26M+ Scammed By Fake QR Codes: NordVPN

Crowdfund Insider, Jan 25, 2026

Why It Matters

QR‑phishing expands the attack surface beyond email, exposing millions of consumers to credential theft and malware, and forces businesses to rethink physical‑digital security strategies.

Key Takeaways

  • Over 26 million users exposed to malicious QR codes
  • Scammers use brushing packages to distribute fake QR codes
  • QR phishing accounts for 26 % of malicious links
  • 73 % of Americans scan QR codes without verification
  • Preview links and use VPNs to mitigate QR threats

Pulse Analysis

The ubiquity of QR codes in retail, hospitality and contact‑less payments has turned a convenient tool into a new phishing vector. NordVPN’s latest study shows that more than 26 million individuals may have inadvertently visited malicious sites after scanning counterfeit codes, and that QR phishing accounts for roughly a quarter of all malicious links observed in 2025. Unlike traditional email phishing, QR‑phishing exploits the physical world, leveraging the trust users place in printed symbols and bypassing many of the visual cues that warn of digital scams.

At the heart of this surge is the “brushing” scam, where unsuspecting recipients receive unsolicited packages containing a note and a QR code purportedly linked to a gift or shipment status. When scanned, the code redirects victims to phishing pages that harvest credentials or drop malware onto smartphones. The tactic’s effectiveness is amplified by a staggering 73 % of Americans who admit to scanning QR codes without verification, mirroring the early days of email phishing when users were less skeptical of unknown links. As QR‑phishing, also dubbed “quishing,” gains parity with email attacks, security teams must broaden threat models to include physical‑digital hybrid vectors.

Mitigation hinges on user education and layered security controls. Experts recommend confirming the source of any QR code, using smartphone features that preview URLs before opening, and keeping mobile security software current. Deploying a VPN adds an extra layer by encrypting traffic and, where the service includes domain filtering, blocking known malicious domains. Enterprises should incorporate QR‑code hygiene into employee training and consider digital watermarking or dynamic QR solutions that can be invalidated if compromised. As QR codes continue to proliferate in contactless ecosystems, proactive defenses will be essential to curb the next wave of credential theft and data breaches.
