How attackers exploit QR codes to steal credentials and money — and how consumers and businesses can protect themselves.
Definition
Quishing (QR + phishing) is a cyberattack that uses QR codes to direct victims to malicious websites. Unlike traditional phishing — where a suspicious link is visible in an email — QR codes hide the destination URL, making the attack harder to spot before scanning.
Attackers use quishing because: QR codes bypass most email security filters (they appear as images, not links), most users can't see the URL before scanning, and mainstream QR adoption means victims are habituated to scanning without scrutiny.
The FBI's IC3 warned that "cybercriminals are tampering with both digital and physical QR codes to replace legitimate codes with malicious codes" — specifically targeting parking meters, cryptocurrency ATMs, and restaurant payment kiosks. Victims were directed to phishing sites designed to steal financial credentials.
Attackers encode a URL pointing to a phishing site — often a near-perfect replica of a bank, government portal, parking payment system, or restaurant ordering page.
Common methods: a printed sticker placed over a legitimate QR code (restaurant menus, parking meters), a malicious code emailed as a document that bypasses email filters, or fake QR codes in phishing emails posing as package delivery or invoice notifications.
The phone camera shows the URL briefly — but most users tap without reading. Mobile browsers also show shorter URL previews than desktop, making domain spoofing easier to miss (e.g., "paypa1.com" instead of "paypal.com").
The phishing site looks legitimate. Victims enter login credentials, payment card numbers, or personal data. Some sophisticated attacks also attempt to install malware via browser exploits.
Unlike a scam phone call, there is no live interaction: the victim sees a normal-looking "error" page or redirect. The theft happens silently, and detection often occurs only when the financial fraud or account takeover appears later.
Fake QR stickers over legitimate parking payment codes. Victims pay "parking fees" to attacker-controlled crypto wallets or fake payment pages.
Emails posing as HR, IT, or package delivery include QR codes instead of links — bypassing corporate email filters that scan URLs but not image content.
An attacker places a QR code sticker over a restaurant's legitimate menu QR. The victim scans it and reaches a fake "order here" page that collects payment details.
Fraudsters place QR codes near legitimate cryptocurrency ATMs directing victims to wallets the attacker controls.
SMS or email claims a package needs action. QR code leads to a credential-harvesting page mimicking FedEx, UPS, or USPS.
Fake QR codes in waiting rooms posing as patient check-in portals — capturing insurance information, Social Security numbers, and personal data.
QRTRAC's Security Approach
All your QR codes route through your verified domain. Customers learn to recognize your URL — making spoofed codes immediately suspicious.
If a code is compromised, disable it in one click. The physical code becomes inert without any reprinting.
Unusual scan patterns (location, volume, timing) surface immediately in your QRTRAC dashboard — a first signal of potential tampering.
Scan data is handled in compliance with global privacy regulations — no personal data is collected without consent.
Answers to the most important questions about QR code phishing and how to stay protected.
Quishing (QR code phishing) is a cyberattack where criminals embed malicious URLs in QR codes to direct victims to phishing sites designed to steal credentials or financial information, or to install malware. The term blends 'QR' and 'phishing'. It has grown significantly since 2022 as QR code scanning became mainstream and attackers exploited the fact that most people can't preview a QR URL before scanning.
Traditional email phishing links are visible as text — trained users can hover to see the URL before clicking. QR codes are opaque: you can't see the encoded URL without scanning. Most phone cameras show the URL briefly after scanning but before the user taps to open — this is the only preview window. Additionally, QR codes bypass many email security filters because they appear as images, not links.
Before scanning: check the physical code hasn't been covered by a sticker (a common attack vector in restaurants and parking meters). After scanning: read the URL preview carefully before tapping — look for misspellings, unfamiliar domains, or HTTP (not HTTPS). Use a QR scanner app with URL preview (not just your camera app) if you're scanning unknown codes. In public: be suspicious of QR codes in unexpected locations.
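The post-scan checks described above (read the URL, look for misspellings such as "paypa1.com", unfamiliar domains, and plain HTTP) can be automated in a scanner or a help-desk triage script. The following is an added example, not code from this page or from QRTRAC: it takes the URL decoded from a QR code and returns the red flags a careful user would look for. The allowlist of expected domains and the digit-to-letter confusable table are constructed for illustration and would be replaced with the domains a given business or user actually expects.

```python
"""Added example (not QRTRAC's code): inspect the URL decoded from a QR code
before opening it. Checks: HTTPS scheme, registrable domain on an allowlist,
digit-for-letter lookalikes (paypa1.com), a known brand used as a subdomain
of some other domain, and credentials smuggled in before an '@'."""
from typing import List, Set
from urllib.parse import urlsplit

# Constructed allowlist of domains the user expects to land on (hypothetical).
EXPECTED_DOMAINS: Set[str] = {"paypal.com", "city-parking.example", "restaurant.example"}

# Digits commonly substituted for the letters they resemble in spoofed hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host (sufficient for this small allowlist)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_qr_url(url: str, expected: Set[str] = EXPECTED_DOMAINS) -> List[str]:
    """Return a list of warnings; an empty list means no red flag was found."""
    warnings: List[str] = []
    parts = urlsplit(url.strip())

    # Plain HTTP is a red flag for any page that will ask for credentials or payment.
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme={parts.scheme or 'none'})")

    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    domain = registrable_domain(host)
    if domain not in expected:
        warnings.append(f"unexpected domain: {domain}")
        # Map digits back to the letters they imitate and re-check: paypa1.com -> paypal.com.
        normalised = domain.translate(CONFUSABLES)
        if normalised in expected:
            warnings.append(f"lookalike of {normalised}")

    # A trusted brand appearing as a subdomain of an unrelated domain is a classic spoof.
    for brand in expected:
        if brand in host and domain != brand:
            warnings.append(f"{brand} appears as subdomain of {domain}")

    # https://paypal.com@evil.example/ renders "paypal.com" first but connects to evil.example.
    if parts.username or parts.password:
        warnings.append("credentials embedded before @ in URL")

    return warnings


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "http://paypa1.com/login",
                   "https://paypal.com.verify-login.example/",
                   "https://paypal.com@evil.example/"):
        print(sample, "->", inspect_qr_url(sample) or "no red flags")
```

The lookalike check is deliberately narrow (digit substitutions only); a production version would also consider Unicode homoglyphs and use a public-suffix list rather than "last two labels" to find the registrable domain.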
Yes. The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement in January 2022 warning consumers about cybercriminals tampering with QR codes at physical locations. The alert specifically warned about tampered parking meters, cryptocurrency kiosks, and restaurant payment QR codes being replaced with malicious alternatives.
Use a QR management platform (like QRTRAC) so all your codes redirect through your verified domain — if a scammer replaces your QR code with a malicious one, the new code will redirect to a different domain, making it obvious something is wrong. Monitor scan analytics: a sudden spike or location anomaly in scan data can indicate a hijacked code. Use custom-branded QR codes so customers recognize legitimate codes from your business.
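The three controls described above and in the Security Approach section (codes that route through a verified domain, one-click deactivation without reprinting, and scan analytics that surface volume or location anomalies) can be modelled in a few dozen lines. The following is an added example, not QRTRAC's code or a description of its implementation: a minimal redirect service in which every printed QR code encodes a short URL on the business's own domain, the destination is looked up at scan time, and each scan is logged so that a burst or foreign-location pattern can be flagged. The domain names, code id and scan records are constructed for the demonstration.

```python
"""Added example (not QRTRAC's code): a minimal managed QR redirect service
with a verified domain, a kill switch, and scan-anomaly detection."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

VERIFIED_DOMAIN = "go.restaurant.example"   # hypothetical business-owned domain


class QRRedirectService:
    def __init__(self, domain: str):
        self.domain = domain
        self.codes: Dict[str, dict] = {}     # code id -> {destination, active}
        self.scans: List[dict] = []          # one record per scan

    def create(self, code_id: str, destination: str) -> str:
        """Register a destination and return the URL to print in the QR code.
        The printed URL is always on the verified domain; a replacement sticker
        pointing anywhere else is immediately recognisable as foreign."""
        self.codes[code_id] = {"destination": destination, "active": True}
        return f"https://{self.domain}/q/{code_id}"

    def deactivate(self, code_id: str) -> None:
        """Kill switch: the printed code stays where it is but now resolves to nothing."""
        self.codes[code_id]["active"] = False

    def resolve(self, code_id: str, when: datetime, country: str) -> Optional[str]:
        """Look up the destination at scan time and log the scan (also for inactive codes)."""
        self.scans.append({"code": code_id, "when": when, "country": country})
        entry = self.codes.get(code_id)
        if entry is None or not entry["active"]:
            return None
        return entry["destination"]

    def anomalies(self, code_id: str, window: timedelta,
                  max_per_window: int, home_country: str) -> List[str]:
        """Flag a scan-volume spike in any sliding window and scans from outside the home country."""
        findings: List[str] = []
        times = sorted(s["when"] for s in self.scans if s["code"] == code_id)
        j = 0   # j only moves forward because `times` is sorted
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i > max_per_window:
                findings.append(f"spike: {j - i} scans within {window} from {start.isoformat()}")
                break
        foreign = Counter(s["country"] for s in self.scans
                          if s["code"] == code_id and s["country"] != home_country)
        for country, n in sorted(foreign.items()):
            findings.append(f"{n} scan(s) from {country}, expected {home_country}")
        return findings


def demo() -> dict:
    """Constructed scenario: normal lunch traffic, then a burst typical of a hijacked code."""
    svc = QRRedirectService(VERIFIED_DOMAIN)
    printed = svc.create("menu-7", "https://restaurant.example/menu")
    t0 = datetime(2024, 5, 1, 12, 0)
    for k in range(6):                       # one domestic scan every 15 minutes
        svc.resolve("menu-7", t0 + timedelta(minutes=15 * k), "US")
    for k in range(25):                      # 25 scans in four minutes, every fifth from abroad
        svc.resolve("menu-7", t0 + timedelta(hours=3, seconds=10 * k), "US" if k % 5 else "NL")
    findings = svc.anomalies("menu-7", timedelta(minutes=10), max_per_window=10, home_country="US")
    before = svc.resolve("menu-7", t0 + timedelta(hours=4), "US")
    svc.deactivate("menu-7")                 # operator reacts to the alert
    after = svc.resolve("menu-7", t0 + timedelta(hours=4, minutes=1), "US")
    return {"printed_url": printed, "findings": findings, "before": before, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thresholds (10 scans per 10 minutes, a single home country) are placeholders; in practice they are tuned per code from its own baseline, and a spike on a code that should see a handful of scans a day is the signal to deactivate it and inspect the physical placement.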
No. A QR code itself cannot contain executable code or malware. QR codes encode data (typically a URL) — the danger is the URL they point to, which can lead to phishing sites or sites that attempt to exploit browser vulnerabilities. Keep your device's OS and browser updated to protect against drive-by download attempts that can occur after scanning a malicious URL.
Run QR codes your customers can trust
Custom domain, instant deactivation, anomaly analytics. Free 7-day trial.