How-To 2026-02-25 5 min By Cornelious Fazal

QR Code Scams Explained: What Is Quishing and How to Protect Yourself in 2025

Quick Answer

Quishing (QR phishing) is one of the fastest-growing cybersecurity threats of 2025. Learn what it is, how attackers use fake QR codes, and the 8 warning signs to check.

What Is Quishing?

Quishing is the combination of QR code and phishing - a cyberattack method where criminals create or modify QR codes to redirect victims to fraudulent websites, initiate malware downloads, or steal personal and financial information.

The US Postal Inspection Service (USPIS), the FBI, and the UK's National Cyber Security Centre (NCSC) have all issued official warnings about quishing, which became one of the top-reported cyber threats in both 2023 and 2024. The FBI's 2024 Internet Crime Report recorded a significant increase in QR code-related fraud complaints.

The reason quishing is effective: QR codes are visually opaque. Unlike a suspicious URL in an email (where you can see "amaz0n-login.com" before clicking), a QR code shows nothing about its destination until the code is scanned. Victims must scan first, see the URL second - and by then, many have already followed the pre-set redirect.

How Quishing Attacks Work

Physical Tampering - Sticker-Over-Legitimate-Code Attacks

The most reported form of quishing in the UK and US involves placing a printed sticker containing a malicious QR code over a legitimate one. Documented locations include:

  • Parking meters and pay stations
  • Restaurant table QR menu codes
  • Bike and scooter rental stands
  • NHS and council public information notices
  • Church donation codes
  • Retail store-front payment codes

The attacker accesses the location out of hours, applies the sticker, and waits - victims assume the code is legitimate because it is in a legitimate location. The malicious code typically leads to a convincing fake payment page or login form.

Email and SMS Quishing

Attackers embed QR codes in phishing emails because QR codes bypass standard email security scanners: the scanner sees an image attachment, not a URL. The email claims the recipient must scan the code to verify their account, unblock a delivery, or avoid a security issue. This message typically creates urgency: "Your account will be suspended in 24 hours."

In 2025, researchers at Cisco Talos documented a new technique: QR codes constructed from ASCII/Unicode characters rather than image data, making them even harder for email security systems to detect.
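As an added example (not from the article or from the Cisco Talos research), a mail-gateway style heuristic that flags a message body containing a grid of Unicode block characters of the kind a text-only QR code is drawn with, which an image-based scanner would miss. The character set, the thresholds and the constructed sample message are assumptions; the sample grid imitates the layout only and is not a decodable QR code.

```python
"""Heuristic detector for QR codes drawn with Unicode block characters in email text."""

# Block-element characters a text-only QR code is typically rendered with (assumed set)
BLOCKS = set("█▀▄▌▐░▒▓■")


def _is_grid_row(line, min_width=15):
    """A row of a character-drawn QR: mostly block characters and spaces, mixed."""
    if len(line) < min_width:
        return False
    ink = sum(c in BLOCKS for c in line)
    blank = sum(c == " " for c in line)
    if ink == 0 or (ink + blank) / len(line) < 0.9:
        return False
    # Solid or almost empty rows are dividers or decoration, not QR modules
    return 0.2 <= ink / len(line) <= 0.9


def find_text_qr_blocks(body, min_rows=8):
    """Return (first_line, last_line) index pairs of suspected character-drawn QR grids."""
    hits, run_start = [], None
    for i, line in enumerate(body.splitlines() + [""]):  # sentinel closes a trailing run
        if _is_grid_row(line):
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_rows:
                hits.append((run_start, i - 1))
            run_start = None
    return hits


# Constructed 11 x 21 grid of half-block characters; it mimics the layout only
SAMPLE_GRID = "\n".join(
    "".join("█▀▄ "[(r * 7 + c * 3) % 4] for c in range(21)) for r in range(11)
)

# Constructed lure text in the style described in the article
SAMPLE_EMAIL = (
    "Dear customer,\n\nYour parcel could not be delivered. Scan the code below "
    "within 24 hours to reschedule.\n\n" + SAMPLE_GRID + "\n\nKind regards,\nDelivery Team\n"
)

if __name__ == "__main__":
    print(find_text_qr_blocks(SAMPLE_EMAIL))  # grid occupies lines 4 to 14
```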

8 Warning Signs: How to Spot a Malicious QR Code

  1. It's on a sticker placed over the original printed surface - look for raised edges, misalignment, or a different printing quality below the sticker.
  2. It appears unexpectedly - a QR code in an unsolicited email, text message, or postal mail requesting urgent action is very high risk.
  3. The URL preview looks wrong - your phone shows the URL before you follow it. If the domain name is misspelled (pa1pal.com, amaz0n-payments.co), close immediately.
  4. The URL is a shortened link - bit.ly, tinyurl.com, and similar short URLs hide the real destination. Be especially cautious.
  5. The context doesn't match - for example, a QR code claims to be for a Royal Mail parcel, but you are not expecting a delivery.
  6. The landing page asks for payment card details immediately - legitimate services rarely ask for card details on the first page after a QR scan, without account verification.
  7. The landing page asks you to download an app or file - unprompted downloads after scanning are a major malware vector.
  8. Error message followed by a redirect - a decoy "page not found" screen that then redirects you elsewhere is a known quishing technique to confuse the sequence of events.

How to Stay Safe: Before You Scan

  • Preview the URL - all modern iPhone and Android camera apps show the destination URL before opening it. Read it before tapping.
  • Go directly instead of scanning - if a QR code supposedly links to your bank, your energy provider, or a government service, go to their official website directly rather than scanning.
  • Check physical codes for tampering - run your finger over the code. A sticker sits proud of the surface; the original print sits flush with it.
  • Never enter payment details or passwords via a QR-initiated page without independently verifying the service is legitimate from a browser search.

What to Do If You Have Scanned a Suspicious QR Code

  1. Do not enter any information - if the page loads and asks for login credentials, payment details, or personal information, close it immediately without entering anything.
  2. Disconnect from Wi-Fi and mobile data immediately - this stops any malware that was downloaded from communicating further.
  3. Run a mobile security scan - Malwarebytes, Norton Mobile, or your phone manufacturer's built-in security scan.
  4. Change passwords - if you entered any credentials, change them immediately across all accounts that share that password, prioritising banking and email.
  5. Report it - UK: Action Fraud (actionfraud.police.uk); US: FBI IC3 (ic3.gov); USPS: postalinspectors.uspis.gov. If the code was on a public surface, photograph it and report it to the business whose premises it appeared on.

A Note on Our QR Codes

All QR codes created with our Free QR Code Generator are static SVG/PNG files that contain exactly the URL or data you specify. We do not add redirects, tracking pixels embedded in the code pattern, or destination obfuscation. You can decode any code you create with us using any QR decoder tool and verify it contains exactly what you intended.

Frequently Asked Questions

The vast majority of QR codes in restaurants and retail environments are legitimate. The risk exists but is relatively low in contexts where the QR code is printed directly on official signage, menus, or branded materials - not applied as a sticker over an existing surface. Red flags in hospitality: a QR code on a separate small card that could have been placed by anyone; a code on a sticker that appears to be placed over an original printed code; a code whose URL preview shows an unfamiliar domain rather than the business's own domain. When in doubt, ask a staff member for the URL directly.

Scanning a QR code itself does not install malware - the scan reads the encoded data (typically a URL) and your phone displays a preview. The risk occurs when you follow the link and the destination website: (1) downloads a file to your device without your awareness (drive-by download), (2) tricks you into downloading a disguised malware package, or (3) harvests credentials you voluntarily enter on a fake login page. Modern browsers on both iOS and Android have some protection against drive-by downloads, but keeping your OS and browser up to date is the single most effective prevention measure.

Traditional phishing uses fraudulent links embedded in emails, texts, or websites to trick users into visiting malicious sites - the link is visible and can be inspected before clicking. Quishing uses QR codes to deliver the same fraudulent link, but the destination is hidden from view until after the code is scanned. Quishing is specifically effective at bypassing email security filters that scan text and URLs but do not decode QR code images embedded in email attachments or images. As email security has become more sophisticated at blocking text-based phishing links, attackers have shifted to QR codes as a delivery mechanism that evades detection.

Some third-party QR scanner apps (Kaspersky QR Scanner, Malwarebytes Privacy Scanner) include URL reputation checking that compares scanned URLs against known malware and phishing databases before loading. This adds a layer of protection beyond the native camera app. However, the native camera app on a fully updated iPhone or Android provides a URL preview before loading - the key safety step - without requiring a third-party app. A dedicated security scanner app is a useful additional layer, not a replacement for the habit of previewing URLs. Avoid downloading a QR scanner app recommended by a QR code you just scanned - that is itself a quishing technique.