QR Phishing: The Underestimated Threat to Financial Institutions

What Is QR Phishing?

QR phishing – also known as "quishing" – is an attack method in which cybercriminals embed malicious QR codes to direct users to fraudulent websites or distribute harmful content. Unlike traditional phishing links, which are easily detected by email security filters, QR codes typically bypass these protective measures unchallenged.

The attacker embeds a QR code in an email, document, or physical object. Anyone who scans the code lands on a convincingly realistic phishing page – without any classic link filters having intervened.

Alarming Numbers: The Rise of QR Phishing

QR phishing is not a new phenomenon, but its growth rate is alarming. Security researchers report increases in QR-based phishing attacks of up to 587% within a single year. The sectors most affected: financial institutions, insurers, and critical infrastructure.

Why now? QR codes have become ubiquitous in everyday life, and users instinctively scan them without applying the same caution they would to links in emails.

Anatomy of a QR Phishing Attack

Here is how a typical attack unfolds:

• Attackers create a convincingly realistic phishing page that imitates a bank's online banking portal or app login screen
• A QR code pointing to this page is embedded in a professionally designed email
• The email is sent to customers or employees of the target institution – often with an urgency message ("Your security verification is expiring")
• The victim scans the QR code with their smartphone, which is typically not protected by corporate security solutions
• On the phishing page, login credentials, TAN codes, or other sensitive data are harvested
• The stolen data is immediately used for fraudulent transactions

Why QR Phishing Is So Dangerous

• Bypasses Email Filters – URL-based filters do not detect the malicious link because it is encoded in the QR code and appears as an image in the email.
• Shifts to an Unsecured Device – Scanning happens on personal smartphones that are typically less well-protected than corporate devices.
• Low User Suspicion – QR codes are used trustingly in daily life; awareness of QR-based risks remains low.
• Scalability – Attackers can easily scale campaigns to thousands of targets without increasing technical effort.

Case Study: Campaign Against German Bank Customers (August 2024)

In August 2024, multiple QR phishing campaigns were observed targeting customers of German financial institutions. Attackers sent emails that convincingly replicated the corporate branding of well-known banks. The embedded QR code directed victims to phishing pages operated under lookalike domains.

Many customers blamed the affected banks for the attacks – even though the institutions had done nothing technically wrong. The reputational damage was significant and illustrates the importance of proactive domain monitoring: the phishing domains had in some cases been registered weeks before the attacks began.

Countermeasures for Financial Institutions

• QR Code Scanning Filters – Specialized email security solutions can now detect QR codes in emails and analyze the embedded link for threats.
• Customer Communication – Actively communicate that the bank will never ask customers to log in via an email QR code.
• Domain Monitoring – Detect lookalike domains that serve as the foundation for QR phishing pages early, and initiate takedown measures.
• Employee Awareness – Train staff to treat QR codes in professional emails with fundamental skepticism and verify through secure channels when in doubt.

Conclusion

QR phishing is a growing threat that deliberately circumvents existing security architectures. Financial institutions that already have mature email security in place are particularly at risk from this method, as they may be lulled into a false sense of security.

The combination of technical countermeasures, proactive domain monitoring, and targeted customer communication is the most effective protection. Organizations that identify lookalike domains early can eliminate the infrastructure of QR phishing attacks before they cause damage.