Back to Knowledge Hub
Security • Privacy • Guide • Quishing • Phishing

What is Quishing? QR Code Phishing Explained (2026 Guide)

February 14, 2026 Security Team

QR codes are everywhere. Restaurants use them for menus. Parking meters use them for payments. Businesses use them for contact tracing.

But criminals use them too.

Quishing is a new type of phishing attack that uses QR codes to trick you. It is growing fast because QR codes hide the destination URL. You cannot see where the code will take you until you scan it.

This guide explains what quishing is, how it works, and how to protect yourself.

What is Quishing?

Quishing is short for "QR code phishing."

It is a scam where attackers use fake or tampered QR codes to steal your information. The QR code looks normal, but it leads to a malicious website.

The goal is usually to:

  • Steal your login credentials (username and password)
  • Steal your credit card information
  • Install malware on your device
  • Trick you into sending money

Quishing works because most people trust QR codes. They scan without thinking. They do not check the URL before clicking.

How Quishing Attacks Work

Step-by-Step Attack Process

  1. Attacker creates a fake QR code - The code links to a phishing website that looks like a real company (bank, payment app, government site)
  2. Attacker distributes the QR code - Sticker placed over a legitimate QR code, sent via phishing email, posted on social media, or printed on fake flyers
  3. Victim scans the QR code - Most scanners open the link automatically without showing the URL first
  4. Victim lands on fake website - Site looks identical to the real one and asks for login credentials or payment information
  5. Victim enters information - Attacker captures the data

Why Quishing is Effective

Quishing bypasses traditional security measures.

Email filters cannot detect it: Email security scans text and links. QR codes are images, not text. Filters cannot read what is inside the QR code.

People trust QR codes: QR codes became normal during COVID-19. People scan without questioning. Physical QR codes (stickers, posters) seem more trustworthy.

URLs are hidden: You cannot see the destination before scanning. Many scanners open links automatically. No time to verify the URL is safe.

Real-World Quishing Examples (2024-2026)

Parking Meter Scams

What happened: Attackers placed fake QR code stickers on parking meters in major cities. Stickers covered the legitimate payment QR codes. Victims scanned to pay for parking. Fake website looked identical to the real parking payment site. Victims entered credit card information. Attackers stole the card details.

Cities affected: Austin Texas (2024), San Francisco California (2025), Chicago Illinois (2025), Multiple cities in the UK (2025-2026)

How to avoid: Check if the QR code sticker looks tampered with. Use the parking app directly instead of scanning codes. Verify the payment URL before entering card details.

Restaurant Menu Scams

What happened: Fake QR codes placed on restaurant tables. Codes claimed to link to the menu. Actually linked to phishing sites asking for payment. Some asked victims to "pre-pay" for their meal. Others asked for credit card to "verify age" for alcohol.

Red flags: Menu QR code asks for payment before ordering. Site requests credit card for "verification". URL does not match the restaurant name.

Email Phishing with QR Codes

What happened: Phishing emails with QR codes instead of text links. Email claims to be from your bank, PayPal, or Microsoft. Says your account is locked or payment failed. QR code leads to fake login page. Victims enter credentials, attackers steal accounts.

Why it works: Email filters do not scan QR codes. People scan with their phone while reading email on computer. Creates separation between seeing the email and entering data.

Example email subjects: "Your account will be suspended - Scan to verify", "Payment failed - Scan QR code to update billing", "Security alert - Immediate action required"

How to Spot a Quishing Attack

Use this checklist before scanning any QR code.

Physical QR Codes (stickers, posters, menus):

  • Is the sticker placed over another sticker?
  • Does the sticker look professionally printed or homemade?
  • Is the QR code in an unusual location?
  • Does the surface around it look tampered with?
  • Is there a legitimate alternative (app, website, phone number)?

Digital QR Codes (emails, messages, social media):

  • Did you expect this QR code?
  • Does the sender email address look legitimate?
  • Is there urgency or threats ("act now or account closes")?
  • Could you visit the website directly instead of scanning?
  • Does the message have spelling or grammar errors?

After Scanning (before clicking):

  • Does the URL match the expected website?
  • Is it HTTPS (secure) or HTTP (not secure)?
  • Does the domain name look suspicious (extra letters, misspellings)?
  • Is it a shortened URL (bit.ly, tinyurl) hiding the real destination?

If any answer is "yes" to the warning signs, do not proceed.

