
Denis Kisina

Posted on DEV Community. Originally published at deniskisina.dev.

What Is Quishing and How to Avoid It

[Image: scanning a QR code at Wursthall Restaurant]

Quishing (or QR code phishing) is a new twist on the familiar phishing scam. In quishing, attackers use malicious QR codes to trick victims into visiting fake websites or downloading malware. QR codes are the black-and-white square barcodes you scan with your phone’s camera; a code is just an encoded string, very often a URL, and the scanner app decides what to do with it. Cybercriminals know that many people trust QR codes for quick tasks (viewing menus, paying bills, signing up for deals), and they exploit that trust. As the Australian Cyber Security Centre explains, quishing “uses QR codes instead of text-based links” to fool people into giving up personal data or installing harmful software. Cloudflare’s security team similarly warns that quishing aims to steal sensitive information (passwords, financial data, and PII, personally identifiable information) by redirecting you to malicious sites. In short, quishing replaces a clickable link with a scannable code to carry out the same scams.

How Quishing Works

In a typical quishing attack, a scammer generates a QR code that encodes a malicious URL, either a phishing page or a download of a malware-laden file. They might email or text the QR code to you, put it on a fake flyer, or stick it over a real QR code in a public place. When you scan the code with your smartphone camera, it takes you to a malicious website or offers a malicious download. Often the site looks legitimate (for example, it mimics a bank or company login page) and asks you to enter passwords or payment information. As SoSafe’s security guide explains, after scanning a quishing QR code “victims are asked to provide sensitive information like login credentials or bank details or to download malicious software”. In another twist, called QRLJacking, the attacker starts a “log in by scanning” session for a site in their own browser, captures the QR code it shows, and presents that code to the victim. When the victim scans it with the mobile app they are already signed in to, the site binds the attacker’s browser session to the victim’s account, so the attacker is logged in as the victim without ever learning the password.

Quishing works so well because QR codes hide their destination. Unlike a regular link, you usually can’t see where a QR code will take you until after you scan it. Many email security filters extract and check the URLs in text and HTML links but do not decode QR codes embedded in images, so a phishing email whose only “link” is a QR image can slip past them. Attackers add urgency or curiosity on top: “Scan this code to hear a missed voicemail” or “Scan to claim a prize.” Because QR codes look official and scanning feels effortless, people often don’t hesitate. Once scanned, the trap is sprung: your device is now connected to a fake site or a malicious download, and the phone’s small screen makes the address harder to check than on a desktop browser.
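The filter gap described above is something a mail-gateway rule can partly close even without decoding the image. The following Python script is an added example, not code from the original post: it parses raw messages with the standard library and scores the signals the paragraph names (an image part, lure wording, a terse body, no ordinary hyperlink). The sender addresses, bodies and the three-of-four threshold are constructed assumptions for illustration; decoding the QR image itself (for example with a zbar-based library) would be the next step and is not shown here.

```python
"""Heuristic triage for QR-code lure emails.

Added example for this post, not code from the original article. A gateway that only
inspects text and hyperlinks can miss a phishing mail whose only "link" is a QR code
inside an image. This parses a raw message with the standard library and scores it on
four signals: an image part, lure wording, an image with no hyperlink, and a terse body.
The three sample messages and the threshold (3 of 4 signals) are constructed for the
example, not a published rule.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_WORDS = re.compile(
    r"\b(scan|qr|voicemail|mfa|multi-factor|authenticat\w*|expires?|urgent|password)\b",
    re.IGNORECASE,
)
HYPERLINK = re.compile(r"https?://|href=", re.IGNORECASE)
IMAGE_TYPES = ("image/png", "image/jpeg", "image/gif", "image/webp")
SUSPICIOUS_THRESHOLD = 3  # assumption: three of the four signals


def _bodies(msg):
    """Yield the decoded text/plain and text/html parts of a message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content()


def analyze(raw: bytes) -> dict:
    """Return the signals found in one raw RFC 5322 message and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    raw_text = " ".join(_bodies(msg))
    visible = re.sub(r"<[^>]+>", " ", raw_text)  # strip HTML tags before wording/length checks
    images = [p for p in msg.walk() if p.get_content_type() in IMAGE_TYPES]
    lures = sorted({m.group(0).lower() for m in LURE_WORDS.finditer(visible)})
    has_link = bool(HYPERLINK.search(raw_text))
    signals = {
        "has_image": bool(images),
        "lure_words": bool(lures),
        "image_without_link": bool(images) and not has_link,
        "short_body": len(visible.split()) < 60,
    }
    score = sum(signals.values())
    return {
        "subject": str(msg["subject"]),
        "signals": signals,
        "lures": lures,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def build_sample(subject: str, text: str, with_image: bool) -> bytes:
    """Construct a sample message; the PNG payload is a stub, not a real QR image."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"  # constructed sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if with_image:
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(32),
                           maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


# Constructed samples: one voicemail lure, one legitimate newsletter, one plain notice.
SAMPLES = {
    "voicemail_lure": build_sample(
        "New voicemail (0:42)",
        "You have a new voicemail. Scan the QR code in the attached image with your "
        "phone to listen. The message expires in 24 hours.",
        with_image=True,
    ),
    "newsletter": build_sample(
        "October product update",
        "Hello team, here is the monthly update. "
        + "This month we shipped several improvements to reporting and dashboards. " * 6
        + "Read the full notes at https://intranet.example.com/updates/october . "
        "Thanks for your feedback.",
        with_image=True,  # a logo image; legitimate mail carries images too
    ),
    "text_only_notice": build_sample(
        "Password rotation reminder",
        "Your password expires next week. Change it through the usual portal.",
        with_image=False,
    ),
}


def triage(samples=SAMPLES) -> dict:
    """Analyze every sample and map its name to the verdict dict."""
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:18} score={verdict['score']} {flag} lures={verdict['lures']}")
```

Run as-is it prints one line per sample; only the voicemail lure crosses the threshold. The newsletter shows why “has an image” alone cannot be the rule, and the plain notice shows that lure words and brevity without an image stay below it.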

Key steps in a quishing scam include:

  • Creation: The attacker creates a QR code that links to a fraudulent website or a malicious file (for example, a fake login page or a virus download).

  • Delivery: They place the QR code where people will scan it – this could be in an email, text message, social post, a flyer, or even a sticker on a public sign.

  • Scanning: The victim uses a smartphone to scan the code and is taken to the attacker-controlled site or service. Sometimes the site immediately offers a file to download; on current phones the user usually still has to confirm the download or app install, which is why an unexpected download prompt after a scan is itself a warning sign.

  • Exploitation: The site may ask the user to enter credentials (like passwords or credit card numbers). Once entered, the attacker steals this information. They might also gain access to the device itself if malware was installed, enabling identity theft, financial fraud, or ransomware attacks.

Common Signs of a Quishing Attack

Quishing scams use many of the same tricks as email phishing, so the red flags are similar to other scams – plus a few QR-specific ones. Watch out for these warning signs:

  • Unsolicited QR codes: Be suspicious if you receive a QR code out of the blue, especially from an unknown sender. For example, if you get an unexpected email or text saying “scan this QR code now” with no clear context, that’s a red flag.

  • Urgency or incentives: Messages that pressure you to scan quickly (“Offer ends soon!”) or promise big rewards (“Win $100 if you scan this code”) are common lures. Scammers use fear and greed to get you to act without thinking. SoSafe notes that attackers often incite “fear and urgency” to trick victims into scanning fraudulent QR codes.

  • Poor context or grammar: If the QR code comes with a generic greeting, spelling mistakes, or strange wording, treat it cautiously. Legitimate organizations usually address you by name and provide clear context.

  • Misleading placement or design: On posters, flyers, or stickers, look for signs of tampering. IBM warns to check if the QR code sticker looks pixelated, misaligned, or placed over an existing code. A sticker that doesn’t match the rest of the design (for instance, a newer-looking sticker on an old sign) could be hiding a malicious code.

  • Suspicious destination: After scanning, check the web address carefully. If your phone shows the URL or name of the site it’s going to, look for anything unusual. A slight typo or unfamiliar domain should make you back out immediately. Also be cautious if your phone suddenly asks for downloads or app permissions after scanning; attackers sometimes request extra permissions that aren’t needed for viewing content.

  • Asking for private info: Legitimate QR codes rarely ask for sensitive data. If the site you landed on immediately asks for login credentials, your Social Security number, or bank details, it’s almost certainly a scam.

  • Where you found the QR code: Consider the context. A random QR code on a street lamp or a parking meter that was never there before might be malicious. IBM notes that attackers have even pasted fake codes on devices like parking machines or menus during COVID-19 to trick people.

Always trust your instincts: if something seems off about a QR code or the website it leads to, don’t scan it.

Real-World Examples

Cybercriminals have already carried out many quishing attacks. Some notable cases include:

  • Parking meter fraud: In one Texas case, scammers placed fake QR code stickers on parking kiosks. Drivers who scanned to “pay” were taken to a bogus site and ended up handing their credit card details directly to the fraudsters. A similar scam occurred in Atlanta, where fake parking tickets with QR codes were placed on cars. The city later warned that they do not use QR codes on tickets – the codes led to scam payment pages.

  • Workplace phishing: Employees at a company received emails claiming to have a voicemail. The email had a QR code that supposedly would let them listen to the message. Scanning it took victims to a fake Microsoft login page. Unsuspecting users entered their usernames and passwords, giving the attackers direct access to their accounts.

  • Banking scam: Customers of a bank got emails or letters asking them to scan a QR code to “consent to a new data policy.” Scanning redirected them to a website that looked exactly like the bank’s login page. When customers entered their details, hackers captured their account credentials.

  • Unsolicited gift (“Brushing”) scam: Some people have received free small gifts in the mail along with a note and a QR code. The note says to scan the code to register the gift or learn about the sender. In reality, scanning takes you to a spoof website that asks for personal or financial information. The U.S. Postal Inspection Service describes this as another form of quishing, where criminals look innocent (giving a small gift) to trick you into scanning a malicious QR code.

  • Educational campaign QR: Not all QR codes are malicious, but even marketers have shown how readily people scan an unknown code. A popular Coinbase ad at the 2022 Super Bowl featured a QR code that bounced around the screen, offering free Bitcoin for app downloads. This legitimate code worked brilliantly (app installs jumped 309%), but it also demonstrated how many people would scan a code shown on a TV with no way to see where it led. Scammers use the same idea to bait victims: shortly before that ad aired, news outlets reported “crypto QR scams” in which victims were pressured into sending money through QR-enabled crypto ATMs. These cases show that quishing can appear anywhere: in emails, ads, parking meters, or even free gifts.

These real incidents show that quishing is versatile. It can target anyone – commuters, shoppers, workers, or even bank customers – by using a QR code in a context where people would least expect it.

How to Protect Yourself

You can take several practical steps to reduce your risk of falling for quishing:

  • Only scan trusted QR codes: If you didn’t expect a QR code from someone, don’t scan it. Only use codes from official or known sources. IBM’s advice is clear: “Think before you scan – make sure that you’re only scanning codes from reputable sources.” If a code comes via an unsolicited email or message, verify its legitimacy first.

  • Inspect the code: When you see a QR code in public, look closely. Is it part of the original sign or does it look like a sticker slapped on later? A code that is misaligned, blurry, or placed over another code could be malicious. If it looks suspicious, don’t scan it.

  • Preview the link: Use your phone’s camera or a trusted QR scanner that shows you the URL before you open it. Many modern smartphones let you see the website address after you scan and before you tap to go there. Check that address carefully. If the URL doesn’t match what you expect (for example, it’s not the official bank site), don’t proceed.

  • Verify websites and information: If scanning leads to a website that asks for personal info, double-check everything. Look at the address bar: is the domain name spelled correctly, and is it the real site’s registered domain rather than a lookalike such as a brand name tucked into a subdomain of some other domain? Note that https and the padlock only mean the connection is encrypted; phishing sites use https too, so they prove nothing about who runs the site. Does the page design (logo, layout) match the real company’s website? If in doubt, close the page and navigate manually by typing the known website address into your browser.

  • Be cautious with downloads and permissions: Don’t download apps or files from QR codes unless you are absolutely sure of the source. If a code makes your phone ask for unusual permissions or to allow installs from unknown sources, cancel it. The Australian Cyber Security Centre (cyber.gov.au) gives the same advice: avoid installing apps via QR codes and use the official app stores instead.

  • Keep devices secure: Always install the latest updates for your phone and apps. Use a reputable security app on your device if possible. Enable two-factor authentication (2FA) on your online accounts, so that a stolen password alone is not enough to log in. Prefer phishing-resistant methods such as passkeys or hardware security keys where a service offers them: a fake login page can relay a one-time code you type in just as easily as the password, but it cannot complete a passkey or FIDO2 challenge for a domain it does not control.

  • Stay alert and informed: Learn about current scam tactics and tell others. If a deal sounds too good to be true, it usually is. The IBM security team warns not to “let the convenience of scanning a QR code cloud your good judgment”.

By following these tips — verifying codes, checking links, and maintaining good security habits — you can make yourself a much harder target for quishing.
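Previewing the decoded address, as the “Preview the link” and “Verify websites” tips advise, can be automated. The following Python script is an added example and not code from the original post: it takes the string a scanner app shows before you tap it and runs the checks a careful reader would do by eye (scheme, bare IP, userinfo before “@”, punycode, link shorteners, typosquats within two edits of an expected domain, a brand name buried in someone else’s domain, and app or executable downloads). Decoding the QR image itself is out of scope. The allowlist of expected domains, the shortener list and the sample URLs are assumptions constructed for the example.

```python
"""Inspect the address decoded from a QR code before opening it.

Added example for this post, not code from the original article. Given the URL a
scanner app displays, it automates the checks the post tells the reader to do by eye.
Decoding the QR image is out of scope (a scanner app or a library supplies the string).
The expected-domain allowlist, the shortener list and the sample URLs are constructed
for the example.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

EXPECTED = {"examplebank.com", "login.microsoftonline.com"}  # assumption: sites the user expects
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}       # hide the real destination
DANGEROUS_EXT = (".apk", ".exe", ".msi", ".scr", ".zip")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; spots typosquats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list is used,
    so two-level TLDs such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url: str, expected=EXPECTED) -> dict:
    """Return (severity, reason) findings and an ok/warn/block verdict for one URL."""
    findings = []
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https"):
        findings.append(("high", f"non-web scheme '{p.scheme}'"))
    elif p.scheme == "http":
        findings.append(("medium", "plain http"))
    if not host:
        findings.append(("high", "no host"))
    if "@" in p.netloc:
        findings.append(("high", "userinfo before '@' disguises the real host"))
    try:
        ip_address(host)
        findings.append(("high", "bare IP address instead of a domain name"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "punycode label (possible homoglyph domain)"))
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(("medium", "link shortener hides the destination"))
    expected_regs = {registrable_domain(e) for e in expected}
    if reg not in expected_regs:
        for good in expected_regs:
            brand = good.split(".")[0]
            if 0 < edit_distance(reg, good) <= 2:
                findings.append(("high", f"lookalike of {good}"))
            if brand in host:
                findings.append(("high", f"'{brand}' appears in host but registered domain is {reg}"))
    if p.path.lower().endswith(DANGEROUS_EXT):
        findings.append(("high", "points at an app/executable download"))
    if p.port not in (None, 80, 443):
        findings.append(("medium", f"unusual port {p.port}"))
    levels = {level for level, _ in findings}
    verdict = "block" if "high" in levels else "warn" if "medium" in levels else "ok"
    return {"url": url, "host": host, "findings": findings, "verdict": verdict}


# Constructed sample strings, as a scanner app would display them.
SAMPLES = [
    "https://examplebank.com/login",
    "https://examplebank.com.verify-account.example/login",
    "https://examp1ebank.com/login",
    "http://192.0.2.10/pay",
    "https://bit.ly/3xyz",
    "https://examplebank.com@evil.example/",
    "https://xn--exampebank-7ya.com/",
    "https://cdn.example/update.apk",
]


def inspect_all(urls=SAMPLES) -> dict:
    """Map each sample URL to its inspection result."""
    return {u: inspect_url(u) for u in urls}


if __name__ == "__main__":
    for u, r in inspect_all().items():
        print(f"{r['verdict']:5} {u}")
        for level, reason in r["findings"]:
            print(f"      [{level}] {reason}")
```

Only the first sample comes back “ok”; the shortener is a “warn” because the real destination is still unknown, and everything else is blocked. The registered-domain check is the one that matters most for quishing: “examplebank.com.verify-account.example” contains the bank’s name, but the part that determines who answers the request is “verify-account.example”.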

What to Do if You’re a Victim

If you think you may have fallen for a quishing scam, act quickly:

  • Cut off the connection: If you just scanned a suspicious QR code, immediately close the website or app it opened. Avoid clicking any buttons on that site.

  • Change your passwords: If you entered any login credentials (for email, banking, or other accounts), change those passwords right away, starting with the account you entered them on and any other account that used the same password. Pick strong, unique passwords. If the service offers it, also sign out of all other sessions, since the attacker may already be logged in with the stolen credentials.

  • Alert your bank or financial institutions: If you gave out any financial or personal information (like credit card or Social Security numbers), contact your bank or credit card company at once. They can monitor your accounts for fraud or freeze them if needed.

  • Scan for malware: Run a security scan on your device. If you downloaded something unwanted (an app or file) from the QR code, uninstall it and scan your phone for viruses or malware.

  • Check your accounts: Keep an eye on your bank statements, credit card activity, and credit reports for any strange charges or new accounts you didn’t open.

  • Report the scam: Tell the authorities. In the United States, you can report identity theft to the Federal Trade Commission at identitytheft.gov and other fraud at reportfraud.ftc.gov. The U.S. Postal Inspection Service asks that you email spam@uspis.gov if you see a suspicious QR code or suspect a quishing attempt in mail-related scams. Providing details about the scam helps authorities warn others and possibly catch the scammers.

  • Learn from it: Finally, make sure you and those around you are more aware. Explain the scam to friends or family so they don’t fall victim too. Prompt action can greatly reduce the damage if you’ve been targeted.

Final Thoughts

QR codes offer real convenience, but that convenience can be abused. Quishing is becoming more common as people grow accustomed to scanning codes in everyday life. The key takeaway is to stay cautious. Treat every unexpected QR code as you would a suspicious email link: stop and think before you scan. As IBM’s security team reminds us, “Don’t let added convenience lower your guard.” By following the guidelines above and remaining vigilant, you can enjoy the benefits of QR codes without becoming the next victim of quishing. In the war against cyber scams, awareness and common-sense habits are your best defenses.
