Quishing: When QR codes become tools for fraud
QR codes have become a natural part of our everyday lives — from restaurant menus to parking payments. But this practical technology has also opened a new door for scammers. The phenomenon is called quishing, and it’s spreading fast.
If you arrived at this article by scanning a QR code on LinkedIn, you just scanned without knowing exactly where it would take you…
That’s how many real attacks begin. A QR code can be more than a quick shortcut. It can lead you to fake login pages (phishing). Start downloads of malicious content (malware). Give attackers clues about who you are and where you work (reconnaissance). Serve as one link in a larger chain of attack preparations.
Why is this dangerous?
Hackers build a picture of your organization step by step. A single QR scan can be the starting point. The next step might be phishing, compromise, or exploitation of vulnerable systems.
This QR code was harmless. The next one could be the start of a serious attack. Do you want to understand how hackers actually work — and how you can stop them? Read on.
What is quishing?
Quishing is a form of phishing where scammers use manipulated QR codes to trick people into revealing personal information, banking details, or even installing malware. Often, real QR codes are covered with stickers that redirect to fake websites.
How big is the problem?
- Over 26 million people worldwide have been exposed to malicious QR codes.
- Around 26% of all malicious links are now distributed via QR codes.
- In the UK, drivers are particularly at risk: in 2024 alone, 1,386 cases of fake QR code scams were reported at parking machines. In just the first three months of 2025, the number was already 502.
- The total financial loss in the UK is estimated at around £3.5 million in the past year.
Why does it work?
The reason is simple: QR codes hide their destination. When you scan a code, you can’t always see where you’re being redirected until it’s too late. The pandemic made QR codes more widespread — and scammers are taking full advantage.
How can you protect yourself?
Here are some simple tips to avoid becoming a victim:
- Don’t scan everything you see: Be cautious with QR codes in public spaces, especially on posters or parking machines.
- Type the web address manually: Particularly when it involves payments.
- Check the URL carefully: Look for spelling mistakes, strange domains, or missing HTTPS.
- Use security apps: Antivirus and identity protection tools can add an extra layer of safety.
- Don’t be rushed: Scammers often rely on urgency or fear (social engineering).
- Report suspicious QR codes: To your bank, authorities, or the parking operator.
- Enable multi-factor authentication (MFA): It provides an additional safeguard if something does go wrong.
QR codes are convenient, but they’ve also become a favorite tool among scammers. Next time you consider scanning a code, pause for a moment and ask yourself: Can I trust this? A little extra caution can save you both money and frustration.
Sources
Explore more
Psychological safety and cybersecurity: How safety strengthens business decisions
Culture at Sicra: How we face today’s workplace challenges
The Digital Security Act entered into force on October 1, 2025 – what does it mean for businesses?
