Figure: a branded QR code on a card, protected by a shield, while an attacker's fake sticker peels off one corner to reveal the real code beneath.
Guide

QR code security for agencies: how to stop your campaign codes being hijacked

Most QR code security advice is written for the person scanning. This guide is for the agency that publishes the code: what quishing is, the three ways a printed campaign gets hijacked, a practical defence stack, and a one-page runbook for when a code is tampered with.

ScanKit · Organization · 18 min read

Your agency prints QR codes for a living. They go on posters, packaging, flyers, parking meters, restaurant tables and shop windows, often thousands of them, often carrying a client's brand. Almost every piece of QR security advice you will find is written for the person holding the phone: do not scan codes you do not trust, check the link before you tap. That advice is fine, but it is not written for you.

You are the publisher. You own the campaign, the artwork and the exposure when something goes wrong. If a scammer covers your client's poster with their own code, it is your client's customers who get phished and your client's brand on the scene of the crime. This guide is written for that side of the table: what quishing actually is, the three ways a published campaign gets hijacked, a defence stack you can run in practice, and the part almost everyone leaves out, a short runbook for the day a code is tampered with.

What quishing is, and why it works

Quishing is phishing where the malicious link is hidden inside a QR code instead of a clickable URL. The UK's National Cyber Security Centre and the FBI's Internet Crime Complaint Center both describe it the same way: the victim moves from a relatively defended place, a work inbox on a managed laptop, to a far less defended one, a personal phone, and the destination is invisible until it is too late.

That invisibility is the whole point. You cannot read a URL out of a QR code by eye, so the oldest safety habit in the book, hover over the link and check it, simply does not apply. A few other properties make codes unusually attractive to attackers. Scans almost always happen on a personal phone, which the NCSC notes often lacks the security controls a company puts on its own devices. A code rendered as an image slips past the email filters that scan for suspicious text links, because there is no text link to scan. And a code printed on an official-looking poster, meter or letter quietly inherits the trust of that surface, which is a social-engineering win before the victim has scanned anything.

It helps to keep the scale honest. In absolute terms this is still a small slice of fraud: the UK's national reporting service, Action Fraud, logged close to 800 QR-code fraud reports in the year to April 2025, with losses of roughly £3.5m. The reason it matters out of proportion to those numbers is direction and target. Europe's cybersecurity agency, ENISA, named quishing an emerging technique in its 2025 threat landscape report, reported volumes are climbing fast, and the surfaces being attacked are exactly the ones agencies work on every day. We touched on this when we compared dynamic and static QR codes; here is the full defensive picture.

The three ways a published campaign gets hijacked

Not every quishing attack is your problem to solve. These three are, in descending order of how directly they involve the codes you put into the world.

1. The sticker overlay

This is the one that is genuinely about you. An attacker prints a sticker with their own QR code, made to look just like yours, and sticks it straight over the real code on a poster, a parking meter, a menu or a shop window. It scans perfectly, because it is a perfectly valid code; it just points at a convincing clone of the real payment or sign-up page. The victim never sees your destination at all.

This is not theoretical. The US Federal Trade Commission warned in December 2023 about scammers covering parking-meter codes with codes of their own. American cities have issued formal advisories since: Orlando recovered around 200 fake stickers downtown, Redondo Beach in California found roughly 150 affected meters, and New York's transport department put out a citywide warning. In the UK, a 2025 freedom-of-information investigation found that of 373 councils that responded, about one in three said their car parks had been hit by fake QR codes in the previous year. The pattern is always the same: a high-traffic public surface, a believable clone, and a brand that is not the attacker's taking the reputational hit.

2. Brand impersonation away from your poster

In the second pattern the attacker never touches your artwork. They register a lookalike domain, clone your client's landing page, and drive traffic to it through their own posters, texts or emails. Your real campaign is untouched, but your client's brand is being worn by a fake.

Generic link shorteners make this easier than it should be. If your poster sends people to a bare, unbranded short link, your audience has no way to tell your link from an impostor's, because both look like anonymous strings. The destination is unverifiable by eye, which is the opposite of what you want on a public surface.

3. The code in the inbox

The third pattern is less about your printed campaign and more about how your own team and clients communicate, but it shapes one firm rule, so it belongs here. Because a QR code is an image, it sails past the email gateways that strip and reputation-check text URLs: there is no link in the text to check. Security researchers keep documenting how far attackers will push this. The SANS Internet Storm Center recorded a campaign in late December 2025 that built the QR code out of a 35-by-35 grid of HTML table cells, so there was not even an image file to inspect. Acronis has documented codes split across two images in a PDF that only assemble when a human looks at them.

The takeaway for a publisher is a discipline, not a panic: do not put bare QR codes into outbound customer email that asks anyone to log in or pay. If you train your audience to scan a code in an email and enter credentials, you are teaching them to do the exact thing the attacker needs, and you have made the attacker's job easier for every brand, not just your client's.

The defence stack for the publisher

No single control fixes this. The job is to layer a few of them so that an attacker has to beat several at once, and so that when one fails you can detect it and respond. The map below reads from the attacker's sticker outward, to the five places you can intervene.

Figure (a diagram of a sticker-overlay attack on a poster QR code, with five numbered markers): the five places an agency can defend a published QR code against a sticker-overlay attack: a branded domain in plain text, tamper-evident print, the phone's URL preview, scan analytics read as an alarm, and a dynamic code you can repoint.
  1. A branded domain you own, shown in plain text beside the code. A swapped sticker points at a foreign address, so an owned domain makes the fake stand out and gives a careful scanner something to verify.
  2. Tamper-evident print. Lamination or a glass cover means a sticker cannot be applied over the real code without leaving a visible mark.
  3. The phone's URL preview. Modern scanners show the destination before opening it, which is why a recognisable printed domain is worth the effort.
  4. Scan analytics read as an alarm. A sudden flat-line at one location, or scans from a country you never targeted, flags a code that has been covered or a link that has leaked.
  5. A dynamic code you can repoint. The moment you confirm tampering, you send every scan from that asset to a safe page in seconds, without reprinting a thing.

Use a dynamic code on a domain you own

A dynamic QR code does not encode the final destination. It encodes a short redirect link that you control, and that link forwards to wherever you point it. That single property buys you three things that matter for security: you can see the live destination at any time, you can change it without reprinting, and if a link is reported abused or your account is compromised you can repoint or disable it across every printed asset in under a minute. A static code, which hard-codes the URL, gives you none of that: the only fix is a reprint.

Put that redirect on a branded domain you own, something like qr.yourclient.com rather than a generic shortener. Now the URL a careful person previews before tapping is recognisably the client's, which does two jobs at once. It raises trust for the honest scan, and it makes a swapped sticker's foreign domain stand out, because the fake will not be on your domain.

Be honest about the limit, because overselling this is how people get hurt. A sticker physically pasted over your poster defeats a dynamic code completely: the attacker's sticker holds the attacker's URL, so your power to repoint your code is irrelevant to that particular scan. Dynamic codes defend the digital destination, not the paper it is printed on. They also add a dependency: every scan now routes through your provider, so that provider's uptime and account security become yours. Choose one that enforces HTTPS and protects accounts properly, and treat the limit as a reason to add the physical and detection layers below, not as a dealbreaker.

Make the real code hard to cover and easy to verify

Some of the strongest defences are physical. For high-value public placements, specify tamper-evident lamination or put the code behind glass or acrylic, so it cannot be covered cleanly without leaving a mark. Think about placement: a code within easy arm's reach on a street meter is a softer target than one set behind a counter. Print the destination domain in plain text next to the code, so your own field staff and the more careful members of the public can check that the previewed URL matches what is printed.

Design helps too. A distinctive, branded code, with your client's colour and logo set inside it within the size and contrast specs that keep it scannable, makes a plain black-and-white sticker pasted on top look obviously wrong. This works because of error correction: the highest level, H, can reconstruct a code with up to about 30 per cent of its modules obscured, which is what leaves room for a logo in the middle. Keep the logo modest, roughly a quarter of the code area or less, so you stay inside that budget.

Lock down who can change a destination

The power to repoint a dynamic code is also a risk. Anyone who can change the destination can hijack the campaign from the inside, whether that is a careless team member, a departed contractor whose access was never revoked, or an attacker who phished one of your logins. Treat the QR platform account as the sensitive asset it is: turn on multi-factor authentication, and give people the least access they need to do their job.

This is one more reason to keep each client in their own workspace with role-based access and an audit trail. If only two named people can change a given client's destinations, and every change is logged with who did it and when, both accidental and malicious changes get a lot harder, and a lot easier to unpick after the fact.
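As an added example, not ScanKit's code or API and not anything the page itself shows, here is a small model of the redirect layer described in "Use a dynamic code on a domain you own" combined with the per-workspace roles and audit trail described just above. The printed code encodes only a short link on the client's own domain; the destination lives in a table that only members with a permitted role can change, every change (and every denied attempt) is logged, and a destination that is not an absolute `https://` URL is rejected. The workspace, role names, users, slugs and domains are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Roles allowed to change where a printed code lands. A "viewer" can read
# analytics but never repoint: least privilege per workspace.
# (Role names are constructed for this example.)
ROLES_THAT_CAN_REPOINT = {"editor", "admin"}


class RedirectError(Exception):
    """Raised for a denied change, an unknown link or an unsafe destination."""


def validate_destination(url: str) -> None:
    """Accept only absolute https:// destinations, so the redirect hop never
    downgrades a scan to plain HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise RedirectError(f"destination must be an absolute https:// URL: {url!r}")


@dataclass
class RedirectEntry:
    slug: str
    destination: str
    enabled: bool = True


@dataclass
class Workspace:
    """One client's workspace: its own branded domain, members, links and audit log."""
    client: str
    domain: str                      # e.g. qr.yourclient.com, the page's own example
    members: Dict[str, str]          # user -> role
    links: Dict[str, RedirectEntry] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def short_url(self, slug: str) -> str:
        """The URL actually encoded in the printed QR code."""
        return f"https://{self.domain}/{slug}"

    def _log(self, user: str, action: str, detail: str) -> None:
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "detail": detail,
        })

    def _require_repoint_role(self, user: str, action: str) -> None:
        role = self.members.get(user)
        if role not in ROLES_THAT_CAN_REPOINT:
            self._log(user, action, "denied")   # denied attempts are evidence too
            raise RedirectError(f"{user!r} (role {role!r}) may not {action} links")

    def _entry(self, slug: str) -> RedirectEntry:
        if slug not in self.links:
            raise RedirectError(f"no such link: {slug!r}")
        return self.links[slug]

    def create(self, user: str, slug: str, destination: str) -> str:
        self._require_repoint_role(user, "create")
        validate_destination(destination)
        self.links[slug] = RedirectEntry(slug, destination)
        self._log(user, "create", f"{slug} -> {destination}")
        return self.short_url(slug)

    def repoint(self, user: str, slug: str, destination: str) -> None:
        """Runbook step 2: send every scan of this printed asset somewhere safe."""
        self._require_repoint_role(user, "repoint")
        validate_destination(destination)
        entry = self._entry(slug)
        old, entry.destination = entry.destination, destination
        self._log(user, "repoint", f"{slug}: {old} -> {destination}")

    def disable(self, user: str, slug: str) -> None:
        self._require_repoint_role(user, "disable")
        self._entry(slug).enabled = False
        self._log(user, "disable", slug)

    def resolve(self, slug: str) -> Optional[str]:
        """What a scan lands on right now; None means serve a safe holding page."""
        entry = self.links.get(slug)
        if entry is None or not entry.enabled:
            return None
        return entry.destination


if __name__ == "__main__":
    ws = Workspace("Acme Coffee", "qr.acme.example", {"alice": "admin", "bob": "viewer"})
    print("printed code encodes:", ws.create("alice", "spring", "https://acme.example/spring"))
    ws.repoint("alice", "spring", "https://acme.example/holding")
    print("scan now lands on:", ws.resolve("spring"))
    for event in ws.audit:
        print(event)
```

The two properties the page relies on are visible here: `resolve` is the only thing the printed code depends on, so a single `repoint` or `disable` changes every printed asset at once, and the audit list answers "who changed it, and when" after the fact. Note what the model does not do: it cannot help with a sticker pasted over the real code, because that sticker's slug is not in this table at all.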

Turn your scan analytics into a tamper alarm

The same numbers you already watch to prove a campaign is working will, read slightly differently, tell you when something is wrong. The scan metrics that matter for performance double as a detection layer. A sudden flat-line at one physical location while its siblings keep performing normally is a classic signature of a code that has been covered: nobody is reaching your destination from that spot any more because the sticker is sending them elsewhere. An unexplained spike, or scans appearing from a country your campaign never ran in, can mean a short link has leaked or is being abused.

These are heuristics, not alarms with fixed thresholds, so the win is the habit rather than the exact number. Build a regular look at scan patterns into the way you run campaigns, the same way you would review spend, and you turn a reporting dashboard into an early-warning system.
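The two heuristics above, a per-location flat-line while sibling placements keep scanning, and scans from a country the campaign never ran in, are simple enough to run over an exported scan log. The following is an added example written for this guide, not ScanKit's own analytics; the log format (ISO timestamp, location id, country code), the 24-hour comparison window, the "siblings still at half their previous volume" rule and the sample scans are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed scan log (not real data): one scan per line as
# "<ISO-8601 timestamp> <location id> <country>". Three parking-meter
# placements; meter-14 stops registering scans on the second day.
SAMPLE_LOG = """\
2025-06-01T09:10:00Z meter-12 GB
2025-06-01T09:40:00Z meter-13 GB
2025-06-01T10:05:00Z meter-14 GB
2025-06-01T12:30:00Z meter-12 GB
2025-06-01T13:15:00Z meter-14 GB
2025-06-01T15:50:00Z meter-13 GB
2025-06-01T17:20:00Z meter-14 GB
2025-06-02T08:55:00Z meter-12 GB
2025-06-02T09:30:00Z meter-13 GB
2025-06-02T11:45:00Z meter-12 GB
2025-06-02T12:10:00Z meter-13 BR
2025-06-02T14:00:00Z meter-12 GB
2025-06-02T16:25:00Z meter-13 GB
"""

Scan = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Scan]:
    scans = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, location, country = line.split()
        scans.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), location, country))
    return scans


def counts_by_location(scans: List[Scan], start: datetime, end: datetime) -> Counter:
    return Counter(loc for ts, loc, _ in scans if start <= ts < end)


def flatline_alerts(scans: List[Scan], now: datetime,
                    window: timedelta = timedelta(hours=24),
                    min_previous: int = 2) -> List[Dict]:
    """Flag locations that scanned in the previous window but not at all in the
    current one, while their siblings are still performing. If every location
    dropped together, the campaign ended or the link broke; that is a different
    problem and is deliberately not flagged here."""
    current = counts_by_location(scans, now - window, now)
    previous = counts_by_location(scans, now - 2 * window, now - window)
    alerts = []
    for loc, prev_n in previous.items():
        if prev_n < min_previous or current.get(loc, 0) > 0:
            continue
        sibling_prev = sum(n for l, n in previous.items() if l != loc)
        sibling_cur = sum(n for l, n in current.items() if l != loc)
        if sibling_prev and sibling_cur >= 0.5 * sibling_prev:
            alerts.append({"location": loc, "previous": prev_n,
                           "current": 0, "siblings_current": sibling_cur})
    return alerts


def geography_alerts(scans: List[Scan], now: datetime, target_countries: set,
                     window: timedelta = timedelta(hours=24)) -> Dict[str, int]:
    """Count recent scans from countries the campaign never targeted."""
    recent = [c for ts, _, c in scans if now - window <= ts < now]
    return dict(Counter(c for c in recent if c not in target_countries))


if __name__ == "__main__":
    scans = parse_log(SAMPLE_LOG)
    now = datetime(2025, 6, 2, 18, tzinfo=timezone.utc)
    for alert in flatline_alerts(scans, now):
        print("possible covered code:", alert)       # meter-14: 3 scans, then none
    print("scans outside target geography:", geography_alerts(scans, now, {"GB"}))
```

Both functions return structured results rather than verdicts, which matches the page's point that these are heuristics: the output is a reason to send someone to look at the asset, not proof of tampering. The thresholds (`min_previous`, the 0.5 sibling ratio, the window length) are the knobs to tune per campaign once you know its normal daily rhythm.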

What the phone does for you, and what it does not

It is worth knowing exactly how much help the scanner is, so you neither over-rely on it nor dismiss it. Most modern phone cameras show a URL preview before they open anything, which is the single most useful habit your client's customers can have, and the reason printing a recognisable domain pays off. The NCSC specifically recommends using the phone's built-in scanner rather than a downloaded scanner app, since the app itself can be untrustworthy or over-permissioned.

There are real limits, though. A URL preview only shows the address, it does not judge whether the site behind it is safe. Google Safe Browsing and similar services do flag known-bad sites in Chrome and other clients, but they are reactive by nature and miss brand-new attacker domains, which is exactly why the large scam operations cycle through tens of thousands of fresh domains to stay ahead of the blocklists. And HTTPS, the padlock, only secures the connection: a phishing clone can serve a perfectly valid padlock, so "it had the lock" is not a safety signal. The honest message to pass on to a client's audience is to read the domain, not to trust the lock.

If a code gets hijacked: a short runbook

Most security articles stop at "monitor for tampering" and leave you there. Here is what to actually do when monitoring pays off, in order.

  1. Confirm it. Cross-check the analytics anomaly against the physical world. Have someone near the asset look at it, or look yourself. Is there a sticker over the code? Does scanning it land somewhere it should not? You want to be sure before you act, but minutes matter, so do not wait for certainty you cannot get.
  2. Repoint or disable immediately. With a dynamic code, change the destination to a safe holding page, or back to the real one if you control it, so that every scan from that printed asset is neutralised at once, everywhere it exists. This is the moment the whole dynamic-code argument earns its keep. With a static code you cannot do this at all, which tells you what to choose next time.
  3. Contain the physical asset. Get the overlay removed or the artwork replaced, and check sibling placements nearby, because attackers rarely sticker just one.
  4. Report it. Tell your QR platform, and report the fraudulent clone to the domain registrar or host carrying it, and to the national fraud body: Action Fraud in the UK, the FBI's IC3 in the US. The faster a malicious domain is taken down, the smaller the blast radius.
  5. Tell the client, plainly. Explain what happened, what you did, the window of exposure, and what has changed so it is less likely to recur. An incident handled openly is a trust-builder; an incident the client discovers later is the thing that loses the account. Silence is worse than the sticker.

A pre-print and post-launch checklist

Pull the above into something you can run on every campaign.

Before it goes to print:

  • Use a dynamic code on a branded domain you own, with HTTPS end to end.
  • Print the destination domain in plain text beside the code.
  • For public surfaces, specify tamper-evident stock and a placement that is hard to cover or reach.
  • Verify the destination and its certificate before the artwork ships.
  • Secure the platform account itself: multi-factor authentication, and least-privilege access per workspace.

After it launches:

  • Watch scan analytics for per-location flat-lines and unexpected geography or volume.
  • Schedule physical inspections of high-value public codes.
  • Keep the one-page runbook above where the team can find it.
  • Never send bare login or payment QR codes in outbound customer email.

Frequently asked questions

Can someone hijack or replace my QR code?

Yes, most simply by covering it. A QR code has no cryptographic link to its destination, so a sticker placed over yours scans exactly like the real thing while pointing somewhere else entirely. A dynamic code helps you recover fast, because you can repoint it, but it cannot stop the physical swap on that particular poster. That is why the defence has to combine a dynamic code, tamper-evident print and scan monitoring, rather than relying on any one of them.

Are dynamic QR codes safer than static ones?

For recovery, clearly yes. A dynamic code can be repointed to a safe page in under a minute across every printed asset, whereas a static code can only be fixed by reprinting. The sticker-overlay risk applies equally to both, since that attack replaces your code rather than changing it. Dynamic codes also add a dependency on your provider, so secure that account and pick a provider that enforces HTTPS.

Does a branded domain stop QR code phishing?

No, and you should be wary of anyone who says it does. A branded domain you own is a strong layer: it makes your real link recognisable and a fake's foreign domain obvious, and it gives careful scanners something to verify. But it is a trust and detection signal, not prevention. Treat it as one part of a stack that also includes physical tamper-evidence and analytics monitoring.

How can I tell if a QR code has been tampered with?

Two ways, used together. Physically, check whether a sticker has been applied over the printed code; the corner of an overlay will often lift. Analytically, watch your scan data: a location that suddenly stops registering scans while similar placements carry on, or scans from somewhere your campaign never ran, are both red flags worth a physical check.

Do QR codes get past email security filters?

Often, yes, and that is precisely why quishing works. Because the code is an image rather than a text link, the gateways that scan and reputation-check URLs have nothing to read. Researchers have even documented codes built from HTML tables or split across PDF images to defeat scanners entirely. The practical rule for a publisher is to never put a bare QR code that asks for a login or payment into outbound email, so you are not training your audience into the habit attackers exploit.

Who is responsible if someone scans a fake code wearing my client's brand?

This is not legal advice, but the useful way to think about it is that the criminal is the culpable party, while your client still carries the reputational exposure, because their brand is what the victim saw. That gap is exactly why the publisher should treat quishing as brand protection rather than someone else's problem. The agency that can show it used dynamic codes, owned domains, tamper-evident print and active monitoring is in a far stronger position than one that did none of it.

How often should we physically inspect printed codes?

As a rule of thumb, scale inspection to the risk. Codes tied to payment or on very high-traffic public surfaces deserve frequent checks, in the busiest cases close to daily; ordinary posters and lower-risk placements can be reviewed periodically. Pair whatever schedule you set with analytics monitoring, so that a digital anomaly can trigger an off-schedule physical check.

The short version

Quishing is phishing through a QR code, and the advice that exists is mostly aimed at the people scanning, not the agencies publishing. As a publisher your exposure comes in three shapes: a sticker pasted over your real code, a lookalike domain impersonating your client away from the poster, and codes in email that slip past filters. No single control stops all three, so layer them: a dynamic code on a domain you own so you can see, change and kill the destination fast; tamper-evident, verifiable print so the real code is hard to cover; tight access control so only the right people can repoint a code; and scan analytics read as an alarm so you notice when something shifts. Then keep a one-page runbook, because the difference between a scare and a disaster is how fast you detect it and how calmly you respond.

If you do one thing this week, put your next client campaign on a dynamic code on a domain you own, and decide who is allowed to change where it points. That single move turns a hijack from a reprint and an awkward phone call into a one-minute fix.
