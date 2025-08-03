When QR codes first hit the scene, they were a niche tool, employed by factories to track inventory or by museums to offer visitors unique interactive experiences. The pandemic made them more ubiquitous, and they can now be found everywhere from air travel to parking payments.

QR codes make our lives easier in a number of ways, but unfortunately, they also seem poised to make it a lot harder. As their popularity has risen, scammers have started to eye them as their next target for exploitation.

"As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they're simultaneously useful and dangerous," BlueVoyant Senior Director of Proactive Cybersecurity Services Dustin Brewer told CNBC.

Brewer told the network that hackers are using the codes to trick unsuspecting people into visiting malicious websites or giving away sensitive personal information. This type of scam is called "quishing."

Quishing appeals to scammers because of how easy it is to execute. There are plenty of free QR code generators online, and all it takes is slapping one on a sticker at a parking meter or slipping a pre-printed letter into your mailbox to get things going.

"The crooks are relying on you being in a hurry and you needing to do something," University of Rochester electrical and computer engineering professor Gaurav Sharma told CNBC.

As safeguards have been put into place to crack down on the number of traditional phishing e-mails going around, and as consumers wisen up to old-school text and phone scams, crooks have had to get creative with their tactics.

And get creative, they are. NordVPN told CNBC that 73% of Americans scan QR codes without verifying their authenticity. This has led to upwards of 26 million people being directed to malicious sites.

Part of the reason quishing scams are so successful is that we aren't yet well-versed in how to recognize them. A report published by the cybersecurity platform KeepNet found that only 36% of quishing scams have been accurately identified and reported.

"The cat and mouse game of security will continue and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener," Sharma told CNBC.

Companies are working to fortify QR codes against intrusion, and to educate the public on how to spot potential scams that use the codes, but say there's still a long way to go.

"QR codes weren't built with security in mind, they were built to make life easier, which also makes them perfect for scammers," Rob Lee, chief of research and chief of AI at SANS Institute, told CNBC. "We've seen this playbook before with phishing emails; now it just comes with a smiley pixelated square. It's not panic-worthy yet, but it's exactly the kind of low-effort, high-return tactic attackers love to scale."

