QR codes are everywhere now. You see them on restaurant menus, emails, posters, bills, packages, and even login screens. Most people have learned to be careful about clicking suspicious links, but many still assume QR codes are safe.
New research shows that assumption can be a problem.
Researchers at Deakin University are warning that scammers are now using colorful and customized QR codes to trick people into giving away personal information. This type of scam is called “quishing,” which is simply phishing done through a QR code instead of a web link.

Why QR Codes Can Be Risky

When you click a normal link, you can usually see the web address first. Security systems can also check that link before you open it.
QR codes work differently.
You don’t see where they lead until after you scan them with your phone. That means both people and security software often miss warning signs.

Even worse, scammers are now making QR codes look decorative or professional so they don’t raise suspicion. These newer codes may use colors instead of black and white, include company logos in the middle, use rounded or artistic shapes, or blend images into the background of the code. They still scan perfectly, but they can hide dangerous websites.

A Growing Problem

Security reports show QR-code scams are increasing quickly. About 22 percent of QR-related attacks are now phishing scams. Studies show that 73 percent of Americans scan QR codes without checking where they lead, and more than 26 million people have already been redirected to harmful websites through QR scans.

Government agencies are taking notice. The Federal Trade Commission has warned people to be cautious about QR codes found on unexpected packages, and New York City officials recently discovered fake QR codes placed on parking meters that were designed to steal payment information.

Hackers, including organized international groups, have also used QR codes in emails that send victims to fake login pages meant to steal passwords for services such as Microsoft 365 and workplace systems.

Why Phones Make It Harder to Catch

Many QR scams work because people scan codes using their phones. Once scanned, the phone opens a webpage directly, often skipping safety checks that computers or email systems might normally perform.
Some scams also send users through several website redirects to hide the real destination, making detection even more difficult.

A Possible Solution

Researchers are now developing tools that check a QR code before it opens a website. One new system looks at how the QR code is built, not just where it goes, and warns users if the design appears suspicious.
The goal is simple: stop the scam before the harmful page ever opens.

How to Stay Safe

You don’t need to stop using QR codes, but it helps to treat them like unknown links. Avoid scanning codes from unexpected emails or packages. Be cautious of stickers placed over existing QR codes in public places. If a scan asks you to log in, take a moment to double-check the website address. When possible, go directly to a company’s official website instead of scanning a code.
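Treating a scanned code like an unknown link can be done in software too. The sketch below is an added example, not a tool from the researchers or from this article: it takes the text decoded from a QR code, walks a recorded redirect chain offline, and reports warning signs before anything is opened. The function names, the hop limit, the redirect map (assumed to come from a sandboxed fetcher that records each Location header) and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed limit; anything still redirecting after this stays unresolved

def resolve_chain(url, redirects, max_hops=MAX_HOPS):
    """Follow a recorded map of url -> Location value without touching the network."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain

def host_flags(url):
    """Return (host, flags) for one URL in the chain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username or parts.password:
        flags.append("userinfo-in-url")  # e.g. https://bank.example@other.test/
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # possible lookalike characters
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    return host, flags

def assess_qr_payload(payload, redirects, expected_hosts):
    """Check every hop, then compare the final host with the hosts the user expects."""
    chain = resolve_chain(payload.strip(), redirects)
    findings = []
    for hop in chain:
        findings += [f for f in host_flags(hop)[1] if f not in findings]
    first_host, final_host = host_flags(chain[0])[0], host_flags(chain[-1])[0]
    if first_host != final_host:
        findings.append("redirects-to-different-host")
    if chain[-1] in redirects:
        findings.append("chain-not-fully-resolved")
    if final_host not in expected_hosts:
        findings.append("final-host-not-expected")
    return {"final_url": chain[-1], "hops": len(chain) - 1, "findings": findings}

# Constructed sample: a short link that bounces through a tracker to a login page.
SAMPLE_REDIRECTS = {
    "https://short.example/q/8f2": "http://track.example/r?id=1",
    "http://track.example/r?id=1": "https://login.portal-example.test/signin",
}
```

An empty findings list only means none of these particular checks fired; it is not proof that the destination is safe.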

QR codes are convenient, but scammers are counting on people trusting them too quickly. A little caution can keep a quick scan from turning into a big problem.

Below is a short video explaining “quishing” from IBM Technology.
