Quishing: What It Is, How It Works, and How to Protect Yourself From QR Code Scams
Quishing is phishing carried out through a QR code. Instead of a link in an email, the attacker places a physical or digital QR that, when scanned, leads to a fraudulent website designed to steal passwords or banking data, or to install malware.
Quick answer
- "Quishing" = QR + phishing. The QR is just the vehicle; the attack happens on the website it redirects to.
- Common cases: fake stickers on parking meters, tampered restaurant menus, fake payment QRs, fake phone chargers in airports, emails with attached QRs.
- Before scanning: check the QR isn't a sticker placed over another one.
- When scanning: most modern phones show the URL before opening it. Read it.
- Never enter passwords or banking data on a website you reached by scanning an unknown physical QR.
What is quishing?
Quishing (from QR + phishing) is a type of attack where the cybercriminal uses a QR code to lead the victim to a malicious website without raising suspicion.
It works because:
- The user can't see the URL before scanning (the QR is opaque to the human eye).
- A legitimate QR and a malicious one look identical; they can't be told apart by sight.
- The user drops the defences they would have against an email or web link (in an email the domain is visible; in a QR it isn't).
The attacker's end goal can be:
- Stealing credentials (banking, social media, corporate email).
- Charging payments to fraudulent sites that imitate real ones.
- Installing malware or spyware on the phone.
- Collecting personal data to resell.
How does a quishing attack work?
The typical scheme has three steps:
- The attacker creates a QR pointing to a website under their control. The site usually visually imitates a known brand (bank, parking meter, public service, restaurant).
- They place it where the victim will scan it without suspicion: stuck over the original QR on a public sign, inside an apparently legitimate email, on a fake phone charger, on a sticker over a restaurant menu.
- The victim scans, reaches the fake site, and fills in their data thinking it's the real one.
The last step is classic phishing. What's new is the first: the QR as a hook the user can't inspect.
Common documented cases
The most frequent:
- Parking meters: stickers with fake QRs placed over the real one. The driver scans, reaches a fake payment gateway, "pays" the parking fee, and their card details go to the attacker.
- Restaurants: a sticker over the digital menu QR. The fake site asks for an email or details "to view the menu".
- Fake tax or fine notices: a QR on a postal letter that looks official.
- Public chargers at airports: QR with fake "setup" instructions.
- Corporate emails: the QR arrives attached in a PDF to "validate your Microsoft 365 session" or similar. It can slip past email anti-phishing filters because the URL lives inside an image rather than in the message text.
- Manipulated public ads on subway, buses, and street furniture.
The common pattern: places where people expect to scan a QR and don't question it.
How to spot a suspicious QR before scanning
Quick visual check:
- Is it a sticker placed on top of something? Look closely. A sticker over a printed sign is the clearest sign of tampering.
- Is the QR in an improvised spot (stapled paper, broken corner)? Be suspicious.
- Does it match the brand it claims to be? Pixelated logos, weird colours, typos in nearby text.
- Did you receive it by email and weren't expecting a QR? Verify through another channel first.
If in doubt, don't scan. Find the official website yourself.
How to protect yourself when scanning
Most modern phones give you a layer of protection if you use it:
- Wait for the URL to appear before tapping it. On iPhone (iOS 11+) and Android (10+), the camera shows the URL first as a notification. Don't open it automatically.
- Read the domain. If it claims to be "your bank" but the URL is banc0-access.xyz, it's fake. Look mainly at the main domain (the host name: what comes after https:// and before the next /).
- Distrust shortened URLs in physical QRs. A legitimate business QR usually doesn't hide the URL behind a shortener.
- Don't enter credentials on sites reached by scanning a public QR you don't control. If they ask you to log in, open the app or official site yourself from scratch.
- For payments: if you're going to pay after scanning a QR, check that the URL is the official payment gateway and not a strange domain imitating it.
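The checks in this list, applied to the text a phone decodes from a QR, as an added Python example (not QRcito's code). The shortener list, the digit-for-letter swap table, the `expected_domain` parameter and the sample payloads are all assumptions constructed for the example; the main-domain extraction is deliberately simplified.

```python
# Added example, not QRcito's code: apply the checks above to the text a
# phone decodes from a QR, before anyone taps the link.
from urllib.parse import urlsplit

# Constructed sample of shortener hosts; a real list would be far longer.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Digit-for-letter swaps often used in lookalike domains (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def main_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'login.example.com' -> 'example.com'.
    Simplified: multi-part public suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_qr_payload(payload: str, expected_domain: str = "") -> dict:
    """Classify a decoded QR payload and list warning signs for URL payloads.

    expected_domain is the main domain you expect (e.g. the bank's real site)
    so that lookalikes such as banc0-access.xyz can be flagged.
    """
    kind = payload.split(":", 1)[0].upper() if ":" in payload else "TEXT"
    result = {"kind": kind, "warnings": []}
    if kind == "WIFI":
        result["warnings"].append("WiFi QR: joins a network, opens no website")
        return result
    if kind not in ("HTTP", "HTTPS"):
        return result  # plain text, vCard, tel:, etc. carry no link to open
    parts = urlsplit(payload)
    host = parts.hostname or ""
    is_ip = host.replace(".", "").isdigit()
    result["host"] = host
    result["main_domain"] = host if is_ip else main_domain(host)
    if parts.scheme != "https":
        result["warnings"].append("not HTTPS")
    if is_ip:
        result["warnings"].append("raw IP address instead of a domain name")
    if result["main_domain"] in SHORTENERS:
        result["warnings"].append("shortener hides the real destination")
    if expected_domain:
        exp = expected_domain.lower()
        got = result["main_domain"]
        if got != exp:
            brand = exp.split(".")[0]
            # Lookalike: the brand name appears in a subdomain, or the main
            # domain matches it once digit swaps are undone.
            if brand in host or brand in got.translate(HOMOGLYPHS):
                result["warnings"].append(f"lookalike of {exp}: {got}")
            else:
                result["warnings"].append(f"main domain is {got}, not {exp}")
    return result
```

An empty `warnings` list means none of the listed signs fired, not that the site is legitimate; the final check is still to open the official site yourself.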
What to do if you've already fallen for it
Immediate steps if you entered data on a suspicious site:
- Change passwords of affected services from another device.
- If you gave bank details: call your bank and block the card. Review recent transactions.
- Enable two-factor authentication on every critical account if you didn't have it.
- Report the fraud to your country's cybersecurity authority (IC3 in the US, Action Fraud in the UK, INCIBE in Spain).
- If you suspect malware on your phone: review recently installed apps, run a reputable mobile antivirus, consider resetting the device.
For businesses: how to protect the QRs you place
If your business uses QRs (restaurants, events, transport, retail), you're a target too: if an attacker places stickers over yours, the reputational damage is yours.
Best practices:
- Print the QR onto the surface itself, not on a removable sticker. Much harder to tamper with.
- Laminate or protect outdoor QR signs.
- Periodically check the physical QRs in your business, especially payment ones.
- Use your own domain in the QR destination. Generic domains or shorteners are suspicious by themselves.
- Train your team to spot suspicious stickers on your business surfaces.
- Notify customers if you discover tampering.
Is it dangerous to generate my own QRs?
Generating your own QR isn't a risk — the QR you create for your website, WiFi or vCard isn't malicious. The risk is in other people's QRs you scan.
That said, when generating your own QRs, two things matter:
- That your generator doesn't exfiltrate the data you enter (especially important if you encode WiFi passwords, personal data in vCards or payment information). Use generators that work 100% in the browser and don't require an account.
- That the QR points to a domain you control. Avoid intermediate shorteners when possible: any compromise of the shortener turns your QRs into weapons for third parties.
QRcito generates QRs entirely in your browser and uses no redirection. The QR destination is exactly what you type.
Bottom line
Quishing is traditional phishing in new wrapping: the QR code. The favourite attack vector is a manipulated sticker in places where people expect to scan without thinking. The defence is reading the URL before opening it, distrusting suspicious stickers, and not entering credentials on sites reached through unverified QRs.
For your own QRs, make sure to generate them in tools that don't send your data to a server and don't introduce redirects you don't control.
FAQ
Is quishing the same as phishing? Almost. Quishing is phishing where the bait is a QR instead of a link or email. The fraudulent part still happens on a malicious website.
Can a QR code install a virus just by scanning it? Not directly. The QR contains no executable code, just data (usually a URL). The damage happens in what comes next: if the URL leads you to download a malicious app or a fraudulent site, that's where the risk lives.
Is it safe to scan a QR in a restaurant or on an official sign? Usually yes, but check there are no stickers placed over the original. If the URL the phone shows looks strange or uses a shortener, don't open it.
Does an antivirus help against quishing? Some paid QR readers have filters against malicious domains. Most native cameras don't, but they do show the URL before opening it. That URL is your first line of defence.
How do I know if the site a QR took me to is official? Look at the main domain in the browser bar, check the HTTPS certificate, and compare with the official website by searching Google yourself. If it doesn't match exactly, don't enter data.