QR code phishing is becoming hard to ignore as attacks grow rapidly. In the first quarter of 2026 alone, “quishing” incidents spiked by 146%, with nearly 18.7 million cases recorded in March, according to threat intelligence data.
NEW YORK CITY, NY / ACCESS Newswire / June 3, 2026 / Compared to traditional phishing, which operates on a visible layer through suspicious links and emails, QR-based attacks operate in a blind spot. The malicious destination sits in another layer until the code is scanned, allowing attackers to bypass security filters.
As QR codes are now part of the daily transactions-from restaurant menus to parking payments-this low-visibility tactic is rapidly scaling across trusted environments.
Impact is no longer conceptual, as financial consequences for businesses become evident, reportedly losing over $1 million per incident, including reputational damages to customer trust and brand credibility.
At the same time, consumer behavior is seen shifting: nearly four in 10 users now hesitate to scan QR codes due to security concerns, signaling that the threat is not only growing, but actively altering how people engage with the technology.
QR Code Adoption is Now Mainstream-But So is Abuse
QR codes have moved far beyond being a 2D barcode that works as a shortcut to digital content. They are now deeply embedded in payments, logistics, marketing, and identity systems.
According to new research from QR code generator platform QR TIGER on the physical-to-digital bridge, the 70% increase in adoption has also led to the proliferation of malicious QR code scams, with 18% of users having already fallen victim.
Many of these scams mimic common QR code use cases, playing on users’ trust. This happens mostly in parking payments, as 44% of people use QR codes to complete transactions.
Fox News reports that recently, drivers in the United States, particularly in California, Connecticut, Illinois, New Jersey, New York, North Carolina, Texas, and Virginia, have been targeted by a text scam purporting to be a traffic violation notice. It includes a fake payment QR code that prompts people to pay $6.99.
A similar case is also happening in Alabama. Police in Anniston found QR code scams circulating, posing as court notices for traffic violations, according to various news reports. The fake notices prompt people to scan the code and click the link to make an immediate payment.
The same incident was also cited in 2025. Fake QR code stickers were spotted in parking meters in Denver, Colorado. The codes led to websites imitating the city’s legitimate parking payment portal.
Quishing is not an isolated case in the West. Recently, about 150,000 accounts associated with scam centers in Southeast Asia have been disabled, on top of the 10.9 million accounts and over 159 million scam ads it removed on major social networking platforms in 2025. This is a coordinated crackdown by authorities from Thailand, Singapore, and the US.
Criminal scam centers are often based and fully operate in Cambodia, Myanmar, and Laos. They send people QR codes and trick them into scanning them, linking the scammer’s device to their account.
How Quishing Erodes Legitimate QR Ecosystems
Around 40% of users cite security concerns as the main reason they don’t scan a QR code, suggesting that 4 in 10 people skip QR codes, regardless of whether they are legitimate. Avoidance from users also grew by 53% in emails and messages, 47% in public bathrooms, and 46% on random flyers.
Business email compromise (BEC) attacks that use QR codes also victimize people by impersonating trusted individuals, such as a CEO, finance manager, or HR representative, to create a sense of urgency and gain compliance.
Information security officer at cybersecurity firm, John Shier, told The Independent that the QR codes are increasingly being used in place of traditional links within phishing emails, making malicious messages harder to detect.
Scammers embed QR codes that conceal the destination until scanned. This tactic reduces visible warning signs, allowing fraudulent emails to appear more legitimate while increasing the likelihood that users will engage with harmful content.
A report by the UK’s national fraud and cybercrime reporting center revealed that more than 2 incidents occur daily, costing about £10,000 ($13,000) a day. Between April 2024 and April 2025, the organization recorded 784 reports of quishing.
The ‘QR Code Maturity Gap’-How It Enlarges the Attack Surface
The growing adoption of QR codes has made them a target of abuse. But the problem is not the technology; rather, it lies in the complacency around security during deployment. The report describes this as the “QR Code Maturity Gap.”
Despite the high QR code adoption rate among organizations, QR use remains surface-level, risking security. Findings from the survey indicate a 43% gap in security and privacy disclosures, a 41% gap in clarity of purpose, and a 34% gap in identification or branding, affecting users’ growing hesitation to scan a QR code.
These factors create a critical failure point as users cannot reliably distinguish legitimate QR codes from fraudulent ones, making them vulnerable to scams. When this happens, businesses suffer lower engagement, reputational damage, and lost trust.
Improving Scan Confidence is a Shared Responsibility
Given that QR codes operate across multiple environments, all stakeholders are accountable for closing the maturity gap. Improving user trust in the technology is their shared responsibility.
According to the report, 48% of users cite content previews as the top factor boosting trust in QR codes, which gives them a glimpse of the information embedded in the code. Other elements building user trust are verified branding (42%) and official logos (38%), which together provide a means of identifying genuine implementations.
The findings suggest that clear branding, concise labels, and previews help users identify the source and purpose of a QR code or link, thereby strengthening brand trust and communicating legitimacy amid growing scams and cyberattacks. Additionally, businesses must adopt an advanced QR code management platform that supports branded domains, anti-phishing indicators, and secure redirection features.
“Displaying visible domains, content previews, and HTTPS-secured pages, and recognizable logos or clear branding can reassure users that the source and destination are legitimate, while confirmation prompts for payments or logins add an extra layer of security,” says Benjamin Claeys, CEO of QR TIGER.
Trust can be further reinforced through broader measures such as government regulations and public awareness campaigns, which 24% of users believe make QR codes more reliable. This signals a stronger safeguard as QR adoption expands globally.
_______________________________
Methodology: QR TIGER surveyed 1,548 respondents aged 25-44 across the US, Europe, and the Asia Pacific in December 2025. The survey used single- and multiple-choice questions and Likert-scale items to assess QR code users’ expectations and perspectives on security, value, design, and friction points.
___________________________________________________________________________________________________
About QR TIGER
QR TIGER is a leading global platform for creating dynamic QR codes that help businesses connect offline experiences to measurable online engagement. Trusted by over 850,000 brands worldwide, QR TIGER provides customizable, trackable, and secure QR code solutions designed to enhance marketing, operations, and customer engagement.
Media Contact
Edrian Ostulano
PR and Communications Manager
edrian@qrtiger.me
SOURCE: QR TIGER
View the original press release on ACCESS Newswire
Media gallery
