A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source.  The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate. According to Sharjah Police, the willingness to scan unfamiliar QR codes shows how quickly people act without considering potential cyber risks.  Officers stressed that the problem lies less in technology and more in user behavior. “A single scan can expose sensitive information,” police explained, noting that malicious QR codes can redirect users to fraudulent websites, initiate spyware downloads, or facilitate unauthorized access to personal accounts. With QR codes now common in restaurants, retail outlets, and advertising, attackers increasingly rely on this familiarity to trick unsuspecting users. 

User Behavior Identified Behind Free WiFi Vulnerability 

Sharjah Police stated that cybercriminals often depend on user interaction rather than technical loopholes. The force reiterated a simple rule for digital safety: Before scanning, ask yourself, ‘Do I trust the source?’ If the answer is uncertain, police advise against proceeding.  Authorities added that awareness remains the first line of defense. As QR codes continue to be integrated into payment systems, online services, and day-to-day transactions, taking a moment to verify the legitimacy of a code can prevent digital harm.  Sharjah Police also confirmed that they will continue launching public awareness initiatives to educate residents about new cyber threats and to promote safer online habits throughout the emirate. 

A Quick Look at Global Trends 

While Sharjah’s experiment stressed the local behavioral risks, similar concerns are coming out internationally. Cyble Research & Intelligence Labs (CRIL) recently published findings on an ongoing global quishing campaign it has named “Scanception.”  According to CRIL, this campaign uses QR codes embedded in phishing emails and PDF attachments to deliver credential-harvesting links. The attack shifts the threat to personal mobile devices, often outside an organization’s security perimeter, after victims scan the code. CRIL reported over 600 unique phishing PDFs and related emails discovered in just three months, with nearly 80% registering zero detections on VirusTotal.  These PDFs often mimic enterprise workflows, such as HR documents. One example involved a fake employee handbook with four pages of professional content, ending with a prompt to scan a QR code. In another case, victims who scanned a code were ultimately funneled to a counterfeit Office 365 sign-in portal designed to steal credentials through Adversary-in-the-Middle (AITM) techniques.   CRIL noted additional evasive features, including the detection of automation tools like Selenium or Burp Suite and the use of redirected URLs from trusted platforms such as YouTube, Google, Bing, Cisco, and Medium.  Targeting has been observed across more than 50 countries, with notable activity in North America, EMEA, and APAC, and concentrated attacks on Technology, Healthcare, Manufacturing, and BFSI sectors spanning more than 70 industries. 

Strengthening Public and Organizational Awareness 

Both Sharjah Police and Cyble’s research arm, CRIL, point to the same overarching lesson: the human element remains the most targeted and most vulnerable point in modern cyberattacks. Whether through a simple fake free WiFi QR code placed in a public space or through global campaigns like Scanception, attackers continue to exploit trust, familiarity, and routine digital behavior to bypass traditional security controls.  The guidance from experts is consistent; individuals and organizations must stay vigilant, verify QR code sources, strengthen security awareness programs, and adopt tools capable of analyzing attachments, embedded QR codes, and new attack patterns. A  Cyble, recognized globally for its AI-powered threat intelligence capabilities, continues to support enterprises through real-time intelligence, autonomous analysis, and advanced detection technologies.  To understand how Cyble can enhance your organization’s visibility and resilience, you can schedule a free demo or explore its AI-native security capabilities. 

Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim’s device.

The packages are often shipped without sender information, only the QR code. This is a deliberate tactic of the cybercriminals who hope that the lack of information will encourage more people to scan the code.

These packages are a modern variant of brushing scams. In brushing scams, vendors send packages containing merchandise to unsuspecting recipients, and then use the recipient’s information to post positive reviews about their products or business.

The use of QR codes is the new element in this scam. Using QR codes in items sent in the post offers the criminals a few advantages. Firstly, people may not expect to end up with their device infected by something as non-technical as a physical letter. Secondly, QR codes are typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

As we reported in our “Tap. Swipe. Scam” mobile scam report, 66% of people have scanned a QR code to purchase something. With legitimate businesses employing the use of QR codes, it’s something people are becoming very used to doing.

What many people don’t realize, or remember too late, is that scanning a QR code without the proper safety measures is like clicking a link, with one caveat. With links, we can actually check where they are leading to before we click. However, with QR codes it’s impossible for most people to discern a malicious code from a legitimate one.

How to protect yourself from brushing scams

• If you receive a package you didn’t order and it contains a QR code, do not scan it. Scanning can lead you to fake websites designed to steal your personal or financial information, or even install malware on your device.
• Legitimate businesses almost always include a return address. Treat any mystery package without sender or return information with extra caution.
• If you end up on a site asking for personal or financial information after scanning a QR code, do not enter that information. In the hands of scammers it can be used to defraud you.
• Make sure your device is on the most up to date version. Cybercriminals will take advantage of recently discovered vulnerabilities that people are yet to update and protect themselves against.
• When scanning QR codes use an app that displays the URL before opening the link. This makes it easier to establish whether it’s safe to follow the link.
• Use up-to-date and active mobile protection, preferably one that includes web protection.
• Use two-factor authentication (2FA) wherever you can to make it harder for scammers to access your accounts if they do get hold of your login details.
• Secure your identity. If your information appears to have been used for a scam, consider freezing your credit, changing passwords, and monitoring bank and online accounts for suspicious activity. Or consider using Identity Theft Protection.
• Report any brushing scams to the FBI at ic3.gov. Be sure to include as much information as possible, such as the name of the person or company that contacted you; the methods of communication used, including websites, emails, and telephone numbers; and any applications you may have downloaded or provided permissions to on your device.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.