A surge in quishing scams the cybercrime technique that uses fake QR codes to prey on unsuspecting people, is quickly reshaping the threat landscape in the United States. As detailed in a recent report from Keepnet Labs, over 26 million Americans have landed on malicious websites in the past year after scanning counterfeit QR codes, a number drawing the attention of regulators and cybersecurity experts alike. Scammers are embedding these deceptive codes in public spaces, emails, and even packages, making it too easy for nearly anyone to stumble into their traps without a clue until it is too late.
So, how did quishing get such a strong foothold? Much of it comes down to convenience meeting complacency. QR codes have become part of daily life, from restaurant menus to parking meters and parcel tracking. Their visual simplicity and mobile-first design appeal to users who have come to trust that scanning a random code is generally safe. That trust is exactly what criminals are counting on, and this year, the tactics have grown alarmingly sophisticated.
Attackers start by placing their fake codes in high-traffic locations. Imagine heading to pay for parking, only to have your phone redirected to a site that copies the look of your bank. Or getting a package in the mail, scanning an included code to track it, and ending up on a page that harvests your personal information. These QR code phishing attacks aim to grab sensitive details like login credentials, banking information, or prompt you to download malware. Sometimes the losses are relatively small, just a few dollars for a bogus subscription. But for others, especially those who share bank details, the consequences can be far more severe.
Regulators are catching on. The Federal Trade Commission has issued formal warnings, alerting the public that QR codes are not quite as innocent as they seem. The Commission has described how scammers are using QR codes to hide links to phishing sites, malicious downloads, or fake login pages. Many victims do not realize they have been duped until they spot unauthorized transactions or have their accounts locked down. This guidance comes as organized crime groups are increasingly implicated in the growth of quishing scams, which are believed to be significantly underreported by victims.
The data tells a clear story. Quishing attacks surged over the last two years, with nearly 2% of all scanned QR codes now classified as malicious. Security researchers observed spikes in QR code phishing incidents, with more than 8,000 cases reported during a three-month period last year alone. Despite these alarming figures, only about a third of the scams are accurately identified and reported by those affected. That leaves the vast majority of attacks flying under the radar, letting cybercriminals improve their tactics and continue targeting new victims.
Certain industries have become prime targets. Sectors such as energy, manufacturing, technology, and financial services are viewed as especially lucrative or vulnerable. In fact, research indicates the energy sector receives nearly a third of all quishing-related phishing emails. This trend highlights how criminal groups are focusing their efforts where the payoff might be highest, sometimes bypassing individual consumers in favor of big institutions, but often snaring both along the way.
The rise of AI has added fuel to the fire. Cybercriminals are using artificial intelligence to automate and personalize phishing campaigns, generating fake websites and emails that are tough to spot even for savvy internet users. These AI-powered attacks are contributing to the sense that nobody is entirely safe, regardless of how mindful they are.
People can take steps to reduce their risk, such as verifying the source of any QR codes before scanning, being suspicious of unsolicited codes in emails or on packages, and watching for warning signs like odd web addresses or requests for personal data. The ongoing advice from consumer protection agencies is simple, but bears repeating: if something feels off, trust your gut and do not hand over your information.
As QR codes become even more embedded in everyday transactions, Americans should expect quishing scams to continue evolving. The convenience is undeniable, but as millions have already learned, convenience without caution can be costly.
