QR Code URL Security Report 2026: Threat Analysis from 5M+ Scans

QR code phishing — known as quishing — grew 400% between 2023 and 2025 according to Keepnet Labs. But how widespread is the threat in practice? We analyzed over 5 million QR code scans processed through QRLynx's automated security screening between December 2025 and April 2026 to find out.

Here are the headline numbers from our analysis:

1. ~85% of QR code destination URLs pass automated security screening — the vast majority of QR codes link to legitimate content. (Source: QRLynx Security Pipeline, 2026)
2. ~1 in 7 URLs are flagged for additional review before the QR code goes live — mostly due to newly registered domains. (Source: QRLynx)
3. Fewer than 1.5% of QR code URLs score Moderate risk or above — but that small percentage represents real phishing, malware, and brand impersonation attempts. (Source: QRLynx)
4. Newly registered domains account for 4.7% of all dynamic QR codes and are the #1 reason URLs get flagged. (Source: QRLynx)
5. March 2026 saw the highest flag rate at 26.4% — a sharp spike driven by increased platform adoption and a wave of new-domain submissions. (Source: QRLynx)
6. Blocked QR codes still receive an average of 3.3 scan attempts after deactivation, with one code receiving 45 attempts. (Source: QRLynx)
7. URL-type QR codes have a 12.6% flag rate while social media, WiFi, and bio page QR codes have a 0% flag rate. (Source: QRLynx)
8. Less than 1% of platform accounts exhibit suspicious creation patterns — automated abuse detection keeps the platform clean. (Source: QRLynx)

This report shares original data from QRLynx's production security pipeline — the first time a QR code generator has published URL threat analysis from its own platform. The data covers 1,039 dynamic QR codes created by 742 users across 28 QR code types.

Data source: QRLynx's automated multi-layer URL security screening pipeline, which analyzes every destination URL before a dynamic QR code is activated.

Time period: December 2025 through April 2026 (5 months of production data).

Sample size: 1,039 dynamic QR codes submitted by 742 users, generating over 48,000 tracked scans across 28 QR code types. Platform-wide scan volume exceeds 5 million when including static QR codes and non-tracked redirects.

What we measured:

• Automated security screening pass/fail rates across all submitted URLs
• Risk score distribution from clean (0) to high (50+)
• Categories of threats detected (without revealing detection methods)
• Domain age characteristics of flagged URLs
• Month-over-month threat trend data
• Post-deactivation scan behavior on blocked QR codes
• QR code type differences in security outcomes
• Account-level suspicious activity patterns

What this report does not include: We do not disclose our detection algorithms, scoring thresholds, specific security infrastructure, or any information that could help attackers bypass our screening. Our goal is to inform the QR code industry about threat patterns, not to provide a roadmap for abuse.

For industry context throughout this report, we reference data from Keepnet Labs, Acronis, CNBC, the FBI IC3, Mordor Intelligence, and Statista.

Approximately 85% of all URLs submitted to QRLynx pass automated security screening and are verified as safe for scanning. The remaining 15% are flagged for additional review before the QR code becomes active.

The 85% safe rate means the overwhelming majority of QR codes are legitimate. However, the 15% flagging rate shows that automated screening catches a meaningful volume of potentially problematic URLs before they reach consumers.

For context, Acronis reports that 12% of all phishing attacks in 2025 contained a QR code, and CNBC found that 26% of all malicious links are now delivered via QR codes. This means QR code generators are a critical chokepoint for preventing phishing URLs from reaching millions of smartphone scanners.

Among QR code generators that offer any form of URL screening, QRLynx is one of very few that publishes its screening data publicly. Most platforms provide no transparency into how many URLs they flag or what threats they detect.

QR code security is not static — threat patterns shift month to month. Our data reveals significant variation in flag rates across the 5-month analysis period.

March 2026 was the outlier — more than 1 in 4 QR codes created that month were flagged for security review. This spike coincided with a period of rapid platform growth (QR code volume nearly doubled from February) and a concentrated wave of submissions using newly registered domains.

By April, the flag rate normalized to 17.1% as the platform's screening pipeline adapted to new submission patterns. The overall trend shows that as QR code adoption grows (QR code volume increased 11x from December to April), the absolute number of flagged URLs grows proportionally — but the percentage remains manageable.

