Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Swaraj Tandel, Jiya Chordiya, Pratidnya S. Hegde Patil
DOI Link: https://doi.org/10.22214/ijraset.2025.68660
Quick Response (QR) codes have become ubiquitous in modern digital interactions, facilitating seamless transactions, authentication, and information sharing. However, their widespread adoption has introduced a new cybersecurity threat: Quishing (QR code phishing), in which attackers exploit QR codes to deceive users into scanning malicious payloads or visiting fraudulent websites. Unlike traditional phishing, Quishing bypasses conventional defences by leveraging the inherent opacity of QR codes, automated scanning behaviours, and weak API security in QR-driven workflows. This paper investigates the technical and psychological mechanisms behind Quishing, analysing attack vectors such as URL obfuscation, session hijacking, and physical QR tampering in public spaces. Additionally, it evaluates human vulnerabilities, including environmental trust bias and habitual scanning tendencies, which contribute to high victimization rates. To counter these threats, we propose a multi-layered defence framework incorporating cryptographic QR authentication, API security hardening, intelligent scanning platforms, and user awareness initiatives. Emerging technologies like blockchain verification, AI-driven anomaly detection, and federated threat intelligence are also explored as future-proof solutions. Our findings highlight the urgent need for standardized security protocols, behavioural interventions, and adaptive defences to mitigate Quishing risks in an increasingly QR-dependent digital ecosystem.
QR codes, initially developed for tracking automobile parts, have become widely used in mobile payments, event tickets, authentication, and menus, especially accelerated by the COVID-19 pandemic's demand for contactless interactions. However, their visual simplicity and unreadability without a scanner have opened a new phishing vector called Quishing. This attack exploits users' inability to verify QR content before scanning, allowing attackers to embed malicious URLs, payloads, or session tokens.
Key technical issues enabling Quishing include:
URL Obfuscation – QR codes hide the actual URL, often using redirects or shortened links that evade detection.
Security Bypass – QR interactions typically occur outside secure browser or email contexts, weakening defenses.
API Exploitation – Many QR-based systems rely on poorly secured APIs without proper validation or authentication.
Quishing attacks leverage users’ trust and lack of verification habits—71% of users cannot distinguish between legitimate and malicious QR codes. Malicious QR codes can be placed in public spaces or used to hijack QR login sessions (e.g., WhatsApp Web), allowing attackers to steal session tokens without needing usernames or passwords.
The technical foundation includes the QR code’s data encoding and error correction mechanisms, which attackers exploit to embed harmful content while maintaining a seemingly valid code. The lack of source validation and automatic execution of embedded actions further exacerbate risks.
Attack techniques include multi-stage payload delivery tailored to the victim’s device, use of URL redirect chains to hide malicious sites, and exploitation of backend APIs triggered by QR scans—often lacking input sanitization and authentication. This makes QR code-driven systems vulnerable to session hijacking, unauthorized actions, and data theft.
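The redirect-chain inspection a scanning platform would run on a decoded QR URL before opening it, written as an added example that is not code from the paper: it follows each hop, flags shorteners, unencrypted hops, over-long chains and a final host that differs from the one the user saw. The redirect table, shortener list and hop limit are constructed stand-ins for live HEAD requests and a real blocklist.

```python
from urllib.parse import urlsplit
from typing import Callable, Optional

# Constructed sample of shortener hosts a scanner might flag; real lists are larger.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
MAX_HOPS = 5


def inspect_qr_url(url: str, fetch_location: Callable[[str], Optional[str]]) -> dict:
    """Follow the redirect chain behind a decoded QR URL and collect risk findings.
    fetch_location(url) returns the redirect target or None for a final page; it is
    injected so the check runs offline here and with real HEAD requests in a scanner."""
    chain = [url]
    findings = []
    while True:
        current = chain[-1]
        parts = urlsplit(current)
        if parts.scheme not in ("http", "https"):
            findings.append(f"non-web scheme '{parts.scheme}:' in chain")
            break
        if parts.scheme == "http":
            findings.append(f"unencrypted hop: {current}")
        if (parts.hostname or "") in SHORTENER_HOSTS:
            findings.append(f"URL shortener hides destination: {parts.hostname}")
        nxt = fetch_location(current)
        if nxt is None:
            break
        if len(chain) >= MAX_HOPS:
            findings.append(f"redirect chain longer than {MAX_HOPS} hops")
            break
        if nxt in chain:
            findings.append("redirect loop")
            break
        chain.append(nxt)
    first_host = urlsplit(chain[0]).hostname
    final_host = urlsplit(chain[-1]).hostname
    if final_host != first_host:
        findings.append(f"lands on different host: {first_host} -> {final_host}")
    return {"chain": chain, "final": chain[-1], "findings": findings}


# Constructed redirect table standing in for live HTTP responses.
DEMO_REDIRECTS = {
    "https://bit.ly/abc123": "https://link.example.net/r?x=1",
    "https://link.example.net/r?x=1": "http://account-verify.example.org/login",
}


def demo_lookup(u: str) -> Optional[str]:
    return DEMO_REDIRECTS.get(u)
```

A scanner would show the resolved final URL and the findings to the user, or block outright when a finding matches policy, instead of opening the first hop silently.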
The paper calls for a multi-layered defense strategy combining cryptographic QR signing, user education, and hardened API security to combat the rising threat of Quishing, which has surged by over 200% in recent months.
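The cryptographic QR signing the paper proposes, as an added example that is not the paper's own code: the issuer binds the destination and a short expiry under an HMAC, and the scanner rejects anything that fails the signature, has expired, or points outside an allow-list, so a sticker pasted over a genuine poster or a replayed login code is refused before the browser opens. The key, hosts and payload format are assumptions; where third-party scanners must verify, a public-key signature (e.g. Ed25519) replaces the shared key.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed demo key: a real issuer keeps it server-side, or uses a public-key
# signature (e.g. Ed25519) so third-party scanners can verify without the secret.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
ALLOWED_HOSTS = {"pay.example.com", "login.example.com"}  # constructed allowlist


def _mac(message: str) -> str:
    tag = hmac.new(ISSUER_KEY, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def sign_qr_payload(url: str, ttl_s: int = 120, now: Optional[float] = None) -> str:
    """Text the issuer encodes into the QR: url|expiry|signature.
    The short expiry bounds how long a copied or relocated code stays usable."""
    exp = int((time.time() if now is None else now) + ttl_s)
    body = f"{url}|{exp}"
    return f"{body}|{_mac(body)}"


def verify_qr_payload(payload: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Scanner-side check; returns (accepted, reason). Any failure is a reject,
    so an unsigned code from a tampered poster never reaches the browser."""
    parts = payload.rsplit("|", 2)
    if len(parts) != 3:
        return False, "unsigned or malformed payload"
    url, exp_text, sig = parts
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(_mac(f"{url}|{exp_text}"), sig):
        return False, "signature mismatch (tampered or forged)"
    if not exp_text.isdigit():
        return False, "bad expiry"
    if (time.time() if now is None else now) > int(exp_text):
        return False, "expired"
    target = urlsplit(url)
    host = target.hostname or ""
    if target.scheme != "https" or host not in ALLOWED_HOSTS:
        return False, f"destination not allow-listed: {host!r}"
    return True, "ok"
```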
The growing adoption of QR codes as a payment, authentication, and frictionless digital transaction mechanism has generated a corresponding, multifaceted cybersecurity risk: Quishing, or QR code phishing. This research explored the technical dynamics, human vulnerabilities, and evolving defense strategies in this threat. Our findings indicate that Quishing attacks persist not just because of structural vulnerabilities in QR codes and insecure API protection, but also because user behaviour prioritizes convenience and speed over safe interaction. Attackers use techniques such as URL obfuscation, redirect chains, and automated payload injection, often facilitated by tools like QRLJacker, to avoid conventional detection and hijack sessions with little friction. Beyond the technical plane, user behaviour remains the fundamental vulnerability. Cognitive shortcuts such as relying on familiar context and habitually scanning without validation contribute significantly to exposure. Surprisingly, fewer than 12% of users ever inspect a QR code's destination before scanning, evidence of a widespread lack of security awareness. Addressing this human factor is as important as fixing the technical issues. Promising mitigation technologies include cryptographically signed QR codes, hardened API infrastructure, and intelligent scanning tools that draw on real-time threat intelligence. In addition, emerging technologies such as blockchain-based verification, federated threat-sharing systems, and AI-powered anomaly detection are setting the stage for more adaptive and resilient defenses. Despite these advances, the attack surface continues to evolve. Future research will have to prioritize the development of standardized QR protocols, e.g., digitally signed and post-quantum secure codes, for authentication at the point of contact. Behavioural interventions, e.g., training programs and habit-based training, must be delivered at scale as well.
Further, integrating context-aware security layers with tiered levels of biometric verification, spatial computing and decentralized digital identities can add preemptive defence. For future studies, it is important to investigate how blockchain-based solutions for QR verification can be scaled across industries, and to test the effectiveness of AI-powered behavioural monitoring for real-time detection of dangerous scanning patterns. International standards for security in QR rollouts across consumer and enterprise networks will be paramount. Longitudinal research into the lasting effectiveness of education initiatives might also provide useful insight into durable behaviour modification. As QR codes become ever more integrated into daily life, a coordinated, multi-layered defence combining technological innovation, effective governance, and user engagement will be vital to countering Quishing and protecting the digital landscape from this fast-emerging social engineering threat.
Copyright © 2025 Swaraj Tandel, Jiya Chordiya, Pratidnya S. Hegde Patil. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET68660
Publish Date : 2025-04-10
ISSN : 2321-9653
Publisher Name : IJRASET