According to the latest research, scammers seem to be getting more creative, and this trend appears to be changing as QR codes gain more popularity now among scammers.

Recent research from cybersecurity company NordVPN reveals that more than 26 million people could have unknowingly been lured into malicious websites through fake QR codes. Scammers deploy these deceptive codes through a scam technique known as “brushing,” where people receive unexpected packages from unknown senders.

“QR codes have become a silent gateway for cyber‑criminals. Unlike traditional phishing emails where we’ve learned to spot red flags, a physical QR code feels inherently trustworthy,” said Marijus Briedis, chief technology officer at NordVPN. “Treat every unexpected QR code with the same suspicion you would treat a link from an unknown sender in your inbox.”

A brushing scam unfolds when an anonymous package arrives with a cryptic note encouraging the recipient to scan a QR code to verify the gift or find out where it’s coming from. The message might seem harmless, but it’s actually a trap. Cybersecurity experts at KeepNet Labs warn that QR codes now carry over 26 % of malicious links, and quishing (another name for “QR code phishing”) may soon be as prominent as email phishing.

When victims scan these QR codes, they might open phishing websites designed to steal personal information, download malware onto devices, or capture login credentials. Even more alarming, 73 % of Americans admit to scanning QR codes without verifying their legitimacy, which makes these brushing scams increasingly effective.

This relatively new attack method transforms seemingly innocent QR codes into traps set to catch people off guard, turning what appears to be a simple marketing trick into a personal data theft.

Protecting yourself from fake QR codes

Briedis shared essential tips to help people protect themselves from brushing scams and malicious QR codes:

1. Verify the source – Before you scan a QR code, make sure you know where it came from. Is it from a business you trust or someone you don’t recognize? If you’re unsure, don’t scan it. Reach out to the sender through their official contact information.

2. Preview the link – Most smartphones let you see a link to a website before you open it. Take advantage of this feature. If the link looks odd or isn’t what you expected, don’t continue.

3. Keep security software up to date – Ensure your phone’s security software is always current. Use a VPN when browsing the internet. These steps help protect you from dangerous websites and data theft, even if you accidentally open a harmful site.

4. Educate friends and family – Share these tips, especially with anyone who isn’t very comfortable with technology. Scammers often go after people who don’t know about these tricks.