QR codes are getting colorful, fancy, and dangerous

QR codes have become a routine part of daily life, showing up on emails, posters, menus, invoices, and login screens. Security-savvy users have learned to treat links with caution, but QR codes still carry an assumption of safety. Researchers from Deakin University have examined how visually stylized QR codes are being used in quishing attacks.

Examples of custom-shaped QR codes

Their study introduces a detection method that evaluates QR codes based on their structure rather than the link they contain, with a focus on visually stylized designs that use colors, shapes, logos, and background images.

Design changes that weaken QR inspection

QR codes hide their destination until scanned. This design helps attackers bypass automated inspection and limits visibility for users until scanning occurs. Email gateways examine URLs in plain text. A QR code image avoids that inspection step.

Fancy QR codes further complicate detection. Their layouts no longer resemble the familiar black and white grid. Logos appear in the center. Modules become rounded, stretched, or recolored. Background images blend into the code. These design changes preserve scan success while disrupting visual and structural assumptions used by existing detection tools.

QR codes as a growing security concern

Recent industry reporting shows that 22% of reported QR code–related attacks were quishing. Attackers have also begun using LLMs to produce persuasive lure text that accompanies QR codes in emails and printed material.

QR code abuse has also triggered warnings from regulators and drawn attention from threat intelligence teams.

According to reporting by NordVPN, 73% of Americans scan QR codes without verifying the destination, and more than 26 million users have been redirected to malicious websites. In 2025, the U.S. Federal Trade Commission warned consumers that QR codes on unexpected packages should be treated as suspicious. New York City’s Department of Transportation issued a similar warning after discovering fraudulent QR codes placed on parking meters.

Threat actors have also adopted the technique. North Korean state-sponsored hackers linked to the Kimsuky group have embedded malicious QR codes in targeted spear-phishing emails. These campaigns redirect victims to fake login pages for services such as Microsoft 365, Okta, and VPN portals to harvest credentials and session tokens. Russian-linked threat actors have carried out related QR-based phishing campaigns targeting UK members of parliament and their staff.

Security researchers at Unit 42, Palo Alto Networks’ threat intelligence unit, report that QR-based attacks often rely on redirection chains and legitimate web services to evade email security controls, making detection more difficult when scanning occurs on mobile devices.

Stopping quishing before it goes anywhere

To tackle this problem, the researchers introduce ALFA, a safe-by-design approach aimed at reducing exposure to quishing attacks. Instead of allowing users to reach a potentially harmful destination after scanning, ALFA assesses a QR code at the point of scanning and flags suspicious designs before any payload is accessed.

The work also introduces FAST, a supporting method that helps correct visual distortions common in decorative QR codes, which improves the reliability of these early assessments.

The researchers validated the approach using a diverse set of fancy QR codes and demonstrated its practical relevance through a mobile application. Testing showed that the method can operate alongside existing QR readers rather than replacing them, supporting its use in everyday scanning scenarios.

Taken together, the results position ALFA as a timely response to quishing attacks that aligns with how QR codes are designed and used.