How attackers exploit QR codes to steal credentials and money — and how consumers and businesses can protect themselves.
Definition
Quishing (QR + phishing) is a cyberattack that uses QR codes to direct victims to malicious websites. Unlike traditional phishing — where a suspicious link is visible in an email — QR codes hide the destination URL, making the attack harder to spot before scanning.
Attackers use quishing because: QR codes bypass most email security filters (they appear as images, not links), most users can't see the URL before scanning, and mainstream QR adoption means victims are habituated to scanning without scrutiny.
The FBI's IC3 warned that "cybercriminals are tampering with both digital and physical QR codes to replace legitimate codes with malicious codes" — specifically targeting parking meters, cryptocurrency ATMs, and restaurant payment kiosks. Victims were directed to phishing sites designed to steal financial credentials.
Attackers encode a URL pointing to a phishing site — often a near-perfect replica of a bank, government portal, parking payment system, or restaurant ordering page.
Common methods: a printed sticker placed over a legitimate QR code (restaurant menus, parking meters), a malicious code emailed as a document that bypasses email filters, or fake QR codes in phishing emails posing as package delivery or invoice notifications.
The phone camera shows the URL briefly — but most users tap without reading. Mobile browsers also show shorter URL previews than desktop, making domain spoofing easier to miss (e.g., "paypa1.com" instead of "paypal.com").
The phishing site looks legitimate. Victims enter login credentials, payment card numbers, or personal data. Some sophisticated attacks also attempt to install malware via browser exploits.
Unlike a scam phone call, the victim receives a normal-looking "error" or redirect. The theft happens silently. Detection often occurs only when the financial fraud or account takeover appears later.
Fake QR stickers over legitimate parking payment codes. Victims pay "parking fees" to attacker-controlled crypto wallets or fake payment pages.
Emails posing as HR, IT, or package delivery include QR codes instead of links — bypassing corporate email filters that scan URLs but not image content.
An attacker places a QR code sticker over a restaurant's legitimate menu QR code. The victim scans it and reaches a fake "order here" page that collects payment details.
Fraudsters place QR codes near legitimate cryptocurrency ATMs directing victims to wallets the attacker controls.
SMS or email claims a package needs action. QR code leads to a credential-harvesting page mimicking FedEx, UPS, or USPS.
Fake QR codes in waiting rooms posing as patient check-in portals — capturing insurance information, Social Security numbers, and personal data.
QRTRAC's Security Approach
All your QR codes route through your verified domain. Customers learn to recognize your URL — making spoofed codes immediately suspicious.
If a code is compromised, disable it in one click. The physical code becomes inert without any reprinting.
Unusual scan patterns (location, volume, timing) surface immediately in your QRTRAC dashboard — a first signal of potential tampering.
Scan data is handled in compliance with global privacy regulations — no personal data is collected without consent.
Answers to the most important questions about QR code phishing and how to stay protected.
Quishing (QR code phishing) is a cyberattack in which criminals embed malicious URLs in QR codes to direct victims to phishing sites designed to steal credentials or financial information, or to install malware. The term blends 'QR' and 'phishing'. It has grown significantly since 2022 as QR code scanning became mainstream and attackers exploited the fact that most people can't preview a QR URL before scanning.
Traditional email phishing links are visible as text — trained users can hover to see the URL before clicking. QR codes are opaque: you can't see the encoded URL without scanning. Most phone cameras show the URL briefly after scanning but before the user taps to open — this is the only preview window. Additionally, QR codes bypass many email security filters because they appear as images, not links.
Before scanning: check the physical code hasn't been covered by a sticker (a common attack vector in restaurants and parking meters). After scanning: read the URL preview carefully before tapping — look for misspellings, unfamiliar domains, or HTTP (not HTTPS). Use a QR scanner app with URL preview (not just your camera app) if you're scanning unknown codes. In public: be suspicious of QR codes in unexpected locations.
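As an added example (not code from the page or from QRTRAC), the checks listed above applied to a URL decoded from a QR code: scheme, trusted-domain match, digit-for-letter look-alikes such as paypa1.com, and a trusted name buried inside an untrusted host. The allowlist, the confusable map and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user (or business) actually trusts.
TRUSTED_DOMAINS = {"paypal.com", "qrtrac.com"}

# Digits attackers swap in for look-alike letters (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t"})


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.paypal.com' -> 'paypal.com'.
    Simplified: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_qr_url(url: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Vet a URL decoded from a QR code before opening it.
    Returns {'verdict': 'ok'|'suspicious', 'domain': ..., 'reasons': [...]}."""
    reasons = []
    raw = url.strip()
    if "://" not in raw:
        reasons.append("no URL scheme (bare host)")
        raw = "//" + raw  # lets urlsplit still parse the host part
    parts = urlsplit(raw)
    if "://" in url and parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme}, not https")
    host = parts.hostname or ""
    if not host:
        reasons.append("no hostname in URL")
        return {"verdict": "suspicious", "domain": "", "reasons": reasons}
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalized (punycode) hostname")
    domain = registered_domain(host)
    if domain not in trusted:
        # Undo common substitutions ('rn' for 'm', digits for letters) and re-check.
        normalized = domain.replace("rn", "m").translate(CONFUSABLES)
        if normalized in trusted:
            reasons.append(f"{domain} looks like {normalized} (look-alike characters)")
        elif any(t in host for t in trusted):
            # e.g. paypal.com.evil.example: the trusted name is only a subdomain label
            reasons.append(f"trusted name appears inside untrusted host {host}")
        else:
            reasons.append(f"{domain} is not a trusted domain")
    verdict = "ok" if not reasons else "suspicious"
    return {"verdict": verdict, "domain": domain, "reasons": reasons}
```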
Yes. The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement in January 2022 warning consumers about cybercriminals tampering with QR codes at physical locations. The alert specifically warned about tampered parking meters, cryptocurrency kiosks, and restaurant payment QR codes being replaced with malicious alternatives.
Use a QR management platform (like QRTRAC) so all your codes redirect through your verified domain — if a scammer replaces your QR code with a malicious one, the new code will redirect to a different domain, making it obvious something is wrong. Monitor scan analytics: a sudden spike or location anomaly in scan data can indicate a hijacked code. Use custom-branded QR codes so customers recognize legitimate codes from your business.
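As an added example (not QRTRAC's code), the kind of volume and location check that the scan-analytics signal described above could be built on, run over a constructed scan log for one QR code. The function name, thresholds and log format are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed scan events for one QR code: (UTC timestamp, country of the scanning device).
# Days 1-3 are a calm baseline; on day 4 the code is scanned in a burst from a country
# never seen before, the spike-plus-location anomaly the text describes as a hijack signal.
SCAN_LOG = (
    [(f"2024-05-0{d}T{h:02d}:00:00", "US") for d in (1, 2, 3) for h in (9, 12, 18)]
    + [(f"2024-05-04T13:{m:02d}:00", "BR") for m in range(0, 60, 3)]
)


def scan_anomalies(events, baseline_days=3, spike_factor=5.0, min_scans=10):
    """Flag hours whose scan count dwarfs the per-hour baseline, and countries
    not seen during the baseline window. Returns a list of (kind, detail)."""
    parsed = sorted((datetime.fromisoformat(ts), cc) for ts, cc in events)
    if not parsed:
        return []
    cutoff = parsed[0][0] + timedelta(days=baseline_days)
    baseline = [e for e in parsed if e[0] < cutoff]
    recent = [e for e in parsed if e[0] >= cutoff]
    per_hour = len(baseline) / max(1, baseline_days * 24)
    known_countries = {cc for _, cc in baseline}
    findings = []
    # Volume: bucket recent scans by hour and compare against the baseline rate.
    by_hour = Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _ in recent)
    for hour, n in sorted(by_hour.items()):
        if n >= min_scans and n > spike_factor * per_hour:
            findings.append(("volume_spike",
                             f"{n} scans at {hour:%Y-%m-%d %H:00} vs baseline {per_hour:.2f}/h"))
    # Location: any country absent from the baseline is worth a look.
    for cc in sorted({cc for _, cc in recent} - known_countries):
        findings.append(("new_location", f"scans from {cc}, not seen in baseline"))
    return findings
```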
No. A QR code itself cannot contain executable code or malware. QR codes encode data (typically a URL) — the danger is the URL they point to, which can lead to phishing sites or sites that attempt to exploit browser vulnerabilities. Keep your device's OS and browser updated to protect against drive-by download attempts that can occur after scanning a malicious URL.
Transparent pricing with no hidden fees. Choose a flexible QR Code plan that scales with your business needs. Start small with our $5 Kickoff plan and upgrade as you grow.
Scale your organization with white-label solutions, SSO, and custom data residency.
$250 / month
Everything you need to manage multiple brands or clients with full white-label control.
$5,000+ / year
Global data residency, SSO, and white-glove onboarding for large organizations.
Everything you need to know about our 6 specialized plans.
| Compare Plans | Kickoff (individuals with limited needs) | Startup (freelancers & creators going fully branded) | Business Plus (most popular; growing businesses wanting more power) | Legendary (businesses with high-volume usage) | Agency (agencies managing multiple clients) | Enterprise Plus (large organizations with custom needs) |
|---|---|---|---|---|---|---|
| Monthly price | $5 /month | $15 /month | $49 /month | $99 /month | $250 /month | Custom |
| Annual price | $49 /year ($60 if paid monthly; save 18%) | $100 /year ($180 if paid monthly; save 44%) | $400 /year ($588 if paid monthly; save 32%) | $899 /year ($1188 if paid monthly; save 24%) | $2500 /year ($3000 if paid monthly; save 17%) | Custom |
| Total capacity of editable QR codes (a total credit limit, not a monthly quota) | Up to 5 | Up to 25 | Up to 250 | Up to 500 | Custom | Custom |
| Total capacity of permanent, hosted codes (a total credit limit, not a monthly quota) | Up to 25 | Up to 125 | Up to 1,250 | Up to 2,500 | Custom | Custom |
| Tracking and scanning for all your QR codes | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Tracking and clicks for all your short links and branded URLs | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Use your own brand domain for links and QR codes | Add-on | Add-on | 1 included | 1 included | Custom | Custom |
| Hosted site built outside QRTRAC, using QRTRAC for hosting, CDN, and SSL | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on |
| Individual logins for team members with specific permissions | 1 | 1 | 3 | Up to 10 | Custom | Custom |
| Isolated workspaces for multi-client or multi-brand management | 1 | 1 | 2 | 3 | Custom | Custom |
| Add extra custom domains to your account anytime | | | | | | Custom |
| Add extra team members to your workspace anytime | | | | | | Custom |
| Extra hosted site (built outside QRTRAC, using QRTRAC for hosting, CDN, and SSL) | | | | | | Custom |
| Add extra team workspaces to manage multiple brands or clients | | | | | | Custom |
| Add extra dynamic QR code credits beyond the included quota | | | | | | Custom |
| Migration of printed codes from other providers to QRTRAC (one-time fee per QR code; requires your existing codes to use a custom domain short URL) | | | $3 one-time/QR, min 100 QR codes | $3 one-time/QR, min 100 QR codes | Included free | Included free |
| Bulk creation of QR codes from CSV or Excel uploads | | | Up to 50 | Up to 500 | Custom | Custom |
| Start and end dates to automatically activate or expire content | | | | | | |
| Download in print-ready formats (SVG, EPS, PDF, PNG, JPG) | | | | | | |
| AI-generated artistic, brand-aligned QR code designs | | | | | | |
| Codes optimized for readability from any angle (360-degree) | | | | | | |
| Optimized server-side redirects for zero-latency user experience | | | | | | |
| Global edge network so links load instantly anywhere in the world | | | | | | |
| Remove 'Powered by QRTRAC' from landing pages and short links | | | | | | |
| Automatic SSL encryption for your custom domains | Supported | Supported | 1 included | 1 included | Custom | Custom |
| Fully branded short links using your custom domain | Supported | Supported | | | | |
| Customize the text at the end of your links | | | | | | |
| Real-time scan monitoring with live updates | | | | | | |
| Scans over time, peak hours, and trends | | | | | | |
| Global audience location insights | | | | | | |
| Coordinate-level scan data (with user consent) | | | | | | |
| Device hardware and software analytics | | | | | | |
| Visitor language analytics | | | | | | |
| UTM parameter generation for marketing attribution | | | | | | |
| Native sync of scan events into your GA4 properties | | | | | | |
| Share results via protected or public links | | | | | | |
| Summary views of performance by group or campaign | | | | | | |
| Filter analytics by timeframe and comparison period | | | | | | |
| View data in your business's time zone | | | | | | |
| Export raw data for offline analysis and custom reporting | | | | | | |
| Custom tags for filtering and reporting | | | | | Custom | Custom |
| Dedicated exports for traffic and referral sources | | | | | Custom | Custom |
| Your brand logo on exported PDF and dashboard reports | | | | | Custom | Custom |
| Role-based permissions (Viewer, Editor, Admin) for team members | | | | | | |
| Centralized dashboard for team-wide collaboration | | | | | | |
| Securely move QR codes and campaigns between users or accounts | | | | | | |
| Customizable mobile landing page hosting multiple links, social icons, and more | | | | | | |
| Contact forms on QR landing pages to capture user information | | | | | | |
| Video streaming from a branded landing page after a scan | | | | | | |
| Attribution of each lead form fill to the QR code or campaign that generated it | | | | | | |
| Split traffic between URLs to test which version performs better | | | | | | |
| Birthdate verification screen gating sensitive content | | | | | | |
| Content shown automatically by browser language or location redirection | | | | | | |
| Adherence to global data protection and privacy standards | | | | | | |
| Single sign-on with your company credentials (SAML/Okta) | | | | | | |
| Data residency choice (US, EU, etc.) to meet regulatory needs | | | | | | |
| Technical support | Standard | Standard | Priority | Priority | Priority | Dedicated |
Run QR codes your customers can trust
Custom domain, instant deactivation, anomaly analytics. Free 7-day trial.