October 20, 2025, 3:27 pm
Criminals are increasingly using manipulated QR codes to direct users to fraudulent or infected websites. Since QR codes do not reveal their destination at first glance, they are ideal for spreading malware or stealing personal data. The perpetrators often combine several tricks to bypass security systems and reach as many victims as possible.
According to “Barracuda,” such attacks are particularly dangerous because they are hard to detect. The QR codes usually appear completely normal and can show up in emails, on posters, or on websites. Users should therefore remain vigilant and only scan QR codes when the source is clearly trustworthy.
How Fraudsters Manipulate QR Codes
A common method involves cutting a QR code into two separate parts and then placing the halves side by side—for example, in an email or on a fake website. On their own, both images look harmless, but when combined, they lead to a malicious site when scanned. Security programs usually do not recognize the individual parts as a threat because they are not functional in isolation.
Also common are nested QR codes, where multiple codes are layered on top of each other. Depending on the scanning distance, a different code is read—from afar, possibly a harmless one, but up close, a dangerous one that leads to malware or phishing sites.
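For mail filters, the split-code trick described above suggests checking images as a pair rather than one at a time. The following is an added example, not code from the article or from Barracuda: it flags adjacent, individually non-square images in an HTML email that together form a square, so the pair can be rendered as one image and passed to a QR decoder. The function names, the 10% tolerance, the list of break tags and the reliance on width/height attributes are assumptions of this sketch.

```python
from html.parser import HTMLParser

BREAKS = {"br", "p", "div", "tr", "table", "li", "hr"}  # assumed: tags that end a side-by-side run
TOLERANCE = 0.10  # assumed: pair may deviate from a square by 10% of its height

def _px(value):
    """Parse a width/height attribute such as '120' or '120px'; None if unusable."""
    text = (value or "").strip().lower().replace("px", "")
    return int(text) if text.isdigit() else None

class _ImageRuns(HTMLParser):
    """Group <img> tags into runs that render next to each other."""
    def __init__(self):
        super().__init__()
        self.runs = [[]]
    def _break(self):
        if self.runs[-1]:
            self.runs.append([])
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            self.runs[-1].append((a.get("src", ""), _px(a.get("width")), _px(a.get("height"))))
        elif tag in BREAKS:
            self._break()
    def handle_endtag(self, tag):
        if tag in BREAKS:
            self._break()
    def handle_data(self, data):
        if data.strip():  # visible text between two images separates them
            self._break()

def find_split_candidates(html):
    """Return (left_src, right_src) for adjacent non-square images that together form a square."""
    parser = _ImageRuns()
    parser.feed(html)
    hits = []
    for run in parser.runs:
        for (s1, w1, h1), (s2, w2, h2) in zip(run, run[1:]):
            if None in (w1, h1, w2, h2) or h1 != h2 or w1 >= h1 or w2 >= h1:
                continue  # missing sizes, unequal heights, or a part that is not a narrow slice
            if abs(w1 + w2 - h1) <= TOLERANCE * h1:
                hits.append((s1, s2))
    return hits

# Constructed sample body: two half-width images, then an ordinary banner pair.
SAMPLE = (
    '<div><img src="cid:part1" width="120" height="240"> <img src="cid:part2" width="120px" height="240px"></div>'
    '<div><img src="cid:ad-a" width="300" height="100"><img src="cid:ad-b" width="300" height="100"></div>'
)
```

Senders can omit the size attributes, so a production filter would measure the decoded images themselves instead of trusting the markup.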
Tips for Safely Handling QR Codes
The police advisory service warns against this so-called “quishing,” short for QR code phishing. To protect yourself, only scan QR codes in situations where their use makes sense. In emails or messages, they are generally suspicious, as a regular link is often safer and more transparent. QR codes in public places should also be treated with caution, as they can easily be covered or replaced.
Additionally, a security app on your smartphone is recommended to automatically block suspicious websites. Users should also always check if the displayed URL is plausible before entering personal data or downloading something. A healthy dose of skepticism can prevent significant harm.