QR Phishing Attacks Surge 5X in H2 2025: Kaspersky

Kaspersky detected a more than fivefold increase in QR code phishing attacks, from 46,969 in August to 249,723 in November 2025, as cybercriminals exploit scannable codes to bypass traditional URL detection systems and email security measures. Attackers embed malicious QR codes directly in email bodies or, more commonly, within PDF attachments, directing users to phishing sites through mobile scans, where security protections often prove weaker than in desktop environments. This tactical evolution serves both mass phishing campaigns and precise operations mimicking legitimate business communications such as HR notifications and vendor invoices.

Attack Delivery Masks Malicious Destinations Effectively

QR codes effectively conceal links leading to fake Microsoft login pages, corporate portals, and sophisticated credential harvesting forms that evade standard email gateway filters lacking advanced image analysis capabilities.

PDF attachments frequently disguise these codes as routine HR notifications for vacation schedules, employee termination lists, or urgent document approvals, naturally prompting employees to scan on their personal or unsecured mobile devices. Fraudulent invoices often pair QR codes with coordinated vishing calls, urging victims to contact provided numbers for supposed transaction clarification or cancellation, creating multi-channel social engineering traps.

Phishing Tactics Exploit Routine Business Trust

Mass phishing campaigns deliver generic HR lures and invoice deceptions at scale, while targeted attacks impersonate internal systems to capture high-value executive credentials, session tokens, and multi-factor authentication codes. Routine business communications gain enhanced credibility through familiar visual QR elements integrated into legitimate-looking documents, ultimately leading to full account takeovers, lateral movement, and sensitive data exfiltration without triggering traditional perimeter alerts or antivirus signatures. Mobile scanning habits during hybrid work transitions amplify overall success rates as employees instinctively shift between desktop email verification and phone-based action workflows.

Detection Growth Signals Attacker Tactical Maturity

November’s explosive detection volume demonstrates attackers’ rapid refinement of these low-cost, high-impact evasion techniques that seamlessly combine visual deception with precise social engineering execution. Most enterprise email gateways remain vulnerable without dedicated QR code scanning, safe-link preview functionality, or behavioral analytics capable of flagging anomalous image interactions across diverse workforces.

Organizations processing high-volume vendor communications, HR workflows, and financial documents face particularly elevated exposure to these sophisticated image-based phishing vectors that exploit universal QR code familiarity.
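As an added illustration (not Kaspersky's tooling and not part of the original article), this Python example shows a gateway-side pre-filter that picks out the message parts worth handing to a QR decoder: inline images, and PDFs that carry an embedded image but no clickable link. The function names, the constructed sample message and the raw-byte PDF heuristic are assumptions; the QR decoding itself is left to a separate image-analysis step.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://", re.I)
PDF_IMAGE_RE = re.compile(rb"/Subtype\s*/Image")   # embedded raster image
PDF_URI_RE = re.compile(rb"/URI\s*\(")              # clickable link annotation


def qr_scan_candidates(raw: bytes) -> dict:
    """Select the message parts a gateway should pass to a QR decoder."""
    msg = message_from_bytes(raw, policy=policy.default)
    candidates, text_has_url = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not part.is_attachment():
            text_has_url |= bool(URL_RE.search(part.get_content()))
        elif ctype.startswith("image/"):
            candidates.append((part.get_filename() or "inline-image", "image"))
        elif ctype == "application/pdf":
            data = part.get_content()
            # Assumed heuristic: an image with no link annotation means any
            # destination is only in pixels. Compressed object streams are
            # not inspected here, so a miss does not prove the PDF is clean.
            if PDF_IMAGE_RE.search(data) and not PDF_URI_RE.search(data):
                candidates.append((part.get_filename() or "unnamed.pdf", "pdf-image-no-link"))
    # No URL in the text but an image carrier present: URL filters see nothing.
    return {"candidates": candidates,
            "image_only_lure": bool(candidates) and not text_has_url}


def build_sample(body: str, pdf: bytes) -> bytes:
    """Constructed test message: a text body plus one PDF attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Updated vacation schedule"
    msg["From"] = "hr@example.test"
    msg["To"] = "employee@example.test"
    msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="schedule.pdf")
    return msg.as_bytes()


# Constructed PDF fragments, just enough structure for the heuristic to match.
QR_STYLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image >>\nendobj\n%%EOF\n"
LINKED_PDF = QR_STYLE_PDF + b"2 0 obj\n<< /S /URI /URI (https://example.test/) >>\nendobj\n"

if __name__ == "__main__":
    print(qr_scan_candidates(build_sample("Scan the code in the attachment.", QR_STYLE_PDF)))
```
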
