What Is Quishing? QR Code Phishing Explained
Not sure about a QR code you were sent?
Before you scan or tap, check where a QR code actually leads. Our free safety checker inspects the destination and helps you spot suspicious links so you can decide with more confidence.
Check if a QR code is safe →Quishing is QR code phishing - a fast-growing scam where criminals hide a malicious link inside a QR code instead of a clickable link in an email. When you scan the code with your phone, you land on a convincing fake page built to steal your passwords, card details, or money. This guide explains what quishing is, how a quishing attack works step by step, the real-world examples making headlines in 2025 and 2026, and a practical checklist you can use to protect yourself.
What Does Quishing Mean?
The word "quishing" is a blend of "QR code" and "phishing." It describes any phishing attack that uses a QR code as the delivery method for a malicious link. Traditional phishing puts a fake link in the body of an email or text and hopes you click it. Quishing swaps that clickable link for a QR code image - in an email, a printed flyer, a letter, a parking meter sticker, or a poster - and hopes you scan it with your phone.
The QR code itself is not malicious and does not contain a virus. It is simply an encoded piece of data, almost always a URL. The danger lives entirely in the destination the code points to. That is why the single most important habit in this whole guide is to look at where a code actually leads before you act on it.
Why Do Attackers Use QR Codes?
Quishing has surged because QR codes solve several problems for attackers at once. Understanding their motivation makes the warning signs easier to recognize.
- They bypass email security filters. Many email security tools scan for malicious links and attachments in text. A QR code is just an image, so a link buried inside it can slip past filters that would have flagged the same URL if it were typed out.
- They move you onto a personal phone. Scanning almost always happens on a mobile device, which is often less protected than a managed work computer and where it is harder to inspect a link or hover to see the real address before you commit.
- They hide the real destination. You cannot read a URL by looking at a QR code. The code visually reveals nothing about where it leads, so a fake domain is completely concealed until you scan.
- They feel routine and trustworthy. People are conditioned to scan QR codes on menus, parking meters, packages, and posters without a second thought, which lowers the natural suspicion that a raw link might trigger.
How a Quishing Attack Works, Step by Step
Most quishing attacks follow the same basic playbook, whether they arrive by email or as a sticker on a parking meter:
- The lure. The attacker places a QR code somewhere you are likely to trust it - inside an email that looks like it is from your IT department, on a letter that appears to be from a delivery service, or on a sticker slapped over a genuine code in a public place.
- The hook. A message creates urgency or curiosity: your account will be locked, a package needs redelivery, a toll is unpaid, a document is waiting for your signature. The goal is to get you to scan before you think.
- The scan. You point your phone camera at the code. It resolves to a URL and offers to open it. This step alone is usually harmless - the risk starts on the next screen.
- The fake page. You land on a page that closely imitates a real login screen, payment form, or app store listing. It may use a look-alike domain or a shortened link to disguise the real address.
- The theft. When you enter your username and password, card number, or bank details - or pay a small "fee" - that information goes straight to the attacker. In some variants the page pushes you to install a malicious app instead.
Want a QR code you actually control?
When you create your own QR codes, you decide exactly where they point. With a dynamic code you can edit the destination, see how many times it has been scanned, and revoke a bad link instantly - none of which is possible with a random code you find in the wild.
Create your own QR code →Real Quishing Examples (2025-2026)
Quishing is not theoretical. Here are the forms it has taken most often in recent reports and public warnings. The specifics vary by region, but the pattern is consistent.
Fake stickers on parking meters
One of the most widely reported schemes involves criminals placing counterfeit QR code stickers on public parking meters and pay stations. Drivers scan the sticker expecting to pay for parking and are sent to a look-alike payment page that harvests their card details. Cities in several countries have warned residents to be wary of QR codes stuck onto meters, since many genuine meters do not use QR payment at all.
Fake USPS and package-redelivery messages
A common wave of quishing arrives as texts or letters claiming to be from a postal or courier service. The message says a package could not be delivered and asks you to scan a QR code or tap a link to schedule redelivery or pay a small fee. The page then requests personal and payment information. The U.S. Postal Service and consumer protection agencies have publicly warned about these fake delivery notices.
Toll and traffic-violation text scams
Another prolific variant claims you owe an unpaid road toll or have an outstanding traffic violation, and pressures you to settle it immediately through a QR code or link to avoid penalties. The urgency and the small dollar amount are designed to make paying feel easier than questioning it. The FTC and FBI have flagged unpaid-toll text scams as a large and growing category.
Fake conference and meeting invitations
The FBI has documented quishing campaigns aimed at professionals through fake conference or event invitations. An email invites you to register or view an agenda by scanning a QR code, which leads to a credential-harvesting page mimicking a corporate or event login. Because the code arrives in a business context, it can feel routine.
Swapped QR codes on restaurant tables
With QR menus now normal, attackers have covered legitimate table codes with their own stickers. Diners scan expecting a menu or a way to pay the bill and instead reach a page that asks for card details or a bogus login. This is a classic example of tampering: the physical code was genuine until someone stuck a fake one over it.
Why Quishing Is Surging
Security researchers reported that QR-code phishing rose sharply through 2025, with some measuring roughly a fivefold increase over the prior year. QR codes are now estimated to make up somewhere in the region of 10-12% of phishing payloads, up from a niche technique just a couple of years earlier. Exact figures vary between vendors and methodologies, so treat them as directional rather than precise - but the direction is unmistakably upward.
