Cybercriminals have found a new favorite disguise – and it’s hiding in plain sight.
According to a new report from Kaspersky, phishing attacks using malicious QR codes surged more than fivefold in the second half of 2025, signaling a sharp evolution in how attackers bypass traditional email security defenses and trick users into handing over credentials.
Between August and November 2025 alone, detections of phishing emails containing malicious QR codes jumped from 46,969 to 249,723, a dramatic increase that security experts warn is unlikely to slow down in 2026. The findings were published by Kaspersky on January 22, 2026, and reflect a growing trend in low-cost, high-impact social engineering tactics.
Why QR Code Phishing Is Taking Off
QR codes offer attackers a powerful advantage: they conceal malicious URLs from many traditional email scanners.
Instead of embedding a clickable link, attackers place a QR code directly inside the email body or, more commonly, within PDF attachments. Victims are encouraged to scan the code using their smartphones, devices that often lack the same level of protection as corporate laptops or desktops.
Once scanned, the QR code redirects users to phishing pages or fraudulent services, all without triggering basic URL inspection tools at the email gateway.
Security teams at Saintynet Cybersecurity note that this shift reflects a broader attacker strategy: moving away from obvious links and toward image-based and cross-device attacks that exploit gaps between email security, endpoint protection, and user behavior.
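The gap described in this section can be shown with a small gateway-side triage routine. This is an added example, not code from Kaspersky or any product: it parses a constructed message, shows that a text-only URL scanner finds nothing, and flags the PDF or image parts that need image/QR analysis. The lure wording and the list of carrier types are assumptions.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr code)\b", re.I)   # assumed lure wording
CARRIERS = {"application/pdf", "image/png", "image/jpeg", "image/gif"}

# Constructed sample: HR-themed mail, no link in the body, PDF attached.
SAMPLE = """\
From: hr@example.com
To: alice@example.com
Subject: Updated vacation schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please scan the QR code in the attached document to review the schedule.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def triage(raw):
    """Report what a text-only URL scanner sees and which parts it skips."""
    msg = message_from_string(raw, policy=policy.default)
    urls, carriers, lure = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not part.is_attachment():
            text = part.get_content()
            urls += URL_RE.findall(text)
            lure = lure or bool(LURE_RE.search(text))
        elif ctype in CARRIERS:
            carriers.append((ctype, part.get_filename() or "inline"))
    # Route to image/QR analysis when a carrier is present and the text
    # either asks the reader to scan something or offers no link at all.
    return {"urls": urls, "carriers": carriers, "scan_lure": lure,
            "needs_image_analysis": bool(carriers) and (lure or not urls)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The routine only decides which messages to hand to a QR decoder or sandbox; decoding the image itself is left to whatever engine the gateway provides.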
Common QR Code Phishing Scenarios Seen in 2025
Kaspersky researchers observed QR codes being used in both mass phishing campaigns and highly targeted attacks. The most common lures include:
- Fake login pages impersonating Microsoft accounts or internal corporate portals, designed to steal usernames and passwords.
- HR-themed emails, urging employees to review documents such as vacation schedules, policy updates, or even lists of terminated staff.
- Fraudulent invoices and purchase confirmations, often delivered as PDFs and paired with phone numbers for “support,” blending phishing with vishing (voice phishing).
These attacks prey on routine business workflows, making them harder for busy employees to spot, especially when scanning a QR code feels faster and more convenient than clicking a suspicious link.
The Bigger Risk for Organizations
Once credentials are stolen, attackers can move quickly, accessing cloud services, internal systems, and sensitive data. In many cases, QR code phishing is just the first step toward account takeover, data breaches, ransomware deployment, or financial fraud.
“Malicious QR codes have evolved into one of the most effective phishing tools, particularly when hidden in PDF attachments or disguised as legitimate business communications like HR updates,” said Roman Dedenok, Anti-Spam Expert at Kaspersky. “The explosive growth in November 2025 highlights how attackers are capitalising on this low-cost evasion technique to target employees on mobile devices, where protection is often minimal.”
This trend reinforces a point frequently highlighted in previous analysis: modern phishing is no longer about sloppy emails; it is about subtle manipulation, timing, and exploiting trust.
MEA Perspective: Why This Matters in the Middle East & Africa
While QR code phishing is a global issue, organizations across the Middle East and Africa face specific exposure risks:
- Rapid adoption of mobile-first work environments
- Heavy reliance on email and PDF-based approvals
- Growing use of QR codes in payments, logistics, and government services
- Uneven deployment of advanced email and mobile security controls
For businesses and public-sector entities in the MEA region, QR-based phishing represents a convergence of digital transformation and human risk, an area where awareness and training are often underestimated.
What Security Teams Should Do Now: 10 Practical Actions
To reduce exposure to QR code phishing attacks, security leaders should act immediately:
- Update email security gateways to include image and QR code analysis.
- Block or sandbox PDF attachments containing embedded QR codes by default.
- Extend security controls to mobile devices, including MDM and mobile threat defense.
- Train employees to treat QR codes with the same suspicion as unknown links.
- Run phishing simulations that include QR code-based scenarios.
- Disable automatic QR scanning in corporate apps where possible.
- Monitor cloud identity logs for unusual login activity after phishing campaigns.
- Implement conditional access policies for mobile logins.
- Encourage manual URL checks instead of scanning codes from emails.
- Invest in cybersecurity awareness programs through platforms, focusing on modern social engineering techniques.
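For the identity-log monitoring action above, one way to correlate flagged deliveries with later sign-ins is sketched below. This is an added example, not part of the Kaspersky report: the log records, field layout and 24-hour window are constructed assumptions, not a vendor schema. It reports successful sign-ins that follow a QR-bearing email and come from an IP and device the account had not used before.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed watch period after delivery

# Constructed sample data; field names are illustrative, not a vendor schema.
FLAGGED_MAIL = [  # messages the gateway flagged as carrying a QR code
    {"rcpt": "alice@example.com", "delivered": "2025-11-12T09:02:00"},
    {"rcpt": "bob@example.com", "delivered": "2025-11-12T09:03:00"},
]
SIGNINS = [  # (user, time, source IP, device label, success)
    ("alice@example.com", "2025-11-10T08:00:00", "198.51.100.10", "LAPTOP-A1", True),
    ("alice@example.com", "2025-11-12T09:20:00", "203.0.113.77", "android-unmanaged", True),
    ("bob@example.com", "2025-11-11T08:00:00", "198.51.100.11", "LAPTOP-B2", True),
    ("bob@example.com", "2025-11-12T10:00:00", "198.51.100.11", "LAPTOP-B2", True),
    ("bob@example.com", "2025-11-12T10:05:00", "203.0.113.90", "android-unmanaged", False),
]

def suspicious_signins(flagged, signins, window=WINDOW):
    """Successful sign-ins inside `window` after a flagged delivery whose IP
    and device were both unseen for that user before the delivery."""
    ts = datetime.fromisoformat
    alerts = []
    for mail in flagged:
        user, t0 = mail["rcpt"], ts(mail["delivered"])
        mine = [s for s in signins if s[0] == user and s[4]]
        # Baseline = what the account used before the mail arrived. A user
        # with no history has an empty baseline, so every sign-in is reported.
        known_ips = {s[2] for s in mine if ts(s[1]) < t0}
        known_devs = {s[3] for s in mine if ts(s[1]) < t0}
        for _, when, ip, dev, _ok in mine:
            t = ts(when)
            if t0 <= t <= t0 + window and ip not in known_ips and dev not in known_devs:
                alerts.append({"user": user, "time": when, "ip": ip, "device": dev,
                               "minutes_after_mail": int((t - t0).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_signins(FLAGGED_MAIL, SIGNINS):
        print(alert)
```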
The Road Ahead
QR codes were designed for convenience, and attackers are abusing that trust at scale.
The sharp rise in QR code phishing detected by Kaspersky is a clear warning: phishing is evolving faster than many defenses. As attackers increasingly target mobile devices and visual blind spots in security tools, organizations must rethink how they protect users, not just systems.
Cybersecurity in 2026 will depend as much on human awareness and behavior as it does on technology.
Conclusion
Kaspersky’s latest findings confirm that QR code phishing is no longer a niche tactic; it is a mainstream attack vector with real-world consequences. With detections surging fivefold in late 2025, organizations worldwide must adapt quickly by strengthening email security, securing mobile devices, and investing in continuous cybersecurity awareness. Ignoring QR code threats today could mean dealing with account compromises and breaches tomorrow.