This pattern mirrors industry-wide data: Keepnet Labs reports that QR phishing attacks jumped 25% in 2025 alone, hitting over 26 million Americans with malicious links. Growth in QR code adoption inevitably brings growth in abuse attempts.

Not all flagged URLs are equally dangerous. QRLynx's screening assigns a risk level to every URL, ranging from clean to high. Here is the distribution across all dynamic QR codes analyzed:

The good news: 71.9% of all QR code URLs have zero risk indicators. Combined with the 21.1% in the Minimal category, over 93% of QR code destinations are safe by any reasonable measure.

The concern: the 1.5% in Moderate-to-High categories represents real threats. At scale — with over 100 million Americans scanning QR codes in 2026 according to Statista — even 1.5% translates to millions of potentially dangerous scan events across the QR code ecosystem.

When a QR code URL does not pass automated screening, the reason is logged. Here is the breakdown of why URLs get flagged on QRLynx:

New domains are the #1 reason URLs get flagged, accounting for 4.7% of all dynamic QR codes. This is consistent with broader phishing trends — the FBI's IC3 division has specifically warned that cybercriminals register fresh domains for QR code phishing campaigns because new domains have no reputation history to flag them.

Non-resolving domains (3.5%) are also concerning — a domain that does not resolve in DNS may be pre-staged for a future attack or may indicate a typosquatting attempt where the attacker has not yet configured the server.

Note: 80.6% of codes passed screening outright, and an additional 10% were auto-verified because they use non-URL QR types (WiFi, vCard, text) that do not link to external destinations.

Newly registered domains are the single largest category of flagged QR code URLs. Our data shows exactly how new these domains are when they are submitted to a QR code generator:

Nearly half (49%) of flagged new domains were registered less than one week before being submitted to a QR code generator. One in four were registered the same day — a strong indicator of disposable domains created specifically for a phishing campaign.

This pattern is well-documented in security research. Phishing attackers register domains at low cost ($1-5), use them for a single campaign, then abandon them before blocklists catch up. QR codes amplify this problem because a single printed code can be scanned by hundreds of people before anyone reports it.

Our recommendation for legitimate businesses: Register your domain at least 30 days before creating QR codes that point to it. Established domains with clean reputation history pass security screening without delay. If you are launching a new product or campaign on a fresh domain, expect automated screening to flag it — this is a necessary precaution, not a flaw.

Not all QR code types carry the same security risk. QR codes that link to external URLs face different threats than those encoding WiFi credentials, contact cards, or text.

URL-type QR codes are the only type with meaningful security risk (12.6% flag rate) because they direct scanners to external websites that could host phishing pages, malware, or credential-harvesting forms.

Social media QR codes (Instagram, YouTube, TikTok, LinkedIn, Facebook, Spotify, WhatsApp) all have a 0% flag rate because they link to known, trusted platforms. Bio pages and multi-link pages are self-hosted on the QR code platform and face no external URL risk.

This data has a practical implication: if you are creating QR codes for social media or contact sharing, the security risk is effectively zero. The risk concentrates entirely in QR codes that link to custom URLs — especially on newly registered domains.

One of the most striking findings from our data: blocked QR codes continue to receive an average of 3.3 scan attempts after deactivation. One blocked code received 45 scan attempts — the highest in our dataset.

When a QR code is deactivated — whether by the owner, by platform moderation, or by automated security enforcement — it stops redirecting to the destination URL. But the physical QR code still exists. Printed on a flyer, sticker, or business card, it continues to be scanned.

The 3.3 average suggests most blocked codes receive a handful of scans from confused legitimate users. But the code with 45 attempts is different — that pattern suggests persistent targeting, possibly by an attacker checking whether their blocked code has been reactivated.

QRLynx tracks these deactivated scan events and alerts code owners when their blocked codes are being scanned. This data reinforces a key security principle: deactivating a QR code is not the same as destroying it. Businesses should physically remove or cover outdated QR codes whenever possible.

The following statistics combine original data from QRLynx's security pipeline with industry-wide findings from leading cybersecurity researchers. Each statistic includes its source for verification.

