Cybercriminals weaponize QR codes in massive 2025 surge


05 January 2026

In the ever-evolving cat-and-mouse game of cybersecurity, attackers have dusted off a familiar technology to launch a sophisticated new wave of assaults. A recent report by Kaspersky has illuminated a troubling trend that defined the threat landscape in the latter half of 2025: a dramatic, fivefold escalation in phishing attacks utilizing QR codes. This specific vector, often referred to as "quishing," has rapidly transformed from a sporadic nuisance into a primary tool for digital infiltration, bypassing traditional defense mechanisms and targeting the weakest link in corporate security chains—the mobile device.

The data presented by Kaspersky paints a stark picture of this accelerating threat. Between August and November 2025 alone, the detection of malicious emails containing QR codes skyrocketed. In August, security systems flagged approximately 46,969 such incidents. By November, that figure had ballooned to an alarming 249,723. This steep growth suggests that cybercriminal syndicates have moved beyond testing phases and are now deploying this tactic at an industrial scale. The strategy is clear: overwhelm users with a volume of attacks that exploit the ubiquity and inherent trust associated with QR codes in modern business environments.

What makes this surge particularly dangerous is the tactical shift in how these codes are delivered. Rather than simply including a code in the body of a plain text email, which might trigger basic spam filters, attackers are increasingly embedding them within PDF attachments. This method serves a dual purpose. First, it effectively cloaks the malicious URL from many conventional email security scanners that primarily analyze text-based content. Second, it adds a layer of perceived legitimacy. A PDF attachment often mimics formal business documentation, such as an invoice, a contract, or an internal memo, which naturally prompts the recipient to engage with the file.

The ultimate goal of these campaigns is to migrate the attack from a well-protected corporate desktop environment to the user's personal or company-issued smartphone. When a user encounters a QR code on their computer screen, the natural reflex is to scan it with their phone. In doing so, they inadvertently bypass the robust firewalls, anti-phishing plugins, and safe browsing protocols that protect their workstation. Mobile devices, often lacking comparable enterprise-grade security software, become an open door for attackers to harvest credentials or install malware.

Roman Dedenok, an Anti-Spam Expert at Kaspersky, highlights that this evolution has made QR codes one of the most effective phishing tools of the year. The low cost of generating these codes, combined with their high success rate in evasion, has made them a favorite among threat actors. The campaigns are not limited to generic spam; they are becoming increasingly targeted. Common scenarios observed in late 2025 involved sophisticated impersonations of internal Human Resources departments. Employees would receive "urgent" notifications regarding policy changes, leave allocations, or even termination lists, all requiring a quick scan to access the documents.

Another prevalent tactic involves financial deception. Attackers distribute fraudulent invoices or purchase confirmations embedded with these malicious codes. In some particularly aggressive variations, these digital attacks are paired with "vishing" or voice phishing. The document might instruct the victim to scan a code or call a support number to resolve a billing discrepancy, trapping them in a high-pressure social engineering scenario designed to extract banking details or login credentials for critical services like Microsoft 365.

The implications for organizational security are profound. The rise of quishing exposes a significant blind spot in current defense strategies. As long as security training focuses solely on identifying suspicious links or attachments, employees will remain vulnerable to attacks that occur off-screen, on their handheld devices. The psychological element is also critical; the physical act of scanning a code feels distinct from clicking a link, often bypassing the internal "suspicion check" that users have developed over years of anti-phishing training.

To combat this rising tide, experts advise a multi-layered approach. Technical solutions must evolve to include advanced image recognition capabilities at the mail server level, capable of analyzing QR codes within attachments before they reach the user's inbox. However, technology alone is insufficient. Organizations must fundamentally update their cybersecurity awareness programs to treat QR codes with the same level of scrutiny as executable files or unknown URLs. In the face of this fivefold increase, the message for 2026 is clear: if you cannot verify the source, do not scan the code.
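As an added illustration (not code from Kaspersky or from this article), the sketch below covers only the routing step of such a mail-server check: it finds PDF attachments that carry embedded images and marks them for QR/image analysis, since a text-only URL scan cannot clear them. The function names and the sample message are constructed for this example, and the QR decoding itself is left to whatever image-analysis engine the gateway uses.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Image XObjects are stream objects, so their dictionaries stay readable in the
# raw bytes even when other PDF objects are packed into compressed object streams.
IMAGE_XOBJECT = re.compile(rb"/Subtype\s*/Image\b")
URI_ACTION = re.compile(rb"/URI\s*\(")  # link target stored as plain text

def triage_message(raw: bytes) -> list:
    """Return one finding per PDF attachment of an RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if b"%PDF-" not in data[:1024]:  # trust magic bytes, not the file name
            continue
        images = len(IMAGE_XOBJECT.findall(data))
        findings.append({
            "filename": part.get_filename(),
            "images": images,
            "visible_uri": bool(URI_ACTION.search(data)),
            # Embedded images mean a text/URL scanner alone cannot clear the file.
            "route_to_qr_scan": images > 0,
        })
    return findings

def build_sample() -> bytes:
    """Constructed message: one image-bearing PDF, one PDF with a plain link."""
    image_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
                 b"/Width 200 /Height 200 /Length 4 >>\nstream\n\x00\xff\x00\xff\n"
                 b"endstream\nendobj\n%%EOF\n")
    link_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://example.com/) >> >>\nendobj\n%%EOF\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "hr@example.com", "staff@example.com"
    msg["Subject"] = "Updated leave policy"
    msg.set_content("Please see the attached document.")
    for name, body in (("policy.pdf", image_pdf), ("notice.pdf", link_pdf)):
        msg.add_attachment(body, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Attachments flagged with `route_to_qr_scan` would be rendered and passed to the image-recognition stage; the rest can stay on the ordinary URL-scanning path.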
