QR code scams (quishing): how to spot them
Quishing (QR + phishing) is a scam via QR codes: after scanning, the person is sent to a fake page asking for a login, a payment or offering malware. Protection is simple — treat a QR code like a hidden link: check the address before opening, and open important services yourself via the app.
Quishing (QR + phishing) is a scam that uses a QR code instead of a link. After scanning the code with a phone, the person is redirected to a fake page that asks for login details, a payment or offers a malicious app to download. This form is growing because QR codes have become routine — menus, payments, tickets — and are trusted without much doubt.
Why QR codes suit scammers
- The address is hidden: you cannot tell from the code where it leads.
- Scanned on a phone: on mobile it is harder to see the real domain, and protection is often weaker than on a computer.
- Physical trust: a code on paper or a poster looks more official than an email.
- Bypasses filters: a QR code in an email is often an image, so email protection does not check the link.
Where malicious QR codes appear
- In an email with an "invoice" or "delivery confirmation", where a QR code replaces the usual button.
- On physical stickers pasted over a real code: in car parks, on terminals or posters.
- In fake payment requests imitating a bank or institution.
- In promotional flyers or "prize" notices.
How to spot quishing
Since the code itself cannot be previewed, attention shifts to the context and to what happens after scanning.
- An unexpected QR code in an email instead of a normal link or text.
- After scanning, a page opens asking for login details or a payment.
- The address in the browser does not match the company whose code you are supposedly scanning.
- The QR sticker looks pasted over another, original code.
- An urgent or threatening tone next to the code ("scan now, or else...").
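The address check from the list above (and from the FAQ answer about reading the link before tapping), written out as an added example that is not part of the original article: given the text a scanner decodes from a QR code, it lists the reasons the address does not belong to the expected company. The domain `example-bank.com`, the function name `check_qr_url` and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample value: the domains your organisation really uses.
EXPECTED_DOMAINS = {"example-bank.com"}

def check_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return reasons to distrust a decoded QR payload (empty list = none found)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web address"]
    reasons = []
    if parts.scheme == "http":
        reasons.append("no HTTPS")
    if has_userinfo:
        # In https://bank.com@other.net/ the browser goes to other.net.
        reasons.append("text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        reasons.append("internationalised name that may imitate another")
    # Trusted only if the host IS an expected domain or a subdomain of one.
    trusted = any(host == d or host.endswith("." + d) for d in expected)
    if not trusted:
        reasons.append("host is not an expected domain")
        if any(d in host for d in expected):
            reasons.append("expected name embedded in a different domain")
    return reasons

if __name__ == "__main__":
    for sample in (  # constructed payloads, as a scanner would decode them
        "https://pay.example-bank.com/invoice/123",
        "https://example-bank.com.secure-check.example.net/login",
        "https://example-bank.com@login.example.net/",
        "http://192.0.2.10/pay",
    ):
        print(sample, "->", check_qr_url(sample) or "no warning signs found")
```

An empty result only means none of these specific signs were found; it does not make a page opened from an unexpected code safe to log in to.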
What to do and how to protect yourself
- Before scanning, consider whether the code is in a trusted place and whether you expected it at all.
- After scanning, look at the address before tapping "open"; many phones show the link.
- Do not enter login or card details on a page opened via a QR code.
- Open important services (bank, email) via the app or manually, not through a QR code.
- In physical places, check whether the code is a sticker pasted over another code.
How to prepare your team
Many employees do not yet know that a QR code can be an attack — which makes it an easy target. A short reminder and practical simulations that include QR scenarios quickly raise alertness. Opsinel simulations cover not only email and SMS but QR codes too, so the team learns to spot scams across every channel where they actually happen.
Frequently asked questions
Is it dangerous just to scan a QR code?
Scanning usually only shows the link. The risk comes from opening it and entering details or downloading a file. So always check the address before continuing.
How can I see where a QR code leads?
On most phones, scanning a code first shows the link or domain. Read it before tapping — if the address is unfamiliar or odd, do not open it.
Do email filters stop malicious QR codes?
Often no, because a QR code in an email is an image and the link inside is not checked. So it is important that employees recognise a suspicious QR code themselves.
What is quishing?
Quishing is a scam via QR codes — the name combines "QR" and "phishing". Instead of a link in an email or on a sticker, a code redirects to a fake page.
Is it safe to scan a QR code in a restaurant or on a poster?
Usually yes, but check whether the code is a sticker pasted over another one, and look at the address shown before opening. Do not enter details through it.