QR Codes Are Everywhere — So Are the Scams
QR codes exploded into mainstream use during the pandemic and never left. Restaurant menus, parking meters, event tickets, product packaging, and public posters all use them. This ubiquity has made them a valuable tool for fraudsters running a tactic now widely called quishing — a portmanteau of "QR code" and "phishing."
How Quishing Works
A QR code is simply machine-readable text, most often a URL. When you scan one with your phone camera, it opens that URL — exactly the same as clicking a hyperlink. The danger is that you can't see where a QR code leads before you scan it, unlike a visible URL where you might notice suspicious characters.
The Typical Quishing Attack Flow
- Placement: A scammer places a malicious QR code where real codes are expected — on a parking meter, a café table, a flyer, or even inside an email (to bypass link-scanning security filters).
- Scan: The victim scans the code, believing it leads to a legitimate service.
- Redirect: The code opens a convincing fake website — a payment portal, a login page, or a form requesting personal information.
- Theft: Login credentials, payment details, or personal data are harvested.
Where Malicious QR Codes Appear
- Parking meters and ticket machines: Stickers placed over legitimate QR codes redirect payments to scammer-controlled accounts.
- Restaurant tables and menus: Replaced or overlaid codes lead to fake ordering or payment pages.
- Public posters and flyers: "Free Wi-Fi", "Win a prize", or "COVID check-in" codes that harvest personal information.
- Email attachments and PDFs: Used to bypass email security filters that scan text-based links but not images.
- Postal mail: Increasingly, fraudulent letters (fake tax authority notices, bank letters) include QR codes leading to phishing sites.
- Social media profiles: Fake brand accounts post QR codes for "exclusive offers" or giveaways.
Why Quishing Is Particularly Dangerous
Traditional phishing links can be inspected before clicking. QR codes cannot — at least not easily. Additionally, mobile devices (the primary tool for scanning) often have less robust security software than desktop computers, giving attackers a softer target. The switch to mobile also takes users out of their familiar security-aware browsing environment.
How to Scan QR Codes Safely
Before You Scan
- Physically inspect the code. Is there a sticker placed over an original code? Does it look tampered with?
- Consider the context. Does a QR code here make sense? Was it expected?
At the Moment of Scanning
- Use a QR scanner that previews the URL before opening it. Most built-in phone cameras do this — read the URL carefully before tapping "Open."
- Check the displayed URL for the same red flags as any phishing link: misspellings, wrong domains, excessive subdomains.
After the Page Loads
- Verify the full URL in the browser address bar.
- Do not enter payment details or login credentials if anything looks unfamiliar.
- If the page asks you to download an app or allow permissions, close it immediately.
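The URL checks in the list above, as an added example that is not part of the original article: a small Python triage of the string decoded from a QR code that applies the article's red flags (wrong domain, excessive subdomains, misspelled lookalikes, a user@ prefix hiding the real host) and flags non-web payloads such as Wi-Fi join codes. The expected-domain list and the sample payloads are constructed assumptions, and the two-label "registered domain" helper is a toy stand-in for a real public-suffix lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed for illustration: the domains a user expects in this context.
EXPECTED_DOMAINS = {"pay.city-parking.example", "menu.cafe.example"}

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _registered(host: str) -> str:
    """Last two labels of a hostname (toy stand-in for a public-suffix lookup)."""
    return ".".join(host.split(".")[-2:])

def triage_qr_payload(payload: str, expected=EXPECTED_DOMAINS) -> list:
    """Return the red flags found in a decoded QR payload; an empty list means none."""
    scheme = payload.split(":", 1)[0].lower()
    if scheme in ("wifi", "tel", "sms", "mailto"):
        return [f"non-web payload ({scheme}:) triggers a device action, not a page"]
    if scheme not in ("http", "https"):
        return [f"unexpected scheme {scheme!r}"]
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    flags = []
    if scheme == "http":
        flags.append("plain http, no TLS")
    if parts.username is not None:  # https://expected.example@real-host/...
        flags.append("user@ prefix can disguise the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address instead of a domain")
    if host.count(".") >= 4:
        flags.append(f"excessive subdomains ({host.count('.') + 1} labels)")
    known = {_registered(d) for d in expected}
    reg = _registered(host)
    if reg not in known:
        near = [k for k in known if _edit_distance(reg, k) <= 2]
        if near:
            flags.append(f"lookalike of {near[0]} (misspelled domain)")
        elif any(k.split(".")[0] in host.split(".")[:-2] for k in known):
            flags.append(f"expected brand used only as a subdomain of {reg}")
        else:
            flags.append(f"unexpected domain {reg}")
    return flags
```

Run it on the decoded string your scanner shows in its preview; anything other than an empty list is a reason to stop before tapping "Open."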
Quishing vs. Traditional Phishing: Key Differences
| Factor | Email Phishing | Quishing |
|---|---|---|
| Attack vector | Email link or attachment | Physical or digital QR code |
| URL visible before click? | Sometimes (hover to preview) | No — must scan first |
| Bypasses email filters? | Partially | Yes — image-based, not text |
| Device targeted | Desktop or mobile | Primarily mobile |
| Physical component? | No | Often yes (stickers, posters) |
Reporting a Suspected Malicious QR Code
If you find a suspicious QR code in a public place — particularly one that appears to be stuck over an original code — report it to the venue or business immediately and, if relevant, to local authorities. Screenshot the location and code for evidence. Reporting helps prevent others from being victimized.