Quishing: Using QR Codes For Cybercrime
QR codes, to me, are one of the most brilliant inventions of the modern digital era. Visually simple, yet applicable to a remarkably diverse set of use cases: restaurant menus, UPI payments, WiFi access, business cards, digital authentication, and many more.
But while we are happily scanning our way through restaurants, parking lots, and delivery flyers, scammers are quietly turning these black‑and‑white boxes into one of their favourite weapons. Enter Quishing: phishing attacks that ride on QR codes instead of links in an email.
The Rise of Quishing: From a Niche Trick to a Mainstream Threat
Quishing has gone from a “weird new scam” to a serious global problem. One recent analysis found that QR code-based attacks are now used in roughly 22% of all phishing attacks. Email‑based quishing is a primary attack vector, with occurrences of phishing emails hiding malicious QR codes (often inside PDFs or images) jumping fivefold in 2025.
Meanwhile, surveys show that about 73% of people scan QR codes without checking the source, and millions of online users have already been redirected to malicious sites via QR scams. In short, we trust QR codes way more than we should, and attackers know it.
Quishing in Action
A QR code is just a shortcut to a URL or an online action, and the genius of quishing lies in the fact that you can’t see where it leads until you scan it. Because the link is encoded as pixels in an image rather than as clickable text, the email filters and browser warnings that normally rewrite or reputation-check links never get to see it, and the scan usually happens on a personal phone that sits outside the company’s proxy, endpoint protection, and managed browser. Once scanned, the code might:
Open a fake payment page, skimming your card or UPI details,
Load a credential‑harvesting login screen,
Trigger malware downloads, or
Redirect to malicious sites.
Basically, it’s phishing that escaped the inbox and started pasting itself onto the physical world.
In the wild, quishing shows up everywhere. At restaurants and cafés, scammers slap stickers over real menus or payment QR codes, sending you to pages that ask for Google/Facebook logins or demand full card details instead of trusted gateways.
Parking meters and pay‑and‑park boards are another hotspot, where fake QR stickers lead to bogus “city parking” sites that steal card info; victims think they’ve paid but actually hand over data for future fraud.
Email quishing gets even sneakier by embedding QR codes inside PDF or JPEG attachments. These emails generally ask users to “Scan to sign HR policy,” “Update Multi Factor Authentication (MFA),” or “View secure document.” One wrong scan can compromise corporate mailboxes and cloud drives.
Posters in malls, transport, or buildings lure with “Scan to donate,” “VIP sale,” or “free Wi‑Fi,” collecting donations into scam accounts, stealing cards, or building phone/email lists for bigger scam plays in the future.
The damage from all these quishing methods is real and varied. Credential theft, account takeovers, unauthorised corporate access, and wallet abuse are some of the common results. Fake payment pages grab card/UPI details for unauthorised purchases or dark web sales. Malware from scans installs spyware or ransomware, hitting unprotected devices. In businesses, spoofed IT/HR emails can lead to breaches, and a single compromised inbox can snowball into data theft, fake invoices, or company‑wide chaos.
Tips to Tackle Quishing
You don’t need to stop scanning QR codes; you just need to stop blindly scanning them.
Apply some real-world context when you encounter QR codes.
If a QR code is a sticker slapped onto a parking meter, menu, or poster, especially one that looks misaligned or covers something underneath, be wary! For QR codes in parking spaces, compare with nearby meters or signage. And, for restaurants, ask the staff whether that QR code is their official one.
Preview the links that QR codes direct you to.
Most phone cameras and QR apps show you the URL before opening it. Read the domain right to left: what matters is the registered domain sitting just before the path, so “mybank.com” is your bank, but “mybank.verify-id.net” belongs to whoever registered “verify-id.net”. A padlock or “https” at the beginning only tells you the connection is encrypted; scam sites get free certificates too, so it is not proof that the site is genuine. Be extra careful with link shorteners (bit.ly, tinyurl and the like), because the preview shows the shortener, not the real destination, and with codes that are not web links at all (WiFi settings, UPI payment requests, phone numbers), since the phone acts on those without showing you a browser warning.
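To make the “read the domain, not the padlock” advice concrete, and to show that a QR payload can be an action rather than a link (as the section on quishing in action notes), here is an added example that is not code from the original post. It assumes the QR code has already been decoded into a string by the phone camera or a scanner library, uses a small hand-written suffix table as a stand-in for the real Public Suffix List, treats WIFI:, upi://, tel:, mailto: and vCard payloads as actions in their own right, and the sample payloads are constructed for illustration.

```python
"""
Inspect the text decoded from a QR code before anything acts on it.

Added example, not code from the original post. It assumes the QR code
has already been decoded into a string; the checks are heuristics, and
the small suffix table is a stand-in for the real Public Suffix List.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Stand-in for the Public Suffix List (assumption: production code should
# load the real list, e.g. via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in", "co.uk", "io",
                   "app", "ly", "gl", "gd", "co"}

# Link shorteners hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Payloads that make the phone *do* something rather than open a page.
ACTION_RE = re.compile(r"^(WIFI|tel|sms|smsto|mailto|otpauth|upi):", re.I)


def registrable_domain(host: str) -> str:
    """Return the part of a hostname somebody actually registered: the
    public suffix plus one label. 'mybank.verify-id.net' -> 'verify-id.net'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def inspect_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Classify a decoded QR payload and collect reasons to distrust it.

    Returns {"kind", "target", "warnings"}: target is the registered domain
    for URLs, the payee address for UPI requests, else the raw payload.
    """
    warnings = []
    payload = payload.strip()

    m = ACTION_RE.match(payload)
    if m or payload.upper().startswith("BEGIN:VCARD"):
        kind = "VCARD" if m is None else m.group(1).upper()
        target = payload
        if kind == "UPI":
            # upi://pay?pa=<payee address>&pn=<name>&am=<amount>: the payee
            # address is what receives the money, so that is what to compare.
            target = parse_qs(urlsplit(payload).query).get("pa", [""])[0]
        warnings.append(f"{kind} action payload: the phone acts on it directly, "
                        "no browser warning")
        return {"kind": kind, "target": target, "warnings": warnings}

    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        shown = scheme or "(none)"
        warnings.append(f"unexpected scheme '{shown}'")
        return {"kind": "OTHER", "target": payload, "warnings": warnings}

    host = parts.hostname or ""
    domain = registrable_domain(host)
    if scheme == "http":
        warnings.append("plain http: connection is unencrypted")
    if parts.username is not None:
        # https://mybank.com@evil.net/ - the text before '@' is a username,
        # and the browser connects to the host after it.
        warnings.append(f"'{parts.username}@' before the host: the real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host: possible lookalike characters")
    if domain in SHORTENERS:
        warnings.append(f"link shortener {domain}: real destination is hidden behind a redirect")
    if expected_domain:
        expected = expected_domain.lower()
        brand = expected.split(".")[0]
        if domain != expected and brand in host:
            warnings.append(f"'{brand}' appears in the hostname but the registered "
                            f"domain is '{domain}', not '{expected}'")
        elif domain != expected:
            warnings.append(f"registered domain is '{domain}', not '{expected}'")
    return {"kind": "URL", "target": domain, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, the kind a sticker or emailed PDF might carry.
    samples = [
        ("https://mybank.com/login", "mybank.com"),
        ("https://mybank.verify-id.net/login", "mybank.com"),
        ("https://mybank.com@203.0.113.7/verify", "mybank.com"),
        ("https://bit.ly/3abcXYZ", "mybank.com"),
        ("upi://pay?pa=helpdesk-refund@okaxis&pn=Cafe&am=450&cu=INR", None),
        ("WIFI:T:WPA;S:FreeCafeWifi;P:pass123;;", None),
    ]
    for sample, expected in samples:
        result = inspect_payload(sample, expected)
        verdict = "OK" if not result["warnings"] else "CHECK"
        print(f"[{verdict}] {result['kind']:<5} {result['target']}")
        for w in result["warnings"]:
            print(f"        - {w}")
```

Note that the lookalike case (“mybank.verify-id.net”) is served over https and would show a padlock, yet it is still flagged, because the check is on who registered the domain, not on whether the connection is encrypted. The UPI and WiFi payloads never reach the URL checks at all; they are reported as actions so the reader can compare the payee address or network name against what they expected.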
Treat email QR codes like suspicious links.
If an email attachment or embedded image asks you to scan a QR “to update MFA,” “view a document,” or “verify your account,” do not engage immediately. Instead, go directly to the service (Microsoft 365, bank, HR portal) via your browser or official app, and check if there is actually any action pending on your account. If your company has IT/security, forward such suspicious messages to them.
If you think that you have been quished:
For payment/card issues: block the card and dispute fraudulent charges with your bank immediately.
For login/credentials: change passwords on affected accounts, sign out of all other sessions (a new password does not end sessions the attacker already has), enable 2FA, and review account activity.
For work accounts: inform IT/security right away so they can reset access, revoke active sessions and tokens, and check logs.
Wrapping Up: Scan With Your Brain, Not Just Your Camera
QR codes are here to stay, as they are just too convenient. But convenience without caution is exactly what scammers bank on. Quishing works because most people treat QR codes like harmless technology, not potential trapdoors.
Next time you see a little black‑and‑white square, pause and take a deeper look. Check where it is, where it wants to take you, and what it’s asking for. Let your camera do the scanning, but let your common sense decide what happens next.