Security 28 Dec 2025 15 min read

QR Code Security: How to Spot Malicious QR Codes

LinkScan Team

QR codes are everywhere. Restaurants, parking meters, advertisements, product packaging. Their convenience has made them ubiquitous, but that same convenience has attracted criminals. A form of phishing called "quishing" is on the rise, and knowing how to spot malicious QR codes could save you from identity theft, financial loss, or malware infection.

What is Quishing?

Quishing (QR phishing) is a social engineering attack where criminals replace legitimate QR codes with malicious ones, or create fake QR codes that appear official. When scanned, these codes direct victims to phishing websites designed to steal credentials, install malware, or harvest personal information.

Unlike traditional phishing emails, QR codes bypass many security measures. You cannot hover over a QR code to preview the URL. Email filters cannot scan printed codes. And the sense of trust we place in physical signage makes us less cautious than we would be with an unexpected email.

The term "quishing" emerged in cybersecurity circles around 2022 as attacks increased following the pandemic-driven surge in QR code adoption. What was once a niche attack vector became mainstream as billions of people became comfortable scanning codes for menus, payments, and check-ins.

The Scale of the Problem

QR code scams are not theoretical risks. They are happening at scale:

  • FBI Public Service Announcement (2022): The FBI's Internet Crime Complaint Center (IC3) issued a warning about criminals tampering with QR codes to redirect victims to malicious sites and steal financial information.
  • Parking Meter Scams (2022): Police in Austin, San Antonio, and Houston discovered fraudulent QR code stickers on parking meters directing payments to criminal accounts rather than city payment systems.
  • FTC Warnings (2023): The Federal Trade Commission issued consumer alerts about QR code scams appearing in fake package delivery notices, utility bills, and cryptocurrency investments.
  • Email Quishing Surge: Security researchers reported a 587% increase in QR code phishing attacks in email between 2022 and 2023, as attackers discovered that QR codes in emails bypass many URL scanning tools.

These are not isolated incidents. As QR codes become standard infrastructure for payments, authentication, and information sharing, they become increasingly attractive targets.

Key Statistic

According to HP Wolf Security research, QR code scans from mobile devices increased by 323% between 2021 and 2023. More scans means more opportunities for criminals.

Common Attack Vectors

Criminals are creative, but most quishing attacks follow predictable patterns:

Physical Tampering

  • Sticker overlays: A malicious QR code sticker placed over a legitimate code on parking meters, restaurant menus, or public signage. The original code still exists underneath, but victims scan the fake one on top.
  • Poster replacements: Entire posters or signs replaced with identical-looking versions containing malicious codes.
  • Vandalism with purpose: Legitimate codes scratched or damaged, with a "replacement" code added nearby.

Digital and Print Fraud

  • Fake payment portals: QR codes in emails or letters claiming to be from banks, utility companies, or government agencies. They lead to convincing login pages that steal your credentials.
  • Package delivery scams: Fake "missed delivery" notices with QR codes leading to phishing sites that request payment for redelivery.
  • Fake invoices: Printed invoices with QR codes for "easy payment" that redirect funds to criminal accounts.
  • Event ticket scams: Fake tickets with QR codes sold for concerts, sports events, or flights that do not work at the venue.

Network and Technical Attacks

  • Malicious Wi-Fi networks: QR codes that auto-connect your device to a rogue Wi-Fi network controlled by attackers, enabling man-in-the-middle attacks.
  • Cryptocurrency scams: Fake QR codes at Bitcoin ATMs or in investment materials that redirect payments to criminal wallets.
  • App download redirects: Codes promising legitimate apps that instead direct to malware-laden APK downloads outside official app stores.

How QR Phishing Works

Understanding the technical flow of a quishing attack helps you recognise the warning signs:

Stage 1: The Bait

Attackers create a QR code pointing to a domain they control. This might be a lookalike domain (arnazon.com instead of amazon.com), a subdomain trick (paypal.secure-login.attacker.com), or a URL shortener that masks the final destination.

Stage 2: Distribution

The malicious code is distributed through physical placement (stickers, replaced signs), digital channels (emails with embedded QR images, fake text messages), or print materials (fraudulent letters, fake invoices).

Stage 3: The Hook

When scanned, the QR code opens a page designed to appear legitimate. This might be a login page, payment form, or download prompt. The page is crafted to match the branding of the organisation being impersonated.

Stage 4: Data Capture

Victims who enter credentials, payment details, or personal information have that data captured by the attacker. Some attacks also attempt drive-by downloads or exploit browser vulnerabilities.

Suspicious URL patterns at a glance:

Pattern                        Example                       Risk
Misspelled domain              arnazon.com, paypa1.com       High
Subdomain trick                paypal.secure.attacker.com    High
URL shortener                  bit.ly/xyz123                 Medium
Suspicious TLD                 bank-login.xyz                High
IP address instead of domain   192.168.1.1/login             High
Legitimate short URL           linkscan.org/s/abc123         Low

How to Spot a Malicious QR Code

Before scanning any QR code, take a moment to assess the situation:

1. Check for Physical Tampering

Look closely at the QR code. Is it a sticker placed over another code? Are the edges peeling? Does it look like it was added after the original signage was printed? Legitimate businesses print QR codes directly onto materials; they do not stick them on afterwards.

Run your finger over the code. If you can feel raised edges or a different texture, it may be a sticker overlay. Look at the surrounding material. Does the code match the print quality? A high-quality printed menu with a low-quality sticker code is suspicious.

2. Preview the URL Before Opening

Most modern phone cameras show a URL preview when you point at a QR code. Read it carefully before tapping. Look for:

  • Misspellings (e.g., "arnazon.com" instead of "amazon.com")
  • Suspicious domains (e.g., "secure-bank-login.xyz")
  • Unnecessary subdomains (e.g., "paypal.secure-verify.com")
  • URL shorteners that hide the final destination
  • IP addresses instead of domain names
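To make the patterns in the table above and in this checklist concrete, here is a small triage routine, added here as an example and not part of LinkScan's software, that applies those heuristics to a decoded QR payload. The brand, shortener and TLD lists are constructed samples, and the routine approximates the owner's domain without a public-suffix list.

```python
"""Heuristic triage of a decoded QR payload against the URL patterns in the table
above. Added example for this article, not LinkScan's software; the brand,
shortener and TLD lists are constructed samples to extend per deployment."""
import ipaddress
from urllib.parse import urlsplit

BRANDS = {"amazon", "paypal"}                   # constructed: brands your users expect
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed sample list
SUSPICIOUS_TLDS = {"xyz", "top", "zip"}         # constructed sample list
# Character swaps seen in lookalike names, mapped back to the letters they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalise(label: str) -> str:
    """Undo confusable swaps so 'arnazon' -> 'amazon' and 'paypa1' -> 'paypal'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def split_host(host: str) -> tuple[str, list[str]]:
    """Approximate the owner's label as the second-to-last one and return it with the
    subdomain labels. No public-suffix list is used here, so 'amazon.co.uk' would be
    misread as owner 'co' with 'amazon' as a subdomain; a real deployment needs one."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[:-2]) if len(labels) >= 2 else (labels[0], [])


def triage(payload: str) -> tuple[str, str]:
    """Return (risk, reason) for one decoded QR payload, mirroring the table's levels."""
    parts = urlsplit(payload.strip())
    if not parts.scheme:                     # bare 'bit.ly/xyz123' style payloads
        parts = urlsplit("http://" + payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # WIFI:, mailto:, geo: and similar payloads act on the device, not a browser.
        return "High", "not a web URL; check what it would open before proceeding"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        return "High", "IP address instead of a domain name"
    except ValueError:
        pass
    if host in SHORTENERS:
        return "Medium", "URL shortener hides the final destination"
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        return "High", "suspicious top-level domain"
    owner, subs = split_host(host)
    if owner not in BRANDS and normalise(owner) in BRANDS:
        return "High", f"lookalike of {normalise(owner)}"
    if owner not in BRANDS and any(normalise(s) in BRANDS for s in subs):
        return "High", "brand name used as a subdomain of an unrelated domain"
    return "Low", "no known pattern matched; still confirm the domain is the one you expect"
```

A "Low" result only means none of the listed patterns fired; the domain still has to be the one you expected for the context.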

3. Consider the Context

Ask yourself: does this QR code make sense here? A code on a restaurant menu linking to their website is normal. A code on a lamp post promising free cryptocurrency is not. A handwritten sign with a QR code for a "prize" is almost certainly a scam.

Be especially wary of urgency. Messages like "Scan immediately to avoid account suspension" or "Last chance to claim your prize" are manipulation tactics.

4. Verify Through Other Channels

If a QR code claims to be from your bank, do not scan it. Instead, open your banking app directly or type the URL manually. Never log in to sensitive accounts through a scanned QR code. The few seconds saved are not worth the risk.

5. Check the Landing Page

If you do scan a code, examine the website before entering any information:

  • Check for HTTPS (the padlock icon in the address bar), bearing in mind that the padlock only shows the connection is encrypted; phishing sites routinely use HTTPS too, so its absence is a red flag but its presence does not confirm the site is legitimate
  • Verify the domain matches what you expected
  • Look for poor grammar, low-quality images, or broken layouts
  • Be wary of pages that immediately ask for login credentials or payment details
  • Check if the page looks exactly like the real site. Attackers often miss small details

Quick Safety Checklist

  • Preview the URL before opening. Read it carefully for misspellings or suspicious domains.
  • Check for stickers, peeling edges, or signs of physical tampering.
  • Verify the domain matches the expected organisation before entering any data.
  • Look for HTTPS and the padlock icon on any page requesting information.
  • Trust your instincts. If something feels wrong, do not proceed.
  • Never enter passwords or payment details through a scanned QR code.

Mobile Security Settings

Both iOS and Android have built-in protections, but knowing how to configure them helps:

iOS (iPhone/iPad)

  • Use the Camera app: It shows URL previews by default. Do not tap until you have read the URL.
  • Enable Fraudulent Website Warning: Settings → Safari → Fraudulent Website Warning (on by default).
  • Check Safari settings: Settings → Safari → ensure "Prevent Cross-Site Tracking" is enabled.
  • Keep iOS updated: Apple patches security vulnerabilities regularly.

Android

  • Use Google Lens or Camera: Most Android cameras show URL previews. Check your camera settings.
  • Enable Google Play Protect: Play Store → Profile → Play Protect → Settings → Scan apps with Play Protect.
  • Enable Safe Browsing: Chrome → Settings → Privacy and Security → Safe Browsing → Enhanced protection.
  • Disable unknown sources: Settings → Security → ensure "Install unknown apps" is disabled for browsers.

Scanner App Considerations

While your phone's built-in camera is generally the safest option, if you use a third-party QR scanner app:

  • Choose apps from reputable developers with many downloads and positive reviews
  • Ensure the app shows URL previews rather than auto-opening links
  • Avoid apps with excessive permissions (a QR scanner does not need access to your contacts or messages)
  • Be wary of apps with aggressive advertising, as these may bundle unwanted software

What To Do If You Scan a Malicious Code

If you realise you have scanned a suspicious QR code or entered information on a phishing site, act quickly:

Immediate Actions

  • Close the browser immediately: Do not interact further with the page. Clear your recent tabs.
  • Disconnect from Wi-Fi: If the code connected you to an unknown network, disconnect and forget the network.
  • Do not download anything: If prompted to download a file or app, decline.

If You Entered Credentials

  • Change passwords immediately: Start with the compromised account, then your email (as it is often used for password resets), then banking and financial accounts.
  • Enable two-factor authentication: Add 2FA to all important accounts if not already enabled.
  • Check for unauthorised access: Review recent login activity, connected devices, and account settings for changes you did not make.
  • Monitor for suspicious activity: Watch for unusual emails, login attempts, or transactions over the following weeks.

If You Entered Payment Information

  • Contact your bank immediately: Report potential fraud and request a new card if necessary.
  • Monitor transactions: Set up alerts for transactions and review statements carefully.
  • Consider a credit freeze: If significant personal information was exposed.

Document and Report

  • Take screenshots of the phishing page if still accessible
  • Note the URL and any other relevant details
  • Report to the relevant authorities (see reporting section below)
  • Notify the business whose QR code was compromised, if applicable

For Businesses: Protecting Your QR Codes

If you use QR codes for your business, you have a responsibility to protect your customers:

Code Deployment

  • Print, do not stick: Integrate QR codes directly into printed materials rather than using stickers that can be replaced.
  • Use branded short URLs: Custom domains (e.g., qr.yourbrand.com) make it easier for customers to verify legitimacy.
  • Include URL text: Print the destination URL alongside the QR code so customers can verify.
  • Use consistent placement: Train customers to expect codes in specific locations, making tampering more obvious.

Monitoring and Maintenance

  • Regularly inspect physical codes: Check that QR codes in public locations have not been covered or replaced. Make this part of routine maintenance.
  • Monitor scan patterns: With dynamic QR codes, you can track scan counts and detect unusual activity that might indicate tampering.
  • Use dynamic codes when possible: If a code is compromised, you can change the destination without replacing physical materials.

Customer Education

  • Include a note explaining what URL customers should expect when scanning
  • Provide alternative access methods (manual URL, app, etc.) for security-conscious customers
  • Train staff to identify tampered codes and report them

Enterprise Security Considerations

Organisations face additional challenges when QR codes are used internally or by employees:

Enterprise Checklist

  • Security awareness training: Include quishing in phishing training programmes. Employees should know the risks.
  • Mobile Device Management (MDM): Configure managed devices to block known malicious URLs and prevent installation of apps from unknown sources.
  • URL filtering: Use DNS-level filtering or secure web gateways to block access to known phishing domains.
  • Incident response plan: Have a clear process for employees to report suspected quishing attempts.
  • Email security: Configure email gateways to flag or quarantine emails containing QR code images.
  • Approved QR platforms: Standardise on approved QR code generation platforms with security controls and audit logging.

Policy Recommendations

  • Prohibit scanning unknown QR codes on corporate devices without verification
  • Require multi-factor authentication for all corporate accounts
  • Log and monitor QR code scans on managed devices where possible
  • Establish a process for vetting QR codes before they are deployed in company materials

Where to Report QR Code Scams

Reporting quishing attacks helps authorities track trends and may help others avoid similar scams:

United States

FBI Internet Crime Complaint Center (IC3): ic3.gov
FTC Report Fraud: reportfraud.ftc.gov

United Kingdom

Action Fraud: actionfraud.police.uk
National Cyber Security Centre: ncsc.gov.uk

Australia

Scamwatch: scamwatch.gov.au
Australian Cyber Security Centre: cyber.gov.au/report

Report Phishing URLs

Google Safe Browsing: Report phishing page
Microsoft: Report unsafe site

Frequently Asked Questions

Can a QR code contain a virus?

A QR code itself cannot contain a virus or malware. QR codes only store data such as text, URLs, or contact information. However, a QR code can link to a website that attempts to download malware to your device. The risk comes from what you do after scanning, not from the code itself. Modern smartphones will not automatically download or execute files from websites without your permission.

Is it safe to scan QR codes with my phone camera?

Yes, scanning QR codes with your phone camera is generally safe because both iOS and Android show you a URL preview before opening anything. The danger comes from tapping through without reading the preview, or from scanning codes that lead to convincing phishing sites. Always read the URL preview carefully before tapping.

Can someone steal my information just by me scanning a QR code?

No. Scanning a QR code and viewing the URL preview does not transmit any personal information. Your data is only at risk if you visit a malicious website and enter information such as passwords, credit card numbers, or personal details. Simply scanning and previewing a code is not dangerous.

Are QR code payment scams common?

QR code payment scams are increasing, particularly with overlays on parking meters, fake restaurant payment codes, and cryptocurrency scams. The FBI issued a public warning in 2022 about criminals tampering with QR codes to redirect payments. Always verify you are on the correct payment platform before entering card details.

Should I use a QR code scanner app or my phone camera?

Your phone's built-in camera app is generally the safest option. Both iOS and Android cameras show URL previews before opening. Some third-party scanner apps auto-open URLs without previews, which is more dangerous. If you do use a scanner app, ensure it shows previews and comes from a reputable developer.

How can I tell if a QR code has been tampered with?

Look for physical signs: stickers placed over original codes, peeling edges, codes that do not match the quality of surrounding printed materials, or handwritten additions. Legitimate businesses print QR codes directly onto materials rather than sticking them on afterwards. If something looks off, do not scan it.

What is the difference between quishing and phishing?

Phishing uses emails, text messages, or fake websites to trick people into revealing sensitive information. Quishing is a specific type of phishing that uses QR codes as the delivery mechanism. The end goal is the same (credential theft, financial fraud, or malware installation), but quishing exploits the trust people place in physical signage and the difficulty of previewing QR code destinations.

Can QR codes track my location?

A QR code itself cannot track your location. However, if you scan a dynamic QR code and visit the linked website, that website can collect the same information any website can: your IP address (which gives approximate location), device type, and browser. This is standard web analytics, not unique to QR codes. Reputable services like LinkScan only track aggregate scan counts, not individual user data.

The Bottom Line

QR codes are a convenient tool, but convenience should never override caution. The few seconds it takes to preview a URL or check for tampering could protect you from significant harm. Criminals are opportunistic. They exploit the gap between how fast we act and how carefully we think.

The core principle is simple: treat QR codes like links in emails. You would not click a link from an unknown sender without checking where it goes. Apply the same caution to QR codes, especially those asking for login credentials, payment information, or app downloads.

At LinkScan, we build security into our platform. Our dynamic QR codes use clean, identifiable URLs (linkscan.org/s/...), we collect only aggregate scan counts rather than personal data, and we provide transparent analytics so businesses can monitor for suspicious activity. Security is not an afterthought; it is foundational.
