QR code-based phishing has become one of the fastest-growing threats in email security in 2025. According to recent analyses by Kaspersky, the number of malicious QR codes in emails increased massively in the second half of 2025. Between August and November, the number of malicious QR codes identified rose from 46,969 to 249,723. Within just four months, this represents an increase of more than fivefold. The strongest growth was observed in November, which indicates a targeted intensification of such campaigns.
From a technical point of view, QR codes are particularly well suited for phishing attacks because they can conceal malicious URLs and bypass classic security mechanisms. While many email gateways analyse text-based links, QR codes often escape this scrutiny. Attackers embed the codes either directly in the message text or – increasingly – in PDF attachments disguised as business documents. The aim of this method is to persuade recipients to scan the code with a smartphone. Mobile devices in the corporate environment often have fewer protective mechanisms than work computers, making it easier for attackers to obtain access data, internal information or financial data.
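The gap described above, where a gateway analyses text links but not codes carried in images or PDF attachments, shown as an added example (not from Kaspersky or the original article): a triage routine walks a message's MIME parts and puts decoded QR payloads through the same URL policy as text links. The sample message, the `TRUSTED_HOSTS` allowlist, the function names and `sample_decoder` (a stand-in for a real QR decoding library) are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TRUSTED_HOSTS = {"intranet.example.com"}  # constructed allowlist (assumption)

def build_sample() -> bytes:
    """Constructed message: no link in the text, one PNG and one PDF attached."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "hr@example.com", "staff@example.com"
    msg["Subject"] = "New holiday regulations"
    msg.set_content("Please scan the code in the attached document.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\nconstructed", maintype="image",
                       subtype="png", filename="logo.png")
    msg.add_attachment(b"%PDF-1.7\nconstructed", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()

def sample_decoder(data: bytes) -> list:
    """Stand-in for a real QR decoder: the constructed PDF 'contains' one code."""
    return ["https://login.example.net/session"] if data.startswith(b"%PDF") else []

def triage(raw: bytes, decode_qr) -> dict:
    """Extract text links AND QR payloads, then apply one policy to both."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_urls, carriers, qr_urls = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_urls += URL_RE.findall(part.get_content())
        elif ctype.startswith("image/") or ctype == "application/pdf":
            carriers.append(part.get_filename() or ctype)
            payloads = decode_qr(part.get_payload(decode=True))
            qr_urls += [p for p in payloads if URL_RE.fullmatch(p)]
    untrusted = [u for u in text_urls + qr_urls
                 if (urlsplit(u).hostname or "") not in TRUSTED_HOSTS]
    return {"text_urls": text_urls, "carriers": carriers, "qr_urls": qr_urls,
            "untrusted": untrusted,
            # True when a scanner that only reads text links would see nothing
            "missed_by_text_scan": not text_urls and bool(qr_urls)}

if __name__ == "__main__":
    print(triage(build_sample(), sample_decoder))
```

In a real pipeline the `decode_qr` hook would render images and PDF pages and run an actual QR decoder over them; the policy step stays the same.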
In terms of content, QR code phishing campaigns follow recurring patterns. Fake login pages for Microsoft accounts or internal company portals are used particularly often to capture user names and passwords. Alleged communications from the HR department, for example regarding new holiday regulations, internal lists or supposed restructuring, are also common. Another observed variant combines QR code phishing with telephone fraud attempts: after scanning the code, victims are directed to a page that prompts them to make contact by telephone. In these cases, social engineering is used specifically to increase credibility and obtain sensitive information.
According to Kaspersky, this attack technique became particularly established in 2025, as it can be implemented with little effort and promises a high success rate. Embedding malicious QR codes in PDF documents that are visually adapted to regular business communications increases the likelihood that employees will not question the content. Without additional technical protective measures and user awareness, the risk of data theft, account takeovers and the resulting financial and operational damage increases significantly.
To reduce the risk, Kaspersky recommends several basic protective measures. These include critically examining emails and attachments and verifying sender details before opening them. Before entering personal or financial information, the destination address should be carefully checked, especially for discrepancies or inconsistencies. In the event of compromised access data, affected passwords should be changed immediately and not reused for multiple services. In addition, enabling multi-factor authentication for all available accounts is recommended. At the organisational level, companies should implement comprehensive security solutions that can detect and block both known and new threats.
Source
Kaspersky: Analysis of QR code-based phishing in email traffic, second half of 2025

