Cybersecurity firm Kaspersky has reported a sharp rise in phishing emails that exploit malicious QR codes, with detections increasing more than fivefold between August and November 2025.

According to a statement from the firm on Thursday, the number of detected emails containing harmful QR codes jumped from 46,969 in August 2025 to 249,723 in November 2025.

Kaspersky said the trend reflects cybercriminals’ growing use of QR codes to hide malicious links, a technique that allows them to bypass many security solutions. It highlighted that the phishing codes are often embedded directly in email bodies but are more frequently found in PDF attachments. This method disguises the links and encourages recipients to scan them using mobile devices, which generally have weaker security than office computers.

Commenting on the trend, anti-spam expert at Kaspersky, Roman Dedenok, said, “Malicious QR codes have evolved into one of the most effective phishing tools, particularly when hidden in PDF attachments or disguised as legitimate business communications like HR updates.

“The explosive growth in November 2025 highlights how attackers are capitalising on this low-cost evasion technique to target employees on mobile devices, where protection is often minimal. Without advanced image analysis at the email gateway and safe scanning practices, organisations are left vulnerable to credential compromise and downstream breaches.”

Kaspersky added that malicious QR codes have become one of the most effective tools in phishing attacks, being commonly used in both broad campaigns and targeted attacks, often imitating legitimate business communications.

Highlighting the format of attacks, the cybersecurity firm said, “Phishing forms mimic login pages for services such as Microsoft accounts or corporate portals, designed to steal usernames, passwords, and other credentials. Fake human resource notifications prompt employees to review or sign documents, including vacation schedules or staff terminations, which lead to credential-stealing sites and fraudulent invoices or purchase confirmations in PDFs, sometimes combined with phone calls to encourage victims to “cancel” or clarify transactions, furthering social engineering attacks.”

Kaspersky advised that organisations educate staff on cybersecurity risks and implement strong email security measures to reduce vulnerability to QR code-based attacks.