PaidDues/Security-Advisory---QR-Code-Overlay

Security Advisory — Malicious QR Code Overlays

About This Project

This repository contains a security advisory addressing the growing threat of malicious QR code sticker overlays — commonly referred to as "quishing" — in which a threat actor places a fraudulent QR code over a legitimate one on an organization's physical signage or materials. When scanned, the overlaid code redirects end users to phishing pages, credential-harvesting flows, or malware downloads on their personal devices.

The advisory was written independently as a general-purpose resource for organizational leadership across industries. It is not tied to a specific incident or organization. It is classified as PUBLIC (TLP:CLEAR) and intended for broad distribution.

Why This Exists

QR codes have become a standard part of how organizations interact with customers, patients, and guests — and most of those organizations have no inspection protocol, detection capability, or escalation procedure for physical tampering. The attack requires no technical sophistication, costs virtually nothing to execute, and exploits trust that the organization itself has built through its own branding. Despite that, most security guidance treats QR-based threats as a footnote to email phishing rather than as a distinct physical-security problem with its own risk profile.

I wrote this advisory because the gap between how widely QR codes are deployed and how rarely their physical integrity is verified represents a meaningful and underaddressed risk. I'm sharing it here because the work demonstrates a set of skills that are difficult to show through certifications or job titles alone: the ability to identify an emerging threat vector, assess its business impact across multiple dimensions, and communicate that analysis to a non-technical audience in a format that supports decision-making.

What the Advisory Covers

  • Threat Analysis: A detailed breakdown of the quishing attack lifecycle — from pre-condition through exploitation — explaining how the attack unfolds and why it scales effectively across multi-location operations
  • Industry Risk Assessment: Evaluation of elevated risk across seven industry sectors (restaurants, retail, healthcare, hospitality, financial services, transportation, and higher education) based on QR code usage volume, customer interaction patterns, and data sensitivity
  • Business Impact Analysis: Assessment of organizational consequences including end-user harm, brand and revenue impact, regulatory exposure under frameworks such as HIPAA, GDPR, CCPA, and PCI DSS, and operational scale risk for multi-location deployments
  • Detection & Monitoring Guidance: Practical indicators of compromise (physical, customer-signal, and digital), monitoring methods designed to integrate into existing operational workflows, and a tiered escalation protocol scaled to incident scope
  • Regulatory Mapping: Identification of privacy and data protection frameworks potentially implicated by QR-initiated data collection and the obligations they impose
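
The advisory's detection guidance leaves the digital-indicator side at the level of description. As an added example (not code from the advisory or its author), the Python below shows what a minimal digital check looks like when a field inspector scans a deployed code and pastes the decoded payload in: the payload is compared against a registry of what the organization actually printed at that placement, and common tells of an overlay (a URL shortener, a brand name embedded in an unowned host, userinfo or an IP literal in the authority, an embedded URL hinting at an open redirect, or a non-web scheme) are collected for the escalation record. The registry, the owned domain, the placement IDs and the shortener list are all constructed here for illustration.

```python
"""Check a decoded QR payload against an organization's registry of deployed codes.

Added example, not part of the advisory. Assumes the inspector has already
decoded the sticker with any scanner app and supplies the raw string; the data
below (placement IDs, domains, URLs) is constructed for the example.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed registry for a hypothetical multi-location restaurant:
# physical placement ID -> the exact URL the organization printed there.
REGISTRY = {
    "store-042-table-menu": "https://menu.example-restaurant.com/s/42",
    "store-042-counter-pay": "https://pay.example-restaurant.com/t/42",
}
OWNED_DOMAINS = {"example-restaurant.com"}
# Shorteners hide the real destination; a legitimate printed code never needs one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy", "cutt.ly"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _owned(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def _brand_embedded(host: str) -> bool:
    """An owned name appearing inside a host we do not own, e.g.
    menu.example-restaurant.com.evil.example, is a classic lookalike."""
    return any(d in host for d in OWNED_DOMAINS) and not _owned(host)


def check_payload(placement_id: str, payload: str) -> dict:
    """Return {"verdict": "match" | "mismatch" | "unregistered", "indicators": [...]}.

    "match" with no indicators means the sticker decodes to exactly what was
    printed. Anything else on a placement that should carry the organization's
    own code is grounds for escalation under the advisory's tiered protocol.
    """
    indicators = []
    expected = REGISTRY.get(placement_id)
    if expected is None:
        verdict = "unregistered"
    elif payload.strip() == expected:
        return {"verdict": "match", "indicators": []}
    else:
        verdict = "mismatch"
        indicators.append("payload differs from registered URL")

    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, mailto:, javascript:, tel: or plain text - nothing we printed.
        indicators.append(f"non-web scheme: {scheme or 'none'}")
        return {"verdict": verdict, "indicators": indicators}
    if scheme == "http":
        indicators.append("plain http")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        indicators.append("no host")
    if parts.username is not None:
        indicators.append("userinfo before host")
    if _is_ip_literal(host):
        indicators.append("IP-literal host")
    if host in SHORTENERS:
        indicators.append("URL shortener hides destination")
    if host and not _owned(host):
        indicators.append(f"host not owned: {host}")
    if _brand_embedded(host):
        indicators.append("brand name embedded in unowned host")

    # A full URL inside the path or query usually means a redirect hop.
    tail = unquote(parts.path + "?" + parts.query).lower()
    if "http://" in tail or "https://" in tail:
        indicators.append("embedded URL in path/query (possible open redirect)")
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for pid, raw in [
        ("store-042-table-menu", "https://menu.example-restaurant.com/s/42"),
        ("store-042-table-menu", "https://bit.ly/3abc"),
        ("store-042-counter-pay", "http://pay.example-restaurant.com.evil.example/t/42"),
    ]:
        print(pid, check_payload(pid, raw))
```

The exact-match test against the registry is the part that matters operationally: it turns "does this look suspicious?" into "is this the code we printed?", which a non-technical inspector can act on without judgement calls. The indicator list exists to give the escalation ticket something concrete to carry when the answer is no.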

Skills Demonstrated

  • Threat Intelligence & Analysis — Identifying an emerging physical-security threat vector, analyzing its mechanics and scalability, and assessing its relevance across multiple industries before it becomes a widespread incident
  • Risk Communication & Executive Briefing — Structuring a security advisory for a non-technical leadership audience, balancing technical accuracy with accessibility, and organizing findings to support prioritization and resource allocation decisions
  • Regulatory Awareness — Mapping a physical-security threat to its downstream regulatory implications across multiple frameworks (HIPAA, GDPR, CCPA/CPRA, PCI DSS, state privacy laws) without overstating applicability
  • Operational Security Design — Developing detection, monitoring, and escalation guidance that integrates into existing business workflows rather than requiring new infrastructure or dedicated staffing
  • Technical Writing — Producing a polished, publication-ready advisory with consistent structure, precise language, and appropriate scoping disclaimers — written to a standard suitable for distribution to compliance, legal, and executive stakeholders

Frequently Asked Questions

Is this based on a specific incident?

No. Unlike my HIPAA Security Vulnerability Disclosure Report, which documented specific observed vulnerabilities at a healthcare facility, this advisory addresses a general threat applicable across industries. It was informed by documented incident reporting from the FBI IC3, FTC, and HHS HC3, as well as industry press coverage of quishing attacks throughout 2024 and 2025.

Why a security advisory instead of a vulnerability disclosure?

The two serve different purposes. A vulnerability disclosure documents specific findings at a specific organization and is submitted to that organization for remediation. A security advisory addresses a broader threat pattern and is designed for wide distribution to help multiple organizations assess their own exposure. This project is the latter — it's a proactive risk communication tool, not a reactive incident report.

Who is the intended audience?

Organizational leadership and management — specifically operations, marketing, security, IT, and compliance decision-makers at organizations that deploy QR codes in customer-facing or public environments. The advisory is deliberately written for non-technical readers who need to understand the risk and assign accountability, not implement technical controls themselves.

Why is the severity rated HIGH?

Three factors drive the rating: the attack requires only seconds of unsupervised physical access to execute, it scales trivially across locations using identical campaign materials, and the resulting harms — credential theft, payment fraud, brand damage, and regulatory exposure — create substantial organizational liability. The combination of high likelihood and meaningful impact justified the rating.

How does this relate to your HIPAA disclosure project?

They're complementary. The HIPAA disclosure demonstrates reactive security work — identifying existing vulnerabilities, documenting them against a regulatory framework, and reporting them responsibly. This advisory demonstrates proactive security work — analyzing a threat pattern before it results in an incident, assessing cross-industry applicability, and producing guidance that helps organizations reduce exposure. Together, they represent both sides of security communication.

Repository Contents

| File | Description |
| --- | --- |
| Security_Advisory_QR_Code_Overlays.pdf | The full security advisory document |
| README.md | This file |

Contact

If you'd like to discuss this project, my approach to security analysis, or my qualifications, feel free to reach out via LinkedIn.


This advisory reflects my independent analysis and is not affiliated with or endorsed by any organization referenced within it. It is classified as PUBLIC (TLP:CLEAR) and is intended for broad distribution to support organizational security awareness.

About

A security advisory on the growing but overlooked threat of malicious QR code overlays targeting industries such as travel, hospitality, personal banking, restaurants, healthcare clinics, and more.
