QR codes have been around for three decades, but it wasn’t until the COVID-19 pandemic hit in 2020 that they got wide use, with restaurants, health care facilities, and other businesses turning to them to customers contactless ways to read menus, buy items, or track the health of people in their buildings.

Around the same time, hackers began running QR code phishing – or “quishing” – campaigns that send emails containing links to what seem to be legitimate companies but contain malicious QR codes used to steal money or credentials and other information.

Attacks leveraging QR codes have evolved quickly in the past couple of years, according to threat researchers with Check Point Software, with the latest iteration using HTML and ASCII characters to create QR codes rather than simply using an image of a code.

“It started with standard MFA authentication requests,” Jeremy Fuchs, cybersecurity researcher and analyst at Check Point, wrote in a report. “It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of QR codes.”

Enter HTML and ASCII

The fake QR codes are written in HTML using ASCII characters with the goal of bypassing OCR (optical character recognition) engines that are used to recognize text within a digital image. They’re typically used to recognize text in scanned documents and images, but they also can help cybersecurity teams inspect, identify, and classify images, which can help detect fraud, compromised credentials, and other threats.

The HTML-created QR codes, threat actors are “putting in small blocks in the HTML,” Fuchs wrote. “In the email it will look like a QR code. But to typical OCR, it doesn’t look like anything.”

Researchers with Check Points Harmony Email unit have seen more than 600 emails with these fake QR codes since late May. He wrote that there are websites bad actors can use to automatically generate these QR codes and configure them to include malicious links.

First Came Authentication Requests

Many of these new QR code phishing attacks are centered around requests for the targets to re-authenticate for accounts from legitimate companies, with one shown in the Check Point report looking like it’s coming from Microsoft about multifactor authentication. Because the QR code has ASCII characters behind it, security system may ignore it, thinking it’s a clean email.

“Attack forms all evolve,” Fuchs wrote. “QR code phishing is no different. It’s unique, though, that the evolution has happened so rapidly. It started off with standard MFA verification codes. These were pretty straight forward, asking users to scan a code, either to re-set MFA or even look at financial data like an annual 401k contribution.”

The next iteration – what Fuchs called QR Code Phishing 2.0 – involved conditional routing attacks, where the link adjusts to where the victim is interacting with it. If the target is using an Apple Mac system, one link appears. Another one will appear if the user is on a smartphone running Android.

“We also saw custom QR Code campaigns, where hackers are dynamically populating the logo of the company and the correct username,” he wrote.

This newest phase (“QR Code 3.0”) is more of a manipulation campaign, where it is using a text-based representation of a QR code rather than a traditional one.

“It also represents how threat actors are responding to the landscape,” he wrote. “Practically every email security vendor made a huge splash about new QR code protection. … Many use some form of OCR. Hackers know this and have adjusted their campaigns accordingly. It’s the never-ending cat-and-mouse game of cyber security. Hackers find something to exploit. Cyber security defenders find a solution. Hackers find something to exploit. And so on.”

Check Point’s Harmony Email and Collaboration suite has had OCRs in place since 2019, he added.

QR Code Use Takes Off

The pandemic was a turning point for QR code use. The technology was introduced in 1994 by Toyota, which used it track automobile parts in the production process, but it wasn’t until 2010 that it began to be used more widely. In 2011, 14 million mobile device users – or about 6.2% of all mobile users in the United States – scanned a QR code on their device.

Use slowly ramped up during in the following years, but began to spike as the pandemic settled in and it has continued to grow since. In 2020, 70.6 million smartphone users used a QR code scanner, according to market research firm Statista. Last year, 94.1 million smartphone users did, and that number is expected to grow to 100.2 million in 2025.

Also growing are the warnings from cybersecurity vendors and government agencies about quishing attacks. The U.S. Federal Trade Commission in December 2023 issued an alert about the proliferation of such scams, noting that some bad actors covering up the QR codes on parking meters with their own malicious codes. The agency urged people to be skeptical of a QR code seen in an unexpected place and not to scan a QR code in a text or email they weren’t expecting.

To combat the latest tactic, Check Point said security pros should implement tools that automatically decode QR codes in emails and analyze the URLs for malicious content, use security that rewrites the embedded QR code in the email body and replaces it with a safe rewritten link, and use AI that can look at multiple indicators of phishing.