TLDR
Scammers are using stylized QR codes with embedded logos, custom colors, rounded modules, and branded designs to make quishing attacks harder to detect. KnowBe4 research found that stylized QR codes "complicate detection" because they break the visual patterns that security tools and human reviewers use to identify suspicious codes. Traditional black-and-white grid recognition fails against QR codes that use gradients, company logos, and artistic elements. The ScamVerify™ QR scanner works regardless of QR code styling, checking the decoded URL against 74,032 URLhaus domains and 60,758 ThreatFox indicators no matter how the code looks.
What Makes a QR Code "Fancy"
Standard QR codes are black squares on a white background, arranged in a specific pattern with three positioning squares in the corners. They are immediately recognizable and, to most people, interchangeable. One looks much like another.
Fancy (stylized) QR codes modify the visual appearance while preserving the encoded data. Modern QR code generators allow extensive customization:
| Customization | Description | Scam Application |
|---|---|---|
| Logo embedding | Company logo placed in the center of the QR code | Makes fake QR codes appear officially branded |
| Color changes | Black modules replaced with brand colors | Matches corporate color schemes for credibility |
| Rounded modules | Square modules replaced with circles or rounded shapes | Creates a polished, professional appearance |
| Gradient fills | Modules use color gradients instead of solid fills | Signals "professional design" to victims |
| Background images | QR code overlaid on branded background | Blends the code into marketing materials |
| Custom shapes | Modules shaped as hearts, stars, or other icons | Creates visual appeal that distracts from scrutiny |
| Frame and CTA | "Scan me" text, borders, and call-to-action labels | Increases scan likelihood |
QR codes have built-in error correction (typically 15% to 30% of the code can be damaged or modified without affecting readability). Stylized QR codes exploit this error correction capacity to overlay logos, alter colors, and change shapes while remaining scannable.
Why Fancy QR Codes Are More Dangerous
They Build False Trust
A plain black-and-white QR code on a sticker looks generic. It could be from anyone. A stylized QR code with a company logo, brand colors, and professional design looks official. It signals that someone invested effort in creating it, which humans subconsciously associate with legitimacy.
When a scammer creates a quishing QR code with the target company's logo embedded in the center, the victim sees a "branded" QR code that feels authentic. The visual sophistication creates a credibility signal that plain QR codes lack.
They Defeat Visual Pattern Recognition
Security awareness training has taught people to be cautious of QR codes in emails and public spaces. Many people have developed a basic visual heuristic: "random black-and-white QR code = potential risk." Stylized QR codes bypass this heuristic because they look intentional, designed, and trustworthy rather than suspicious.
KnowBe4, one of the largest security awareness training companies, explicitly flagged stylized QR codes as a detection complicator. Their research noted that both automated tools and human reviewers struggle with QR codes that deviate from the standard visual format.
They Evade Automated Detection
Some email security tools have begun scanning for QR codes in image attachments. These tools typically look for the distinctive pattern of a standard QR code: black modules on a white background with three positioning squares. When the QR code uses custom colors, rounded modules, or embedded logos, these pattern-matching algorithms may fail to identify the image as a QR code at all.
| Detection Method | Standard QR Code | Fancy QR Code |
|---|---|---|
| Pixel pattern matching | Detected | May fail |
| Positioning square detection | Detected (3 squares found) | May fail (squares obscured by design) |
| Contrast analysis | High contrast (black/white) | Variable contrast (colors, gradients) |
| Human visual inspection | Recognized as QR code | May appear as "branded graphic" |
| ScamVerify QR scanner | Decoded and checked | Decoded and checked |
The last row is important. The ScamVerify QR scanner uses jsQR for server-side decoding, which works on the underlying data pattern regardless of visual styling. Colors, logos, and custom shapes do not affect the ability to decode and check the destination URL.
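The contrast and positioning-square rows of the table can be reproduced on a single pixel row. This is an added example, not code from ScamVerify, jsQR, or any email filter: it checks for the 1:1:3:1:1 dark/light run ratio that a QR positioning square (finder pattern) produces, first with a fixed near-black cutoff and then with a threshold relative to the row's own contrast. The pixel rows, colours, and function names are constructed for illustration.

```javascript
// Added illustration: QR finder-pattern check on a single pixel row.
const luma = ([r, g, b]) => 0.299 * r + 0.587 * g + 0.114 * b; // 0..255

// Naive assumption: a module counts as dark only if it is near-black.
const binarizeFixed = (row, cutoff = 64) => row.map((px) => luma(px) < cutoff);

// Styling-tolerant: split at the midpoint between darkest and lightest pixel.
function binarizeRelative(row) {
  const l = row.map(luma);
  const mid = (Math.min(...l) + Math.max(...l)) / 2;
  return l.map((v) => v < mid);
}

// Run-length encode a boolean row into [{ dark, len }, ...].
function runs(bits) {
  const out = [];
  for (const dark of bits) {
    const last = out[out.length - 1];
    if (last && last.dark === dark) last.len++;
    else out.push({ dark, len: 1 });
  }
  return out;
}

// A finder pattern crossed through its centre reads dark:light:dark:light:dark
// with widths 1:1:3:1:1. Accept each run within half a module of that ratio.
function hasFinderRatio(bits) {
  const r = runs(bits);
  const expected = [1, 1, 3, 1, 1];
  for (let i = 0; i + 5 <= r.length; i++) {
    const w = r.slice(i, i + 5);
    if (!w[0].dark) continue;
    const unit = w.reduce((sum, x) => sum + x.len, 0) / 7;
    if (w.every((x, k) => Math.abs(x.len - expected[k] * unit) <= unit / 2)) return true;
  }
  return false;
}

// Constructed sample row: quiet zone, finder pattern, separator, data modules.
function sampleRow(dark, light, pxPerModule = 4) {
  const modules = "0000" + "1011101" + "0" + "1101001";
  return [...modules].flatMap((m) => Array(pxPerModule).fill(m === "1" ? dark : light));
}

const PLAIN = sampleRow([0, 0, 0], [255, 255, 255]);
const STYLED = sampleRow([0, 120, 212], [255, 244, 214]); // constructed brand-like colours
```

A real decoder scans many rows and columns and confirms three finder patterns; this single-row check only isolates the thresholding step that colour styling affects.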
How Scammers Create Branded QR Codes
The tools for creating stylized QR codes are freely available and require no technical skill:
- Free online generators (QR Code Monkey, QRCode.ai, Canva) allow anyone to create branded QR codes in minutes
- Logo upload is a standard feature, allowing scammers to embed any company's logo
- Color pickers let scammers match exact brand colors using hex codes from the target company's website
- Template libraries provide pre-designed QR code styles that look professional
- Batch generation allows creating hundreds of unique branded QR codes from different templates
A scammer impersonating a bank can create a QR code with the bank's logo, brand colors, and a professional frame in under five minutes, at zero cost.
Real-World Examples of Stylized QR Code Attacks
Corporate Impersonation
Attackers send emails containing QR codes styled with the target company's branding. A fake Microsoft email includes a QR code with the Microsoft logo embedded in the center and a blue color scheme. A fake DocuSign email features a QR code in DocuSign's green brand color. The styling makes the QR code feel like an official part of the email template rather than a suspicious addition.
Physical Marketing Materials
Scammers create professional-looking flyers, postcards, and table cards with stylized QR codes. A fake "loyalty program" card with a retail brand's logo and colors, featuring a beautifully designed QR code, is far more convincing than a plain QR code on a white sticker. These materials appear on restaurant tables, community bulletin boards, mailboxes, and event venues.
Social Media Campaigns
Stylized QR codes are used in fake social media advertisements and posts. A QR code designed with a brand's visual identity, embedded in what appears to be a professional marketing graphic, gets shared and scanned without scrutiny. The visual quality of the QR code matches the professional quality people expect from legitimate brand content.
Why Traditional Advice Falls Short
Standard security advice for QR codes includes:
- "Be cautious of QR codes in unexpected places"
- "Look for signs of tampering"
- "Verify the source before scanning"
This advice works reasonably well for plain, unbranded QR codes. It fails against stylized QR codes because:
- "Be cautious of QR codes" becomes harder to follow when the QR code looks like a deliberate, branded element of a legitimate communication.
- "Look for signs of tampering" does not apply when the QR code is not a tampered overlay but a professionally designed image created from scratch.
- "Verify the source" is undermined when the QR code itself appears to verify the source through embedded branding.
The visual sophistication of fancy QR codes neutralizes the visual heuristics that security-conscious people rely on.
How to Protect Yourself
Since visual inspection of QR codes is increasingly unreliable, protection must focus on verifying the destination rather than evaluating the appearance:
- Ignore how the QR code looks. A beautiful, branded QR code is no safer than a plain one. Appearance tells you nothing about the destination.
- Always read the URL preview before tapping. Your phone camera shows where the QR code leads regardless of its visual styling.
- Use the ScamVerify QR scanner to check any QR code against threat databases. The scanner decodes stylized QR codes just as effectively as plain ones.
- Verify independently. If a QR code claims to be from a specific company, go to that company's official website directly instead of scanning.
- Be extra skeptical of "polished" QR codes in emails. A beautifully designed QR code in an email is actually more suspicious than a plain one, because legitimate companies typically include text links, not QR codes, in their emails.
The bottom line: the fancier a QR code looks, the more reason you have to verify it before scanning.
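Verifying the destination rather than the appearance can be sketched as follows. This is an added example, not ScamVerify's code: it takes the text a decoder such as jsQR has already extracted and checks it against a domain blocklist plus a few URL-structure signals. `assessQrPayload`, the verdict names, and the blocklist entry are assumptions constructed for illustration; a real list would come from a threat feed.

```javascript
// Constructed blocklist entry; stands in for domains loaded from a threat feed.
const BLOCKED_DOMAINS = new Set(["login-portal.example"]);

// Vet the decoded text of a QR code. Styling never reaches this function:
// only the payload string does.
function assessQrPayload(text, blocked = BLOCKED_DOMAINS) {
  let url;
  try {
    url = new URL(text.trim());
  } catch {
    return { verdict: "not-a-url", host: null, findings: [] }; // plain text payload
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "review", host: null, findings: [`non-web scheme ${url.protocol}`] };
  }

  // URL lowercases the host and converts Unicode labels to punycode;
  // drop a trailing root dot so "evil.example." cannot dodge the list.
  const host = url.hostname.replace(/\.$/, "");
  const labels = host.split(".");

  // Match the host and each parent domain (but not the bare TLD).
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (blocked.has(candidate)) {
      return { verdict: "blocked", host, findings: [`listed domain ${candidate}`] };
    }
  }

  // Structural signals worth a second look even without a list hit.
  const findings = [];
  if (url.username || url.password) findings.push("text before @ is not the destination host");
  if (url.protocol === "http:") findings.push("unencrypted http");
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) || host.startsWith("[")) findings.push("raw IP address host");
  if (labels.some((l) => l.startsWith("xn--"))) findings.push("punycode label");
  return { verdict: findings.length ? "review" : "no-match", host, findings };
}
```

A "no-match" verdict only means the domain is not on the list used; it is not proof that the destination is safe.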
FAQ
Can ScamVerify scan stylized QR codes with logos and colors?
Yes. The ScamVerify QR scanner uses server-side jsQR decoding that reads the underlying data pattern of the QR code regardless of visual styling. Custom colors, embedded logos, rounded modules, and other design elements do not affect the ability to decode the QR code and check the destination URL against 74,032 URLhaus domains and 60,758 ThreatFox indicators.
Are fancy QR codes always suspicious?
No. Many legitimate businesses use branded QR codes in their marketing materials. The problem is that the same tools used to create legitimate branded QR codes are available to scammers at no cost. A stylized QR code is not inherently suspicious, but it is also not inherently trustworthy. The appearance of a QR code tells you nothing about where it leads. Always verify the destination URL.
Why can't email filters detect stylized QR codes?
Most email security tools that scan for QR codes look for the standard visual pattern: black modules on a white background with three corner positioning squares. When those visual markers are altered by custom colors, rounded shapes, or overlaid logos, the pattern-matching algorithms may not recognize the image as a QR code. More advanced tools are beginning to account for stylized variants, but adoption lags behind the threat.
How do I tell a legitimate branded QR code from a scam?
You cannot tell by appearance alone. Both use the same tools and produce the same visual quality. The only reliable method is to decode the QR code and verify the destination URL. Use your phone's URL preview or the ScamVerify QR scanner to check where the code actually leads, regardless of how it looks.