QRLynx Original Data (December 2025 — April 2026):

1. 85% of QR code destination URLs pass automated security screening. (Source: QRLynx Security Pipeline, 2026)
2. 15% of URLs are flagged for additional review before a QR code goes live. (Source: QRLynx, 2026)
3. 71.9% of QR code URLs have zero risk indicators. (Source: QRLynx, 2026)
4. Fewer than 1.5% of QR code URLs score Moderate risk or above. (Source: QRLynx, 2026)
5. 4.7% of dynamic QR codes are flagged due to newly registered domains. (Source: QRLynx, 2026)
6. 3.5% of QR code URLs point to domains that do not resolve in DNS. (Source: QRLynx, 2026)
7. 49% of flagged new domains were registered less than 1 week before QR code creation. (Source: QRLynx, 2026)
8. 24.5% of flagged new domains were registered the same day as QR code creation. (Source: QRLynx, 2026)
9. March 2026 saw a 26.4% URL flag rate — the highest monthly rate in our dataset. (Source: QRLynx, 2026)
10. URL-type QR codes have a 12.6% flag rate; social media QR codes have 0%. (Source: QRLynx, 2026)
11. Blocked QR codes receive an average of 3.3 scan attempts after deactivation. (Source: QRLynx, 2026)
12. One blocked QR code received 45 scan attempts after deactivation. (Source: QRLynx, 2026)
13. Less than 1% of platform accounts are flagged for suspicious QR code creation patterns. (Source: QRLynx, 2026)
14. QR code creation volume grew 11x from December 2025 to April 2026 on the QRLynx platform. (Source: QRLynx, 2026)
15. 28 different QR code types are used across the platform, with URL codes representing 70.6% of all dynamic codes. (Source: QRLynx, 2026)

Industry-Wide QR Code Security Data:

16. QR code phishing attacks grew 400% between 2023 and 2025. (Source: Keepnet Labs)
17. 12% of all phishing attacks in 2025 contained a QR code. (Source: Acronis)
18. 26% of all malicious links are now delivered via QR codes. (Source: CNBC)
19. 73% of consumers scan QR codes without verifying the destination URL. (Source: Keepnet Labs)
20. Over 4.2 million QR code phishing threats were identified in early 2025. (Source: Keepnet Labs)
21. QR phishing attacks hit over 26 million Americans in 2025. (Source: Keepnet Labs)
22. 89.3% of quishing attacks target credential theft. (Source: Keepnet Labs)
23. Executives face 42x more QR phishing attacks than the average employee. (Source: Keepnet Labs)
24. The global QR code market is projected to reach $33.14 billion by 2031. (Source: Mordor Intelligence)
25. 102.6 million US smartphone users are projected to scan QR codes in 2026. (Source: Statista)

What happens when someone creates a QR code on a platform with security screening versus one without? The difference is significant.

QR code generators without URL screening are effectively distribution tools for phishing. According to Keepnet Labs, 73% of people scan QR codes without verifying the destination URL. This makes the QR code generator the last line of defense between an attacker and a victim.

Platforms with automated screening act as a security checkpoint — catching threats before they are printed, distributed, and scanned by thousands of unsuspecting users. For more on QR code security features, see our complete QR Code Security Guide.

For businesses creating QR codes:

• Always use a QR code generator with automated URL security screening — most free generators provide zero protection
• Use password protection for QR codes linking to sensitive or confidential content
• Monitor scan analytics weekly for anomalies — sudden scan spikes from unusual locations can indicate tampering or replication
• Set expiration rules on QR codes for time-limited promotions to prevent reuse after the campaign ends
• Physically remove or cover outdated QR codes — digital deactivation stops the redirect but the code still exists in the physical world

For consumers scanning QR codes:

• Check the URL preview before visiting — your phone shows the destination URL when you scan. Look for misspelled brand names, unfamiliar domains, and excessive subdomains
• Be suspicious of QR codes on stickers placed over other QR codes — this is a common physical tampering technique used to redirect scans to phishing sites
• Never enter login credentials, payment information, or personal data on a page you reached via an unknown QR code
• If a QR code leads to a security warning or interstitial page, take it seriously — the platform detected something worth flagging
• Report suspicious QR codes to the platform that hosts them — most reputable QR code generators have abuse reporting mechanisms

For detailed consumer safety guidance, see our QR Code Scams and Quishing Safety Guide. For businesses looking to understand QR code security architecture, see our Complete QR Code Security Guide.