• QR phishing, also known as quishing, is a rising scam where attackers try to trick you into scanning fake QR codes
• Cybercriminals may target your personal data, login credentials, bank accounts, or try to infect your smartphone with malware
• These QR codes can be found everywhere, from parking lots to museums

You might be used to receiving scam emails or texts, but did you know that you can also get scammed through a QR code? This increasingly common form of scam is referred to as quishing – and it has recently been spreading rapidly again.

According to CNBC, 73% of Americans have scanned a QR code without verifying that the source link was safe, and NordVPN has discovered that 26 million have been directed to malicious websites as a result.

Meanwhile, in the UK, Action Fraud (the national reporting centre for fraud and cybercrime) recently revealed that £3.5 million had been lost to quishing scams in the year leading up to April 2025.

These scam QR codes are being used for anything from sending fake payment links to installing malware on your phone. Here’s everything you need to know about the latest quishing attacks and how to protect yourself from them.

What exactly is quishing?


Quishing is a form of phishing that is done entirely via a QR code. While it wasn’t as widespread just a few years ago, it skyrocketed during the pandemic, when QR codes became more than just a fun little quirk.

Over the last few years, QR codes have permeated the fabric of our daily lives. We see them everywhere, from TV commercials to restaurant menus or flyers. Unfortunately, QR codes are inherently opaque. It’s hard to verify how secure a link is at a glance, which makes these codes easy to tamper with.

The way it works is shockingly simple. Whether the scam QR code pops up in an email or elsewhere, it’s always accompanied by something that’ll get you to scan it. Payment prompts, medical forms, or product information are common targets. When you scan the code and click through, you’ll be taken to the next part of the scam, which is either a website or a script that installs malware on your phone.

Unfortunately, if the code has been tampered with, the target website is a scam. At best, it’ll steal however much you’re trying to pay for parking; at worst, it might compromise your phone or your banking login credentials.

Are QR codes in public places safe to use?


While QR codes found in restaurants or museums seem like a safe bet, that isn’t always the case – not anymore.

Unlike phishing emails, QR codes have a strong real-world impact. It’s all too simple for threat actors to tamper with legitimate codes found in public spaces. That said, the threat is much greater in open public spaces than in indoor ones.

For example, at a parking lot, scammers physically replace the sticker at the parking meter, directing people to a legitimate-looking website where they can pay their parking bill. The same can be done with posters or flyers found just about anywhere.

It’s important to remember that this isn’t niche, and it can happen to anyone. KeepNet Labs found that QR codes are an increasingly common medium for sending phishing links, with a whopping 26% of all malicious links being delivered that way.

How to stay safe

Image: an example of an email quishing scam, which will redirect unsuspecting victims to a fake Microsoft log-in page. (Image credit: Usecure)

Quishing, much like all other forms of scams, relies on creating a sense of urgency. Whether it’s an exciting offer or a serious-looking payment reminder, quishing scammers want you to scan the code and proceed without asking questions. That’s why the best way to stay safe is to be vigilant and take your time.

Let’s say that you received a QR code embedded in an email that tells you to secure your account, enable multi-factor authentication, or get a discount code. Don’t trust it right away – it could be a scam. Even a legitimate-looking email address might not mean that you’re in the clear, as scammers can hijack accounts to send out those QR codes.

To stay safe, don’t take any unexpected email at face value. If a service tells you that your account has been compromised, don’t scan any codes in that email. Instead, go to the website or app directly and change your login credentials there, without interacting with the content of the email.

When faced with QR codes in places where they might have been tampered with, it’s better to take your time rather than scan the code quickly. At a parking lot, don’t scan the code – go directly to the address. Only QR codes that are physically impossible for scammers to replace are safe.

If you do scan a QR code, make sure to never provide any personal information or login credentials. It’s always better to err on the side of caution. Before you follow the link to any website, look at it carefully and compare it to what you know as the real deal.
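The link comparison described above can also be done mechanically. The following is an added example, not part of the original article: a Python sketch that compares the URL decoded from a QR code with the site you expected and names each mismatch, going a little beyond eyeballing the link. The function name, the sample URLs and the expected host `example.org` are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

def check_qr_url(url, expected_host):
    """Return the reasons a decoded QR link does not match the expected site.

    An empty list means the scheme and host are what was expected.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_host.rstrip(".").lower()

    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'missing'}', not https")
    if parts.username is not None:
        # The browser connects to the host after '@', not the name before it.
        findings.append("text before '@' is not the destination host")
    if not host:
        findings.append("no host in link")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host contains punycode (possible lookalike characters)")
    # Match the registered name exactly or as a parent domain, never as a prefix.
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host '{host}' is not '{expected}' or a subdomain of it")
    return findings

# Constructed sample links, as if decoded from QR codes on a parking meter.
SAMPLES = [
    "https://pay.example.org/meter/42",
    "https://pay.example.org.parking-bills.test/meter/42",
    "http://203.0.113.7/pay",
    "https://pay.example.org@login.test/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        problems = check_qr_url(link, "example.org")
        print(link, "->", "OK" if not problems else "; ".join(problems))
```

A clean result only means the link points at the expected host; it says nothing about whether that host itself is trustworthy.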

QR codes certainly make our lives easier, but unfortunately, the more widespread they are, the likelier they are to be targeted by scammers. It’s never a bad idea to invest in one of the best Android antivirus apps to protect your phone from hackers.
