices

QR codes have many uses for organizations and their employees, but cybercriminals can take advantage of them, too. IT should keep these risks in mind and learn how to avoid them.

QR codes are a common sight on everything from restaurant menus to billboards, but these seemingly benign codes can pose a serious threat to enterprise mobile device security.

Over the past few years, scanning a quick response code (QR code) has become a popular way to access paperless menus, carry out contactless transactions and more. Because of their convenience and growing ubiquity, however, QR codes are also a popular target for hackers seeking new ways to spread malware and steal information. Organizations should learn the different threats that might appear under the guise of a convenient QR code -- and how to avoid them.

For enterprise IT and security leaders, QR codes represent a growing form of social engineering rather than a novel technology risk. Because QR codes obscure destination URLs and are increasingly embedded in physical and digital workflows, they can bypass many of the visual and technical checks users rely on to assess links. This makes QR codes a relevant concern for mobile security, identity protection and user awareness programs.

What are QR codes?

People sometimes describe QR codes as 3D barcodes. They consist of a series of squares arranged into a much larger square, and function similarly to a barcode. While a barcode can normally only represent short alphanumeric strings, a QR code is able to store larger amounts of data.

QR codes are often used for advertising because they can store long strings of data, which makes them perfect for storing URLs. This capability has proved especially useful because smartphones are so widespread and can act as QR code scanners. Practically anyone can scan a QR code and be taken directly to the corresponding website without the hassle of manually typing out the site's address. As a result, advertisers prominently display QR codes on billboards, in magazines, on tradeshow booths and just about anywhere else a QR code is likely to attract attention.

As QR codes have become common across retail, hospitality and enterprise environments, they're increasingly used to link users directly to online content and transactions. This widespread adoption has also made QR codes an attractive vector for attackers looking to redirect users to malicious destinations or trigger unintended device actions.

QR code security issues

Although QR codes have numerous useful applications, bad actors can also use them for malicious purposes. In July 2025, the FBI released a warning that cybercriminals might send out unsolicited packages containing a QR code. If a victim scans this malicious QR code, it directs them to provide personal information or download malware. Scammers often look to the latest trends for new cybercrime tactics.

There are two main types of QR code exploits that cybercriminals use. The first is a QR code-based phishing attack, which is sometimes called quishing. This attack uses a QR code to lure a victim to a phishing page that hackers have designed to steal the victim's credentials, personal data or other sensitive information.

Figure: Example of a QR code-based phishing message, posing as a fake security update, designed to create urgency and prompt users to scan a QR code without verifying the destination.

The other main type of QR code attack is sometimes called QRLjacking. In this type of attack, hackers use a QR code to hijack an authentication session or redirect the victim to a malicious site. The attacker tricks the user into scanning a QR code that directs the user's device to a fraudulent URL, which captures the authentication token or session information and allows the attacker to take over the user's session.

Quishing uses QR codes to lure users into entering credentials on phishing pages, while QRLjacking uses QR-based login flows to hijack authenticated sessions without stealing passwords.

Besides these two basic types of attacks, QR codes can launch other types of actions at the device level. For example, a hacker might use a QR code to initiate a phone call or text message from the device that scanned the code. Under the right circumstances, hackers can even use QR codes to initiate a payment from the user's device or prompt the device to join a certain Wi-Fi network.
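As an illustration of the action types described above, the following added example (not part of the original article) classifies an already-decoded QR payload by the device action it would request and surfaces the real destination host for web links. The `classify_qr_payload` function, the trusted-domain list and the sample payloads are assumptions constructed for this sketch; the prefix table covers only a few common conventions.

```python
from urllib.parse import urlsplit
import ipaddress

# Payload prefix -> action a scanner app may offer. tel/sms/mailto/bitcoin/upi are
# URI schemes; WIFI: and SMSTO: are de facto QR conventions. Not an exhaustive list.
ACTIONS = {
    "tel": "place a phone call",
    "sms": "compose a text message",
    "smsto": "compose a text message",
    "mailto": "compose an email",
    "wifi": "join a Wi-Fi network",
    "upi": "start a payment",
    "bitcoin": "start a payment",
    "http": "open a web page",
    "https": "open a web page",
}

def classify_qr_payload(payload, trusted_domains=()):
    """Return (action, host, warnings) for a decoded QR payload string."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    action = ACTIONS.get(scheme, "show text / unknown")
    host, warnings = None, []
    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        if scheme == "http":
            warnings.append("unencrypted http")
        if parts.username is not None:
            warnings.append("userinfo before @ hides real host")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host (possible lookalike)")
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address host")
        except ValueError:
            pass  # ordinary DNS name
        if trusted_domains and not any(host == d or host.endswith("." + d) for d in trusted_domains):
            warnings.append("host not on trusted list")
    elif scheme in ACTIONS:
        warnings.append("non-web action: confirm before allowing")
    return action, host, warnings

# Constructed sample payloads (documentation domains and addresses only).
SAMPLES = ["https://portal.example.com/menu", "tel:+15550100",
           "WIFI:T:WPA;S:FreeGuest;P:constructed;;",
           "https://login.example.com@198.51.100.7/verify"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify_qr_payload(s, trusted_domains=("example.com",)))
```

The last sample shows why the URL preview matters: the text before the `@` looks like a familiar login host, but the device would actually connect to the IP address after it.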

Why QR code exploits work

In the past, if cybercriminals wanted to launch a phishing scam or lure potential victims to a malicious website, they would typically resort to using email. The problem with this approach, at least from the criminal's standpoint, is that there are telltale signs that an email is not legitimate, such as misspellings or links to sketchy URLs. Oftentimes a phishing message will ask a victim to take actions that seem completely illogical. Some more audacious examples include demands to pay a delinquent tax debt using Apple gift cards, or messages stating that the recipient has won a nonexistent lottery and must click a link to claim their winnings.

Even when a phishing message is more convincing, there are always indicators that the message is illegitimate. Anyone who knows what to look for and who takes the time to scrutinize such a message will have no trouble determining that the message is fake.

This is not the case for QR codes. People can read a phishing email to vet it for suspicious elements, but QR codes present no such opportunity. When a person scans a QR code, they must inspect the preview of the destination URL to know whether the code is legitimate ahead of time. That's what makes QR code-based attacks so devastating. The basic elements of the attack are no different from an attack that hackers spread through email. Because many victims don't think to assess the validity of a QR code, however, a QR code-based attack is more likely to succeed than an email-based attack.

Another problem with QR codes is that hackers can easily replace a legitimate QR code with a malicious one. For example, if a restaurant provides QR codes that link to its menus, an attacker could simply create stickers containing malicious QR codes and then place those stickers on top of the legitimate QR codes. There have also been incidents in which hackers have replaced a legitimate QR code in an email message with a malicious one. There are even incidents in which random QR codes are placed in public places on the off chance that someone will become curious enough to scan the code.

How organizations can protect against the dangers of QR codes

There are three things that organizations must do to protect users against QR code-based attacks. Consider the following steps to avoid the potential consequences of a fraudulent QR code:

  1. Make sure that users are running security software on any mobile device that has access to corporate resources. The software should be able to protect against device takeover attacks, phishing attacks and other mobile device exploits.
  2. Educate users on the cybersecurity dangers associated with scanning QR codes. Otherwise, users might not realize that QR codes can be problematic. Organizations should also take steps to prevent QR code phishing attacks, as QR codes are increasingly embedded in physical and digital workflows.
  3. Implement multifactor authentication requirements across the organization as an interim measure, and then gradually work on adopting an authentication system that does not rely on passwords. Many QR code-based attacks are designed to trick users into entering their passwords so that cybercriminals can steal their credentials. Working toward the elimination of passwords can help to thwart these types of attacks.

As QR codes continue to appear across physical spaces, digital communications and enterprise workflows, organizations should treat them as a form of social engineering rather than a one-off technical risk. Effective defenses combine user awareness, mobile security controls and strong authentication practices. Taken together, these measures help reduce the likelihood that a simple QR code scan becomes an entry point for broader enterprise compromise.

Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
