QR Codes at Church: A Cybersecurity Risk Hiding in Plain Sight
Churches have embraced QR codes in recent years, using them for everything from digital bulletins and online giving to event registrations and sermon notes. The convenience is undeniable—just scan and go. No more paper waste, no more handling cash. But that same simplicity makes QR codes a prime cybersecurity target for bad actors looking to exploit unsuspecting congregants.
The problem? Most people scan QR codes without thinking twice about where they lead. Cybercriminals are taking advantage of this blind trust by swapping out legitimate QR codes with malicious ones, tricking users into giving away sensitive information or downloading malware. This isn’t just a theoretical threat—it’s happening, and the risks are growing fast.
QR Code Attacks Are on the Rise
QR code-based phishing, also known as "quishing," has skyrocketed in recent years. According to Recorded Future, QR code phishing attacks increased 433% in 2023, with AI-generated phishing sites making these scams even more convincing. The FBI has also issued warnings about hackers using QR codes to steal banking credentials and personal data (Recorded Future, Cowboy State Daily).
Churches are especially vulnerable because they operate on trust. A recent HackerNoon article specifically called out places of worship as easy targets, noting how simple it is for scammers to swap out QR codes on printed materials or even post fake ones on social media (HackerNoon).
The Breakdown in Church Security: Media and Communications vs. IT
One of the biggest vulnerabilities comes from how QR codes are created and distributed within churches. In many cases, media and communications teams generate and post QR codes without consulting IT or security personnel. This disconnect can prove disastrous.
Here’s why: most media teams focus on convenience, aesthetics, and user experience—not cybersecurity. Their goal is to make things as easy and engaging as possible for the congregation. Meanwhile, IT teams are responsible for security, data protection, and fraud prevention—but they often aren’t aware that these QR codes are being created until a problem arises.
Without IT oversight, QR codes can:
- Be linked to insecure third-party services that lack proper encryption or authentication.
- Use URL shorteners or third-party redirection tools that can be hijacked.
- Be distributed without any tracking or verification process, making it easier for bad actors to replace them.
- Go unmonitored and unaudited for potential compromise.
If a hacker successfully intercepts or replaces a QR code linked to a donation page, event registration, or prayer request form, the church won’t even know until members start reporting fraudulent charges or stolen data. By then, the damage is already done.
Real-World Consequences: When Media and IT Don't Communicate
This lack of coordination has already led to real-world incidents. A church in Texas recently discovered that a fraudulent QR code had been circulating in their bulletin for weeks. The media team had printed a code linking to an online giving page, but a bad actor placed stickers with a different QR code over the printed codes, directing users to a fake donation site.
In another case, a megachurch’s social media team posted an event registration QR code without verifying the link with IT. Hackers quickly copied the design, posted a similar QR code in the comments, and tricked dozens of members into signing up through a fake portal—collecting names, email addresses, and phone numbers in the process.
The Hidden Dangers of Online QR Codes
While physical QR codes in church buildings are a risk, online QR codes present even bigger challenges. When churches post QR codes on websites or social media, it becomes difficult to verify their legitimacy. Hackers can easily download, modify, and redistribute these codes in phishing emails or fake social media posts, directing users to malicious sites.
Another growing tactic involves hijacking URL shorteners used in QR codes. Many churches use services like Bit.ly or TinyURL to create shorter, cleaner QR code links. However, if a hacker gains access to that URL shortener account, they can replace the destination link with a fraudulent one—without the church even realizing it.
Why Churches Must Take QR Security Seriously
Churches are built on community and trust, which makes them prime targets for these types of attacks. Unlike corporations with dedicated IT and security teams, many churches lack the cybersecurity resources needed to prevent these threats. Congregations often include elderly members and less tech-savvy individuals, making them more vulnerable to phishing scams.
Financially, the risks are significant. If hackers successfully reroute donations through fraudulent QR codes, churches could lose thousands of dollars before the issue is even detected. Worse yet, it damages trust—if members feel their financial information isn’t safe, they may hesitate to give online in the future.
How Churches Can Protect Their Congregations
To mitigate these risks, church leadership needs to bridge the gap between media and IT teams. The first step is implementing a process for reviewing and approving all QR codes before they go public. Instead of allowing media and communications teams to generate and distribute QR codes without oversight, churches should develop a security checklist, including:
- IT approval for all QR codes before distribution (both print and digital).
- Mandatory monitoring of QR codes to detect any unauthorized changes.
- Custom-branded URLs instead of third-party shorteners to prevent hijacking.
- Regular audits of QR codes to ensure they are still directing to the correct pages.
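One way IT could run the audit and monitoring items in this checklist, shown as an added example that is not from the original article: each QR code is scanned, and its decoded URL is compared against a registry of approved destinations. The domain `examplechurch.org`, the registry entries, the finding names and the sample scans are all constructed placeholders, and decoding the QR image into a URL is assumed to happen beforehand.

```python
from urllib.parse import urlsplit

# Hypothetical registry of IT-approved destinations (placeholder domain).
APPROVED = {
    "giving": "https://give.examplechurch.org/donate",
    "events": "https://events.examplechurch.org/register",
}
OWNED_DOMAINS = ("examplechurch.org",)   # assumption: domains the church controls
SHORTENERS = {"bit.ly", "tinyurl.com"}   # the shorteners named in the article

def _key(url):
    """Scheme, host and path, normalised for comparison (query ignored)."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").rstrip("."), p.path.rstrip("/")

def audit(label, decoded_url):
    """Findings for one decoded QR payload; an empty list means it passes."""
    try:
        p = urlsplit(decoded_url)
        scheme, host, _ = _key(decoded_url)
    except ValueError:
        return ["unparseable"]
    findings = []
    if scheme != "https":
        findings.append("not-https")
    if p.username is not None:            # text before '@' is not the host
        findings.append("userinfo-in-url")
    if host in SHORTENERS:
        findings.append("third-party-shortener")
    elif not any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS):
        findings.append("foreign-domain")
    if label not in APPROVED:
        findings.append("unregistered-code")
    elif _key(decoded_url) != _key(APPROVED[label]):
        findings.append("destination-changed")
    return findings

# Constructed sample scans: (label on the printed or posted code, decoded URL).
SCANS = [
    ("giving", "https://give.examplechurch.org/donate/"),
    ("giving", "https://bit.ly/3abcXYZ"),
    ("giving", "https://give.examplechurch.org.lookalike.test/donate"),
    ("giving", "https://give.examplechurch.org@lookalike.test/donate"),
    ("events", "http://events.examplechurch.org/register"),
    ("potluck", "https://events.examplechurch.org/potluck"),
]

if __name__ == "__main__":
    for label, url in SCANS:
        print(label, url, "->", audit(label, url) or "ok")
```

The suffix match on the parsed hostname is what catches the two look-alike URLs: both contain the church's domain as text, but neither resolves to a host the church controls.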
Beyond internal processes, churches should also educate their congregation. Many people don’t realize that QR codes can be used for phishing. A quick announcement during service or a note in the bulletin about only scanning QR codes from official church sources can go a long way in preventing attacks.
Final Thoughts: A Call to Action for Church Leaders
QR codes have made church operations more convenient, but they’ve also created a new avenue for cyber threats. The growing divide between media teams creating these codes and IT teams securing them is a recipe for disaster. Churches must start thinking about cybersecurity as a shared responsibility, not just a technical issue.
Technology should serve the church, not become a liability. With a few simple precautions, churches can continue to embrace digital transformation without becoming easy targets for cybercriminals.