QR Phishing Statistics: 2024–2026

Last updated: March 2026 · By the susQR security team · All statistics sourced below

Quishing — phishing attacks delivered through QR codes — has become one of the fastest-growing cyber threats. This page collects sourced statistics on QR code phishing to help security teams, journalists, and researchers understand the current threat landscape.

Key statistics at a glance

Growth trajectory

QR code phishing was rare before 2023. The COVID-19 pandemic accelerated QR code adoption for contactless interactions — menus, payments, check-ins — and attackers followed.

• 2022: QR code phishing appears primarily in corporate email campaigns. FBI IC3 issues first public warning about QR code tampering.
• 2023: Check Point Research documents a 587% increase in QR-based phishing attacks compared to the prior year. Most attacks target corporate credentials via fake MFA enrollment pages.
• 2024: Industry reports indicate QR codes are used in approximately 22% of all phishing attacks, up from under 5% in 2022 (Abnormal Security, 2024). Physical QR code tampering in public spaces becomes widespread.
• 2025–2026: Quishing evolves to include multi-stage attacks: QR → redirect chain → fake login → real site redirect (to avoid suspicion). AI-generated phishing pages make fakes harder to distinguish.

Who is targeted

• Corporate employees: 67% of enterprise quishing targets Microsoft 365 and Google Workspace credentials (Cofense, 2024)
• Mobile users: 76% of quishing attacks are designed to exploit mobile devices, which have smaller URL previews and often auto-open links from QR codes
• Financial sector: Banking and payments are the most impersonated category in QR phishing, accounting for 34% of attacks
• Healthcare: Patient portal login pages are increasingly targeted, especially through QR codes in waiting rooms and appointment reminders

Attack vectors

Why QR phishing works

Several factors make QR codes an effective phishing vector:

1. No visible URL: Users can't preview the destination before scanning
2. Bypasses email security: URLs embedded in images evade traditional text-based scanners
3. Inherent trust: People associate QR codes with legitimate businesses
4. Mobile targeting: Phones show truncated URLs and have weaker phishing warnings than desktop browsers
5. Physical credibility: A QR code on a parking meter or official-looking sign appears trustworthy

Detection challenge

Traditional security tools struggle with QR-based phishing for specific technical reasons:

• Email security gateways scan text-based URLs but not URLs encoded in QR code images
• Mobile devices often lack enterprise security tools that would catch phishing on desktops
• QR codes can encode URLs that require multiple redirects, making the final destination hard to pre-screen
• Shortened URLs (bit.ly, t.co) further obscure the destination from users and security tools

Sources & references

• Check Point Research: "Quishing: QR Code Phishing" — 587% attack increase (2024)
• Abnormal Security: "QR Code Phishing Trends Report" — 22% of phishing uses QR codes (2024)
• Cofense Phishing Intelligence: Enterprise quishing targeting statistics (2024)
• FBI IC3 Public Service Announcement: "Cybercriminals Tampering with QR Codes" (2022)
• FTC Consumer Alert: "Scammers hide harmful links in QR codes" (2023)
• Statista: QR code scanning statistics in the United States (2024)

Note: Statistics are compiled from published research reports and public advisories. Individual statistics may vary by reporting methodology. Last verified March 2026.