QR Code Phishing Scams: What Is Quishing and How to Protect Yourself

Phishing has been the dominant cyber-attack vector for decades, but its delivery mechanisms keep evolving. The latest iteration, dubbed "quishing," replaces the traditional clickable link with a QR code. It is deceptively simple, remarkably effective, and growing at an alarming rate. Here is what you need to know.

What Is Quishing?

Quishing is a portmanteau of "QR" and "phishing." In a quishing attack, the adversary presents a QR code that, when scanned, directs the victim to a fraudulent website. The site typically impersonates a trusted service — a bank, an email provider, a shipping company — and harvests login credentials, payment information, or personal data.

The key innovation is the delivery format. Traditional phishing relies on clickable hyperlinks that email security gateways can parse, classify, and block. A QR code embeds the malicious URL inside an image. To the email filter, it is just a PNG or JPEG attachment — not a threat indicator. The URL is invisible to automated scanning until a human scans the code with their phone.

Real-World Quishing Examples

Parking Meter Scams

In cities across the US and UK, attackers have placed fraudulent QR code stickers on parking meters. The codes link to convincing payment portals that steal credit card information. The Austin, Texas police department issued a public warning in January 2022 after discovering fraudulent stickers on meters across the city. The attack has since been replicated in Houston, San Antonio, and multiple European cities.

Restaurant Menu Fraud

Post-pandemic, many restaurants adopted QR code menus. Attackers exploit this by placing sticker QR codes on tables that redirect diners to phishing sites masquerading as the restaurant's ordering system. The victim enters their payment card details, believing they are placing an order.

Fake Delivery Notices

Physical mail containing a QR code and a message like "Your package could not be delivered. Scan to reschedule." links to a credential harvesting page that mimics USPS, Royal Mail, or DHL. The attack leverages the fact that most people expect packages and act on delivery notices without much scrutiny.

Corporate Email QR Attacks

The most sophisticated quishing campaigns target enterprise employees. The attacker sends an email that appears to come from IT support, HR, or the CEO, instructing the employee to scan a QR code to "verify their identity," "update their MFA settings," or "review a document." Because the malicious URL is in the QR image rather than in the email body, Microsoft Defender, Proofpoint, and other email security tools often fail to flag it.

How Quishing Bypasses Traditional Security

Email security gateways are designed to inspect URLs. They follow redirects, check domain reputation, scan landing pages for phishing indicators, and compare against known-bad lists. Quishing defeats this entire pipeline by encoding the URL as pixels in an image.

Some advanced security tools have begun implementing optical character recognition (OCR) to extract URLs from QR code images, but adoption is slow and accuracy varies. Additionally, attackers can evade OCR by embedding the QR code in a PDF attachment, nesting it within an HTML email's inline CSS, or using QR codes that encode redirect chains rather than the final malicious URL.

The mobile device itself is also a factor. When a user scans a QR code on their phone, they typically leave the corporate security perimeter. The phone may not have the same endpoint protection, web filtering, or DNS-level controls that a managed corporate laptop would. The attack shifts the interaction from a protected environment to an unmanaged one.

5 Warning Signs of a Quishing Attack

  1. Unexpected QR codes in email. Legitimate organizations rarely embed QR codes in email communications. If your "bank" sends you a QR code, treat it as suspicious. Call the bank directly using the number on your card, not a number in the email.
  2. Urgency and threats. "Your account will be locked in 24 hours unless you verify via this QR code." Urgency is the oldest social engineering trick, and it works just as well with QR codes as with traditional links.
  3. The QR code is the only call to action. Legitimate communications provide multiple contact methods. If a QR code is the sole way to take action, the sender is funneling you through a channel they control.
  4. The decoded URL does not match the claimed sender. After scanning, look at the URL before opening it. Does a "Microsoft" email's QR code actually point to microsoft.com? Or does it point to m1crosoft-verify.xyz?
  5. Physical QR codes that look added after the fact. A sticker placed on top of a printed code, a code that is slightly misaligned with the rest of the material, or a code on an otherwise blank surface are all physical indicators of tampering.

What to Do If You Have Scanned a Malicious QR Code

If you suspect you have already scanned a quishing code and interacted with the resulting page, act quickly:

  1. Do not enter any credentials or payment information. If you have already done so, proceed to the next steps immediately.
  2. Change your passwords. If you entered credentials on the phishing site, change those passwords immediately. Start with the compromised service, then change any other accounts that share the same password.
  3. Enable or verify MFA. If the targeted account supports multi-factor authentication and you have not yet enabled it, do so now. If MFA was already enabled, check your MFA settings for any newly added devices or methods.
  4. Monitor your accounts. Watch for unauthorized transactions, login alerts from unfamiliar locations, or changes to your account settings.
  5. Report the incident. Forward the phishing email to your email provider's abuse address. If it targeted your workplace, report it to your IT security team immediately.
  6. Scan your device. Run a security scan on the device you used to access the malicious site to check for any downloaded malware.

How PrivyQR Helps You Stay Safe

PrivyQR is designed to be a defense layer against quishing. When you scan or upload a QR code, PrivyQR decodes it and displays the full content — URL, WiFi credentials, contact card, or plain text — without automatically opening anything. You see exactly what the code contains before taking any action.

Crucially, PrivyQR processes everything client-side. The QR image data is decoded using the jsQR library running in your browser. No image data, decoded content, or scan metadata is transmitted to any server. This means there is no scan history to breach, no analytics pipeline tracking what you scan, and no third-party service that could be compromised to modify your results.
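As an added example (not PrivyQR's own code), the check below shows how a client-side scanner can apply warning sign 4 above and the show-before-you-open display described here: it classifies the text a decoder such as jsQR returns, extracts the real host of a URL and compares it with the domain the message claims to come from, without navigating anywhere. The function names and the `expectedDomain` parameter are assumptions for this illustration.

```javascript
// Added example (not PrivyQR's own code): inspect the decoded text of a QR
// code, as a decoder such as jsQR would return it, without opening anything.
// Assumption: the caller passes the domain the message claims to come from.

function registrableDomain(host) {
  // Simplified to the last two labels; production code should consult the
  // Public Suffix List so that e.g. "co.uk" is handled correctly.
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

function classifyQrPayload(text) {
  const s = text.trim();
  if (/^WIFI:/i.test(s)) {
    // WIFI:T:<auth>;S:<ssid>;P:<password>;; -- show the SSID, never the key.
    const fields = {};
    for (const m of s.slice(5).matchAll(/([A-Z]):((?:\\.|[^;])*);/g)) fields[m[1]] = m[2];
    return { kind: "wifi", ssid: fields.S || "", auth: fields.T || "nopass" };
  }
  // Check these before URL parsing: "BEGIN:VCARD" would otherwise parse as a
  // URL with the scheme "begin:".
  if (/^BEGIN:VCARD/i.test(s) || /^MECARD:/i.test(s)) return { kind: "contact" };
  let url;
  try { url = new URL(s); } catch { return { kind: "text", preview: s.slice(0, 80) }; }
  return { kind: "url", scheme: url.protocol, host: url.hostname, href: url.href };
}

// Returns a verdict for display: "match", "mismatch" or "review". Nothing is
// navigated to; the user decides after seeing the host and the verdict.
function inspectQrPayload(text, expectedDomain) {
  const info = classifyQrPayload(text);
  if (info.kind !== "url") return { ...info, verdict: "review" };
  const notes = [];
  if (!/^https?:$/.test(info.scheme)) notes.push(`non-web scheme ${info.scheme}`);
  if (info.scheme === "http:") notes.push("plain http, no TLS");
  // new URL() strips userinfo, so "https://microsoft.com@m1crosoft-verify.xyz"
  // is judged by its real host, not by the decoy before the "@".
  if (!expectedDomain || !info.host) return { ...info, notes, verdict: "review" };
  const same = registrableDomain(info.host) === registrableDomain(expectedDomain);
  if (!same) notes.push(`host ${info.host} is not under ${expectedDomain}`);
  return { ...info, notes, verdict: same ? "match" : "mismatch" };
}
```

The `review` verdict covers everything that is not a plain web URL with a known expected sender (WiFi, contact cards, mailto: and similar), so the user still sees the content but gets no false reassurance.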

For a detailed technical explanation of why this architecture matters, see our article on client-side QR scanning and privacy.

Do not let a QR code catch you off guard. Scan safely with PrivyQR — see what a code contains before you act on it.

Try the Scanner