QR Code Phishing Surge
Email-based threats shifted significantly in the first quarter of 2026, with QR code phishing emerging as the most rapidly escalating attack method. Microsoft's Threat Intelligence and Defender Security Research teams identified 8.3 billion email-based phishing threats during this period. QR code phishing more than doubled in volume over the quarter: attack volumes rose from 7.6 million in January to 18.7 million in March, a 146% increase. Volumes surged in February and March following a dip in January, and by the quarter's end QR code phishing had reached its highest monthly volume in at least a year. These malicious QR codes encode fraudulent web links and are distributed within email bodies or as attachments, aiming to ensnare unsuspecting users.
Evolving Attack Vectors
Beyond the rise of QR code phishing, attackers are using a variety of methods to bypass security measures and harvest user credentials. Link-based email threats accounted for 78% of attacks in January, while malicious payloads made up 19%, though these shares shifted throughout the quarter. Another notable tactic is CAPTCHA-gated phishing, in which fake versions of human verification tests are used to conceal malicious content. By requiring users to complete these deceptive CAPTCHAs before reaching the actual payload, threat actors reduce the chances that automated security tools detect the threat, which increases the likelihood of successful credential theft or malware deployment. These attacks are delivered in various formats, including HTML attachments, SVG files, PDF documents, DOC/DOCX files, and direct email links, with attacker preferences for these formats fluctuating.
Deceptive Email Tactics
To successfully lure victims, cybercriminals are increasingly incorporating deceptive elements into their phishing emails, aiming to build trust and reduce suspicion. A common strategy involves the use of counterfeit confidentiality disclaimers, mirroring those frequently found at the conclusion of legitimate corporate communications. This tactic is designed to create a false sense of legitimacy, making the phishing email appear as a standard, professional message. Furthermore, reports indicate that in March, the U.S. Federal Bureau of Investigation (FBI) issued an advisory warning about ongoing phishing campaigns being orchestrated by cyber actors with ties to the Russian Intelligence Services (RIS). This highlights the high-stakes and sophisticated nature of current cyber threats, involving both technical ingenuity and state-sponsored elements.