QR codes becoming new trap for phishing: Planet VPN
4.2 million quishing cases in H1 2025
The black-and-white squares seen on parking meters, in restaurants or even received in emails appear harmless, but cybersecurity experts warn that these QR codes are the new instrument of cybercriminals, with an increasing number of ‘quishing’ attacks.
Phishing attacks using QR codes have become the latest tool in the armoury of cyberthieves, says a new study by Planet VPN, a provider of virtual private networks.
In a press statement, Planet VPN says that the threat from misuse of QR codes has become so serious that in early January, the United States Federal Bureau of Investigation (FBI) issued a warning against syndicated cybercrimes by North Korean cybercriminals who used fake QR codes to steal sensitive information. Such attacks are on the rise not just in the US but in other countries as well, experts suggest.
It says that unlike traditional phishing, quishing tricks users into scanning malicious QR codes instead of clicking suspicious links. These codes lead to malicious websites. Many countries have even issued warnings that these malicious codes are placed over legitimate codes in public places such as kiosks, restaurants and parking meters. Quishing scams are also rising in email inboxes. As per the FBI, Kimsuky, a North Korea-linked cybercriminal group, targeted employees by embedding malicious codes in emails and presenting them as a way to download additional information.
Last year, the United Kingdom government warned motorists against QR codes on parking machines, while the US Federal Trade Commission flagged a separate scam involving unexpected packages containing QR codes that lead to phishing websites.
How does it work
Cybersecurity experts at Planet VPN suggest that the method remains similar regardless of the place where the QR code appears. Once scanned, the user is forwarded to a fake website which mimics a real one, designed to harvest the user’s credit card details.

“Quishing is phishing–just in a different wrapper. A QR code can lower people’s guard because this technology became ubiquitous only during the pandemic, and the threat still isn’t as widely recognised. It also shifts the ‘risky click’ from a visible link to a quick scan, making the danger easier to miss. Attackers are refining these tactics every year and constantly finding new ways to trick users,” says Konstantin Levinzon, Co-Founder of Planet VPN.
Cybercriminals favour QR codes because they often bypass anti-phishing and scam filters, which focus only on analysing text and links, not images. Cybercriminals also bypass QR code detection by making QR codes in different colours.
Cybersecurity firm Proofpoint estimates that 4.2 million QR-code related threats were recorded in the first half of last year alone. Levinzon believes the real number is likely much higher, as many such scams go undetected.
Cyberattacks in India
According to the Press Information Bureau (PIB) of India, cybersecurity incidents have seen a sharp increase, from just over 1 million cases in 2022 to 2.27 million in 2024, highlighting the expanding scope and sophistication of digital threats in the country. Alongside this surge, the financial impact has also intensified, with cyber frauds amounting to INR 3.65 billion reported on the National Cyber Crime Reporting Portal (NCRP) as of February 28, 2025.
To counter the rising threat from quishing, experts advise users to be mindful while scanning QR codes. A major red flag is being asked to enter payment or login details immediately after scanning. Similarly, QR codes sent via unsolicited emails should always be treated with suspicion. Levinzon advises contacting the sender directly before entering login data or downloading files.
“We recommend applying the same logic everywhere: stay skeptical whether you receive a message from a coworker or on your personal social media account. However, vigilance is only part of the story. To maximise security, users also need basic safeguards: use a VPN on public Wi-Fi, install updates promptly, use strong passwords, and enable multi-factor authentication on all accounts,” adds Levinzon.








