Cyber security warning: Firms cautioned against malicious ‘QR codes’

ISLAMABAD: A global cyber security company Monday cautioned Pakistani companies that malicious “QR codes” have evolved into one of the most effective phishing tools, resulting in data breaches, financial frauds and account takeovers/credential theft.

According to a new report of the cyber security company issued on Monday, Kaspersky reported a spike in phishing emails containing malicious QR codes. Detections for these jumped from 46,969 in August to 249,723 in November – a more than fivefold growth – as cyber criminals increasingly exploit QR codes.

Attackers use QR codes in emails more frequently because they provide a simple and cost-effective way to conceal malicious URLs, evading detection by many protective solutions.These QR codes are often embedded directly in email bodies or, even more commonly, within PDF attachments – an evolution that both masks phishing links and encourages users to scan them on mobile phones, which may have weaker security than work PCs.

Malicious QR codes commonly appear in mass phishing campaigns as well as targeted ones. Links embedded within them may lead to phishing forms impersonating login pages for services like Microsoft accounts or internal corporate portals, designed to steal usernames, passwords, and other credentials. Fake HR notifications urging employees to review or sign documents, such as vacation schedules, or even view lists of terminated staff, ultimately directing to credential-stealing sites. Fraudulent invoices or purchase confirmations in PDF attachments, often combined with vishing (voice phishing) tactics that prompt victims to call provided phone numbers to ‘cancel’ or clarify the transaction, enabling further social engineering attacks.

These tactics exploit trust in routine business communications, leading to credential theft, account takeovers, data breaches, and financial fraud, the report added.

Copyright Business Recorder, 2026