Threat Alert

QR codes are being weaponised

Quishing attacks hide malicious links inside QR codes. Fake parking meters, restaurant menus, delivery notices, and emails are tricking people into giving up credentials and payments every day.

  • 600% increase since 2023
  • 1 in 4 phishing emails use a QR code
  • 89% target mobile devices

What is quishing?

Quishing — short for QR phishing — is a social engineering attack that hides malicious links inside QR codes. Because QR codes can't be read by the human eye, victims have no way of knowing where a code leads until they scan it.

Attackers place fake QR codes on parking meters, restaurant tables, delivery notices, and in emails. When scanned, these codes redirect to convincing phishing pages designed to steal credentials or payment details, or to install malware on your device.

Unlike a traditional phishing link in an email body, a QR code can slip past email security filters that inspect only text links: the URL exists only as pixels in an image, so filters that do not decode images never see it. This is why quishing is one of the fastest-growing attack vectors in cybersecurity.

How a quishing attack works
1. Placement — Attacker prints a fake QR code and places it over a legitimate one, or distributes it via email, flyer, or public poster.
2. Scan — Victim scans the code expecting a menu, payment portal, or document link.
3. Redirect — The code opens a malicious URL that mimics a trusted website (bank, courier, employer portal).
4. Harvest — Victim enters login credentials or payment details, or downloads malware, giving the attacker what they need.

  • 587% rise in quishing attacks in the last 12 months
  • $44M estimated losses from QR code scams in 2025
  • 72% of people don't check QR code links before opening them

Where quishing happens

Fake QR codes can appear on parking meters, menus, delivery notices, and emails. These are the most common attack scenarios.

Parking Meter QR Scam — Public infrastructure attack · Risk: High

Criminals place fake QR code stickers over legitimate payment codes on city parking meters. When a driver scans the code to pay for parking, they're redirected to a convincing but fraudulent payment page that captures their credit card details. The victim believes they've paid for parking, but instead their payment information has been stolen.

What the scam looks like

  • A QR sticker placed slightly off-centre or overlaid on an existing code
  • Redirects to a payment page that doesn't match the city council's domain
  • Asks for full card details including CVV for a simple parking fee
  • No confirmation or receipt from the legitimate parking provider
Key indicators: URL mismatch · Sticker overlay · Asks for CVV · No HTTPS

Restaurant QR Menu Scam — Hospitality attack · Risk: High

Post-pandemic, QR code menus have become standard in restaurants and cafes. Attackers exploit this by replacing legitimate menu QR codes with tampered stickers that redirect diners to phishing sites. These pages may mimic the restaurant's ordering system, collecting payment information or prompting users to download a malicious "menu app."

What the scam looks like

  • A QR code on a table tent or stand that has been replaced with a sticker
  • Opens a web page that immediately asks for payment details to "place an order"
  • Prompts you to download an app that isn't from a trusted app store
  • The URL doesn't match the restaurant's actual website or ordering platform
Key indicators: Tampered sticker · Fake ordering page · App download prompt

Delivery Notice QR Scam — Package delivery attack · Risk: High

Fake missed-delivery cards are left on doorsteps with a QR code to "reschedule your delivery." When scanned, the code leads to a phishing page that mimics a major courier (Australia Post, FedEx, DHL). Victims are asked to enter personal details and pay a small "redelivery fee" — but the page captures their full payment credentials.

What the scam looks like

  • A printed card left at your door claiming you missed a delivery
  • QR code to "reschedule" or "confirm delivery details"
  • Redirects to a page asking for a small fee ($1-3) for redelivery
  • Collects full name, address, phone number, and payment information
Key indicators: Fake courier branding · Redelivery fee · Personal data harvest

Office Phishing Email — Corporate credential theft · Risk: High

Employees receive urgent emails containing QR codes — "Scan to access the shared document" or "Verify your credentials before account lockout." Because the malicious link is embedded in a QR code image rather than a clickable URL, it can pass through corporate email security filters that only scan text links, and the victim then opens the page on a personal phone that sits outside the corporate web proxy. This makes quishing especially dangerous in enterprise environments.

What the scam looks like

  • An urgent email from "IT Department" or "HR" with a QR code to scan
  • Claims to require immediate action — password reset, document access, MFA setup
  • QR code leads to a fake Microsoft 365, Google Workspace, or SSO login page
  • Captures corporate credentials, enabling account takeover and lateral movement
Key indicators: Bypasses email filters · Urgency tactics · Credential harvest · Fake SSO page

Airport & Travel Wi-Fi Scam — Travel and public Wi-Fi attack · Risk: Medium

Posters and signs in airports, hotels, and cafes offer "Free Wi-Fi" via a QR code. When scanned, the code connects the traveller to a rogue access point or redirects to a captive portal that harvests login credentials. Some variants install device profiles or VPN configurations that allow the attacker to intercept all traffic.

What the scam looks like

  • Professional-looking poster offering free Wi-Fi through a QR code
  • The QR code URL doesn't match the official airport or hotel domain
  • Captive portal asks for email, social media login, or payment for "premium" access
  • May prompt installation of a configuration profile or certificate
Key indicators: Rogue access point · Domain mismatch · Profile install

Crypto & Payment QR Scam — Financial transaction attack · Risk: High

QR codes are commonly used for cryptocurrency wallet addresses and payment transfers. Attackers swap legitimate payment QR codes with their own wallet addresses, or create fake "payment required" QR codes in emails and invoices. Since crypto transactions are irreversible, victims have no way to recover stolen funds.

What the scam looks like

  • A QR code in an invoice or payment request pointing to an attacker's wallet
  • Fake payment portal that generates a QR code for "instant transfer"
  • Modified QR codes at point-of-sale that redirect to a different payment account
  • Crypto wallet apps that scan a QR code leading to a drainer contract
Key indicators: Wallet address swap · Irreversible transfer · Drainer contract

How to stay safe

You can't see where a QR code leads until you scan it. These steps help you avoid quishing traps.

Inspect before scanning

Look for signs of tampering — stickers placed over existing QR codes, uneven edges, or codes that look out of place. If a QR code appears damaged or modified, don't scan it.

Preview the URL first

After scanning, check the URL before tapping. Look for misspellings, unusual domains, or URLs that don't match what you expect. A parking meter shouldn't link to a random .xyz domain.
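The checks this tip describes can be written down as a small triage routine. The following is an added example (not the page's or QR Code Check's code) that takes the text a scanner app decodes from a QR code and returns the red flags from the scenarios above: no HTTPS, a host that is not the expected domain, the expected domain buried inside a lookalike host, an '@' hiding the real host, a raw IP address, an unusual TLD, and a payload that joins a Wi-Fi network instead of opening a page. The expected domain `courier.example` and the TLD list are constructed.

```python
"""Triage the text decoded from a QR code before the link is opened."""
from urllib.parse import urlsplit
import ipaddress

# Constructed sample list: TLDs a parking meter or courier page would not normally use.
UNUSUAL_TLDS = {"xyz", "top", "icu", "click", "zip"}


def _is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return the red flags found in a decoded payload (empty list = none found).

    expected_domain is the site the user expects, e.g. the courier's real domain;
    any host that is not that domain or a subdomain of it is a mismatch.
    """
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        return ["payload is a Wi-Fi join request, not a web link"]
    if "://" not in payload:
        payload = "http://" + payload  # bare hosts are opened over plain HTTP
    url = urlsplit(payload)
    host = (url.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    flags = []
    if url.scheme != "https":
        flags.append("no HTTPS")
    if url.username is not None:
        flags.append("'@' in URL: the text before it is not the real host")
    if _is_ip_literal(host):
        flags.append("raw IP address instead of a domain")
    if host != expected and not host.endswith("." + expected):
        flags.append(f"domain mismatch: {host!r} is not {expected!r}")
        # e.g. courier.example.redelivery-fee.xyz: the real name is only a prefix
        if expected in host or expected.replace(".", "-") in host:
            flags.append("lookalike: expected domain embedded in an unrelated host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("internationalised domain label (possible homoglyph)")
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        flags.append("unusual top-level domain")
    return flags
```

Feed it the URL your scanner app previews before you tap it; any non-empty result is a reason to stop and go to the provider's site directly.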

Never enter credentials

Legitimate services rarely ask for login credentials through a QR code. If a scanned code asks for your password, bank details, or personal information, close the page immediately.

Verify the source

If a QR code claims to be from a business, verify by going directly to their official website or contacting them. Don't trust QR codes on random flyers, unsolicited emails, or public posters.

Report suspicious codes

If you find a suspicious QR code in public, report it to the venue or local authorities. Removing or covering a single tampered code can protect hundreds of people from falling victim.

Use QR Code Check

QR Code Check analyses every QR code for threats before you open the link. Multi-source threat intelligence and on-device AI help you spot suspicious URLs, phishing pages, and malware — all without your data leaving your phone.

Download QR Code Check

Don't scan blind

Check suspicious QR codes before opening the link. QR Code Check helps you preview risk, spot suspicious URLs, and avoid phishing traps.

Learn more about the app at qrcodecheck.app