Why You Shouldn’t Scan Every QR Code: The Hidden Dangers of Credential Harvesting
QR codes are everywhere — on restaurant menus, flyers, posters, business cards, and even public restrooms. They’re convenient and easy to use. Just point your phone, scan, and go. But that convenience comes with a serious downside: they’re also a goldmine for cybercriminals.
In this post, we’ll break down why blindly scanning QR codes is risky, how attackers use tools like Evilginx to steal your login credentials, and what you can do to stay safe.
QR Codes: A Purrrrfect Phishing Tool
QR codes themselves are just text wrapped in a picture. Most of them encode a URL, but they can also carry Wi-Fi credentials, phone numbers, or app links. That is the problem. With a regular link on a desktop you can hover and inspect the destination; a printed QR code gives no visual clue about where it leads. You scan it, and your browser opens a webpage. Simple, and dangerous.
Attackers can easily:
- Replace legitimate QR codes with malicious ones.
- Print fake codes on posters or stickers and slap them over real ones.
- Embed QR codes as images in phishing emails, so filters that look for suspicious links in the message text never see the URL.
The Evilginx Threat: Phishing, But Smarter
Let’s talk about Evilginx, one of the most sophisticated tools for phishing attacks.
What is Evilginx?
Evilginx is a man-in-the-middle (MITM) phishing tool that sits between you and a real website such as Google, Microsoft, or Facebook as a reverse proxy. Every page you see is fetched live from the genuine site, so the login form, the branding, and even the 2FA prompt are real. While it relays your traffic, Evilginx silently records:
- Your username and password
- Your session cookies
Those session cookies are especially dangerous. You complete 2FA yourself, on the real site, through the proxy; the site then issues a logged-in session cookie, and that is what Evilginx captures. The attacker loads that cookie into their own browser and is you, with no password prompt and no second 2FA challenge.
How it works with QR codes:
- You scan a QR code.
- It opens a link to an Evilginx-powered phishing site.
- The page looks identical to the legitimate login portal, because it is the legitimate portal, relayed through the attacker's domain.
- You log in, thinking it’s safe.
- The attacker now has everything they need to hijack your account.
Real-World Scenarios
- A fake parking meter QR code leads you to a malicious payment page.
- A QR code on a restaurant table asks you to “log in with Google to view the menu.”
- A phishing email with a QR code pretending to be from your company’s IT department, asking you to “verify your login.”
In all these cases, a quick scan could cost you access to your email, bank, or work systems.
How to Protect Yourself
Think Before You Scan
- Don’t scan random QR codes in public places or from sources you don’t trust. Is it a sticker? Does it make sense for a code to be where it is?
- Inspect printed codes for signs of tampering (like stickers over original ones).
- Avoid scanning QR codes from unsolicited emails or messages.
Check the URL
- After scanning, read the URL your scanner previews before tapping “Open”. If it is a shortened link, you cannot see the destination at all.
- Watch for typosquatting (like go0gle.com instead of google.com) and look-alike characters.
- Look at the part of the hostname just before the first “/”: microsoft.com.verify-login.net is not Microsoft, it is verify-login.net using a brand name as a subdomain.
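The checks above, as an added example in Python (not a tool from this post): a function that takes the text a scanner decoded from a QR code and lists red flags before you open it. The allowlist, brand words, shortener list and the two-label “registered domain” rule are assumptions chosen for illustration; a real deployment would use a public-suffix list and an organisation-specific allowlist.

```python
"""Inspect the text decoded from a QR code before opening it.

Added example for this post, not tooling from the original article. The allowlist,
brand tokens, shortener list and registered-domain rule are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of registered domains the reader trusts.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "microsoftonline.com", "github.com"}
# Brand words that should only ever appear inside a trusted registered domain.
BRAND_TOKENS = ("google", "microsoft", "office365", "okta", "paypal")
# Common shorteners: the QR payload then says nothing about the final destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly"}
# Crude look-alike normalisation for typosquat detection (go0gle -> google, rnicrosoft -> microsoft).
CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalise(label: str) -> str:
    return label.lower().replace("rn", "m").replace("vv", "w").translate(CHAR_MAP)


def registered_domain(host: str) -> str:
    """Last two labels as a rough registered domain (no public-suffix list, by assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_qr_payload(payload: str) -> list[str]:
    """Return red flags for a decoded QR payload. An empty list means nothing obvious
    was found, which is not the same as safe."""
    findings = []
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    if scheme not in ("http", "https"):
        # wifi:, tel:, sms:, mailto:, market: ... all do something other than open a web page
        return [f"non-web payload ({scheme or 'no scheme'}): check what the scanner will do with it"]
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme == "http":
        findings.append("plain http: anything you type is sent unencrypted")
    if "@" in parts.netloc:
        findings.append("userinfo before '@': the real host is what follows the '@'")
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address {host} instead of a domain name")
        return findings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible IDN homograph of a familiar domain")
    reg = registered_domain(host)
    if reg in SHORTENERS:
        findings.append(f"link shortener {reg}: final destination is hidden")
        return findings
    if reg in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if reg != trusted and normalise(reg) == normalise(trusted):
            findings.append(f"typosquat: {reg} looks like {trusted}")
    for token in BRAND_TOKENS:
        if token in host:  # brand used as a subdomain or label of an untrusted registered domain
            findings.append(f"brand '{token}' used on untrusted domain {reg}")
            break
    findings.append(f"registered domain {reg} is not on the allowlist")
    return findings


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin", "https://go0gle.com/login",
                   "http://microsoft.com.verify-login.net/reset", "https://bit.ly/3abcXYZ",
                   "WIFI:T:WPA;S:cafe;P:hunter2;;"):
        print(sample, "->", inspect_qr_payload(sample) or ["no obvious red flags"])
```

The allowlist check is deliberately last: a domain that is merely unknown is reported as unknown, while a domain that imitates a trusted one is called out as a typosquat or brand decoy first.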
Enable 2FA, But Make It Phishing-Resistant
- A code you type is a code the proxy can relay. SMS codes and authenticator-app codes both go through the Evilginx page to the real site unchanged, the login succeeds, and the session cookie is stolen anyway. SMS is the weakest of the two because it can also be intercepted outright (for example by SIM swapping), but neither stops this attack.
- Security keys such as a YubiKey, and passkeys in general (FIDO2/WebAuthn), do stop it. The browser only releases the credential to the domain it was registered for, and the signed response names the origin the user is actually on, so a proxy on another domain gets nothing the real site will accept.
Use Security Tools
- Mobile browsers or QR code scanner apps that preview links before opening them.
- Use endpoint protection or mobile security tools that flag malicious URLs.
For Organizations
- Educate users about the risks of QR codes.
- Implement conditional access and device trust policies: require a managed or compliant device for sign-in and tie sessions to the device, so a cookie replayed from an attacker's machine fails the check.
- Monitor for Evilginx-style traffic patterns: many different users signing in from the same IP address (the real site sees the proxy, not the victims), a session cookie used from a different IP and user agent than the one that completed MFA, and sign-ins from hosting or VPS ranges your users never use.
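The two monitoring signals just described, as an added example in Python run over constructed sign-in logs (this is not a rule set from the post or from any vendor product). The log shape, addresses, user agents and thresholds are assumptions; the known_egress parameter stands in for your own list of corporate NAT or VPN addresses, which produce the same “many users, one IP” pattern legitimately.

```python
"""Two detections for Evilginx-style (adversary-in-the-middle) sign-ins.

Added example for this post. Log format, IPs, user agents and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (one JSON object per line), deliberately out of order.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","event":"signin","user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari","session":"sess-a1","mfa":"satisfied"}
{"ts":"2024-05-01T09:02:10Z","event":"signin","user":"bob","ip":"203.0.113.10","ua":"Mozilla/5.0 (Linux; Android 14) Chrome","session":"sess-b1","mfa":"satisfied"}
{"ts":"2024-05-01T09:04:30Z","event":"mailbox_access","user":"alice","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome","session":"sess-a1"}
{"ts":"2024-05-01T09:05:00Z","event":"signin","user":"carol","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge","session":"sess-c1","mfa":"satisfied"}
{"ts":"2024-05-01T09:20:00Z","event":"mailbox_access","user":"dave","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari","session":"sess-d1"}
{"ts":"2024-05-01T08:50:00Z","event":"signin","user":"dave","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari","session":"sess-d1","mfa":"satisfied"}
"""


def parse(log_text: str) -> list[dict]:
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events: list[dict]) -> list[dict]:
    """A session minted after MFA on one device, then used from a different IP *and* a different
    user agent: the attacker imported the stolen cookie into their own browser."""
    alerts = []
    signins = {e["session"]: e for e in events if e["event"] == "signin"}
    for e in events:
        if e["event"] == "signin":
            continue
        origin = signins.get(e["session"])
        if origin is None:
            continue
        if e["ip"] != origin["ip"] and e["ua"] != origin["ua"]:
            alerts.append({"rule": "session_replay", "user": e["user"], "session": e["session"],
                           "issued_from": origin["ip"], "used_from": e["ip"],
                           "minutes_after_mfa": round((e["ts"] - origin["ts"]).total_seconds() / 60, 1)})
    return alerts


def detect_shared_signin_source(events: list[dict], window_minutes: int = 15, min_users: int = 3,
                                known_egress: frozenset = frozenset()) -> list[dict]:
    """Several distinct users completing sign-in from one IP in a short window. With a reverse
    proxy the real site sees the proxy's address for every victim. Assumed corporate NAT/VPN
    egress addresses go in known_egress to suppress the legitimate version of the pattern."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and e["ip"] not in known_egress:
            by_ip[e["ip"]].append(e)
    for ip, signins in by_ip.items():
        for i, first in enumerate(signins):
            window = [s for s in signins[i:] if s["ts"] - first["ts"] <= timedelta(minutes=window_minutes)]
            users = {s["user"] for s in window}
            if len(users) >= min_users:
                alerts.append({"rule": "shared_signin_source", "ip": ip, "users": sorted(users),
                               "window_start": first["ts"].isoformat()})
                break  # one alert per IP is enough
    return alerts


def run(log_text: str = SAMPLE_LOG, known_egress: frozenset = frozenset()) -> list[dict]:
    events = parse(log_text)
    return detect_session_reuse(events) + detect_shared_signin_source(events, known_egress=known_egress)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, alice’s session is flagged because it was used from a new address and a new browser four and a half minutes after she satisfied MFA, and 203.0.113.10 is flagged because three different users signed in through it within five minutes; dave, who changed nothing, is not flagged. Passing that address in known_egress removes the second alert, which is the right outcome if it turns out to be your office NAT.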
The rule of thumb: if you wouldn’t click a sketchy link, don’t scan a sketchy QR code.
