QR codes are widely used, but can become the vector of phishing attacks (QRishing). To support users, we systematically developed a usable secure QR code scanner, SEQR (Security Enhanced QR code scanner). We based the SEQR's design on two systematic reviews: (i) of academic literature (2015–2025), identifying 96 papers on QRishing, and (ii) of the MITRE ATT&CK® Mobile repository, finding 36 QRishing techniques. From these two sources, we categorized 60 potential attacks, and divided them between those that SEQR addresses only at the technology level, and those where SEQR involves the users in the decision. We evaluated SEQR effectiveness in thwarting attacks in a between-subjects online study (n=556), where SEQR achieved 93.35% correct answers, compared to 75.24% for the Apple iOS QR code scanner and 65.11% for the Samsung Android QR code scanner. We implemented SEQR as an open source Android application, available on GitHub.
ACM CHI Conference on Human Factors in Computing Systems