How to Protect Yourself from Quishing

  1. Use a scanner that shows the URL first - Most phone cameras open links automatically. Use a scanner that shows you the URL before opening it, lets you copy the URL to check it, warns you about suspicious domains, and does not auto-redirect. Our scanner does all of this.
  2. Verify the URL before clicking - Check that domain name matches the company, HTTPS is present, no extra words or numbers in the domain, and it is not a shortened URL.
  3. Never scan QR codes from unexpected emails - Do not scan it. Go to the company website directly. Log in through the official app. Call the company to verify.
  4. Check physical QR codes for tampering - Look for signs of tampering (peeling edges, overlays). Compare with nearby codes. Use the official app or website instead.
  5. Do not enter sensitive information immediately - Verify the URL carefully. Check for HTTPS. Look for the company's real domain. When in doubt, close it and visit the site directly.
  6. Enable two-factor authentication (2FA) - If attackers steal your password, 2FA stops them from accessing your account.

What to Do If You Scanned a Malicious QR Code

If you only scanned but did not enter information: You are probably safe. Close the browser tab. Do not click anything on the page. Clear your browser history and cache.

If you entered login credentials: Change your password immediately on the real website. Enable two-factor authentication. Check your account for suspicious activity. Monitor for unauthorized logins.

If you entered credit card information: Call your bank or credit card company immediately. Report the fraudulent site. Request a new card. Monitor your statements for unauthorized charges. Consider a fraud alert or credit freeze.

If you downloaded something: Do not open the file. Run antivirus software. Consider factory resetting your device if malware is found. Change all passwords from a different device.

Report the attack to authorities and the company being impersonated.

How Our Scanner Helps Prevent Quishing

Our QR scanner is built with security in mind.

  • URL Preview Before Opening: We show you the full URL before you visit it. No automatic redirects.
  • Security Warnings: We warn you about suspicious domains and shortened URLs.
  • Client-Side Processing: All scanning happens in your browser. Your data never leaves your device.
  • No Auto-Redirect: You must click to visit the URL. Gives you time to verify it is safe.
  • Copy URL Feature: Copy the URL to check it elsewhere before visiting.

Frequently Asked Questions

Q: How common are quishing attacks?

Quishing attacks increased by 587% in 2024 according to cybersecurity reports. They are becoming more common because QR codes are everywhere now, email filters cannot detect them, and people trust QR codes.

Q: Can my phone get a virus from scanning a QR code?

Scanning a QR code itself cannot give you a virus. But the website it leads to might trick you into downloading malware or exploit a browser vulnerability. Always check the URL before visiting.

Q: Are QR codes on restaurant tables safe?

Most are safe, but check for tampering. Look for stickers placed over other stickers, homemade-looking codes, or codes asking for payment before you order. Legitimate restaurant QR codes only show the menu.

Q: Should I stop using QR codes?

No, but be cautious. QR codes are convenient and mostly safe when you scan codes from trusted sources, verify the URL before clicking, and use a scanner that shows the URL first. Avoid scanning random QR codes in public places.

Q: Can businesses prevent quishing on their QR codes?

Yes. Businesses should use tamper-evident stickers, place codes in protected locations, regularly check codes for tampering, educate customers about what to expect, and use dynamic QR codes that can be disabled if compromised.

Q: What is the difference between phishing and quishing?

Phishing uses fake emails or websites with text links. Quishing uses QR codes instead of text links. Quishing is harder to detect because email filters cannot scan QR codes, URLs are hidden until you scan, and QR codes seem more trustworthy.

Q: Are shortened URLs in QR codes always malicious?

Not always, but they are risky. Shortened URLs hide the real destination. Legitimate businesses usually use their own domain in QR codes. If you see a shortened URL, copy it and paste into a URL expander to check where it really goes.

Summary

Quishing is QR code phishing. Attackers use fake QR codes to steal your information.

How to protect yourself: Use a scanner that shows the URL first. Verify the URL before clicking. Check physical QR codes for tampering. Never scan codes from unexpected emails. Enable two-factor authentication.

If you scanned a malicious code: Change passwords immediately. Contact your bank if you entered payment info. Report the attack to authorities.

Stay safe by being cautious. Not all QR codes are trustworthy.

Share this article

Continue Reading

Tech

What Data Can a QR Code Store? Capacity & Types

QR codes are more than just links. Explore the technical limits and data types of Matrix Barcodes.

Read Article
How-To

How to Scan QR Code from Screenshot or Image File

Received a QR code via email or WhatsApp? Learn how to scan it directly from a picture or screenshot without using a second device.

Read Article