Kaspersky has reported a sharp rise in phishing emails containing malicious QR codes, with detections climbing from 46,969 in August to 249,723 in November 2025. The more than fivefold increase highlights how cybercriminals are exploiting QR codes as a low-cost way to conceal malicious links and bypass traditional security filters.
The company noted that attackers are embedding QR codes directly into email bodies or, more often, within PDF attachments. This tactic masks phishing URLs and encourages recipients to scan them on mobile devices, which typically have weaker protections than workplace computers.
According to Kaspersky, malicious QR codes are being used in both mass and targeted phishing campaigns. Links hidden within them often lead to fake login pages impersonating Microsoft accounts or corporate portals, designed to steal usernames, passwords, and other credentials. Some campaigns disguise themselves as HR notifications, such as vacation schedules or staff updates, while others use fraudulent invoices or purchase confirmations. In certain cases, attackers combine these with voice phishing calls, urging victims to dial phone numbers to “cancel” or verify transactions, enabling further social engineering.
These methods exploit trust in routine business communications, leading to risks of credential theft, account takeovers, data breaches, and financial fraud. Roman Dedenok, Anti-Spam Expert at Kaspersky, said malicious QR codes have become one of the most effective phishing tools of the year, particularly when hidden in PDF attachments or disguised as legitimate updates. He warned that without advanced image analysis at email gateways and safe scanning practices, organizations remain vulnerable to credential compromise and downstream breaches.
To counter the threat, Kaspersky recommends deploying mail server security solutions capable of detecting spam, phishing, business email compromise, and QR code-based attacks, alongside broader measures to secure corporate email exchanges.