The trend has been serious enough to prompt public warnings from major authorities. The FBI and its Internet Crime Complaint Center (IC3), the U.S. Postal Service, and the Federal Trade Commission have all issued alerts about malicious QR codes, tampered stickers, and fake delivery, toll, and event messages. When multiple national agencies warn about the same tactic, it is a strong signal that everyday users are being targeted, not just large enterprises.
How to Protect Yourself From Quishing
No single trick makes scanning completely safe, but a short set of habits dramatically reduces your risk and helps you catch the vast majority of quishing attempts before any harm is done.
Your quishing safety checklist
- Preview the URL before you open it. Most phone cameras show the destination as a banner. Read it, and make sure the domain is one you actually recognize before tapping.
- Inspect physical codes for tampering. Check for a sticker placed over another code, a code that looks added on, or one in an odd location. A code on top of a code is a major red flag.
- Be wary of urgency and payment demands. "Pay now or lose access," "unpaid toll," and "package on hold" are pressure tactics. Legitimate organizations rarely force you to resolve something instantly through a scanned code.
- Never enter credentials from a QR-linked page. If a scanned page asks you to log in, stop. Open your browser and navigate to the real site yourself instead of trusting the link.
- Verify the domain carefully. Watch for misspellings, extra words, and unusual endings in the address. Shortened links hide the real destination, so treat them with extra caution.
- Confirm through an official channel. If a message claims to be from your bank, the post office, or your employer, contact them through a number or website you already trust - not the one in the message.
- Use a QR safety checker for anything suspicious. When a code feels off, paste the link into a safety checker that inspects the destination. It helps you spot known-bad and suspicious links, though no checker can catch everything.
- Keep your phone and apps updated. Software updates close the vulnerabilities that a malicious page might try to exploit, and never install an app just because a scanned page told you to.
For a deeper look at the wider threat landscape, see our guides on whether QR codes are safe and the most common QR code scams to watch for. If you run a business and worry about someone hijacking an old code, understanding whether QR codes expire and using permanent QR codes you control closes a gap attackers can otherwise exploit.
Check a code before you trust it
Got a QR code in an email, a letter, or on a sticker and something feels off? Run the link through our free checker to see where it really goes and reduce your chance of falling for a quishing page.
Check if a QR code is safe →What To Do If You Think You Have Been Quished
If you entered information on a page you reached from a suspicious QR code, act quickly to limit the damage:
- Change your password immediately for any account whose credentials you entered, and turn on two-factor authentication if it is not already active.
- Contact your bank or card issuer if you entered payment details, so they can watch for or block fraudulent charges and reissue the card if needed.
- Uninstall anything you were prompted to download from the page, and run a security scan on your device.
- Report it. Notify your bank, your employer's IT team if it was a work-related lure, and the relevant authority such as the FBI's IC3 or the FTC, which helps them track and warn others.
The Bottom Line
QR codes are a convenient technology, and the vast majority you encounter are perfectly legitimate. Quishing works by exploiting the one weakness built into every QR code: you cannot see where it leads just by looking at it. Build the habit of previewing the destination, staying skeptical of urgency and payment demands, and never entering credentials on a page you reached from a scan. Do that, and you neutralize almost every quishing attempt long before it can cost you anything.
Frequently Asked Questions
Is it safe to scan QR codes?
Scanning most QR codes from a source you trust is generally fine, but the code is only as safe as where it leads. The real risk is a code that points to a malicious website, or a legitimate code that has been covered with a sticker. Preview the destination URL before you open it, avoid entering passwords or payment details on a page you reached from a scan, and be cautious with codes in public places.
What is quishing?
Quishing is QR code phishing - a scam where attackers hide a malicious link inside a QR code instead of a clickable link in an email or text. When you scan it, you land on a fake page designed to steal your credentials, card details, or money. Attackers favor QR codes because the code hides the real URL, often bypasses email security filters, and moves the victim onto a personal phone where links are harder to inspect.
How do I know if a QR code is safe?
There is no way to be 100% certain, but you can reduce the risk. Check a physical code for stickers or tampering, use your camera app to preview the URL before opening it, and confirm the domain matches the organization you expect. Be suspicious of shortened or misspelled links, urgent payment demands, and any page that immediately asks for a login or card number. When in doubt, do not proceed and reach the business through its official website instead.
What happens if I scan a malicious QR code?
Simply scanning a malicious QR code usually just opens a link - the danger comes from what you do next. A quishing page may try to trick you into entering your username and password, filling in card or bank details, paying a fake fee, or downloading a malicious app. If you only previewed the URL and did not visit or interact with it, you are typically fine. Harm generally requires you to take an action on the page it points to.
Can a QR code give my phone a virus?
A QR code cannot hold or run a virus on its own - it only stores data such as a URL. It cannot infect your phone just by being scanned. Malware only becomes a risk if the linked page convinces you to download and install a malicious app or file, or exploits an unpatched vulnerability. Keeping your phone and apps updated and not installing apps from links you did not seek out keeps this risk low.
How do I check if a QR code is safe before scanning?
Most phone cameras show the destination URL as a preview banner before opening it, so read that link first and make sure the domain is one you recognize. For an extra layer, you can paste a suspicious link into a QR code safety checker that inspects the destination and flags known-bad or suspicious characteristics. These tools reduce risk and help you spot obvious threats, but treat them as one signal among several rather than a guarantee.
Stay a step ahead of quishing
Check suspicious QR codes before you trust them, or create your own codes you fully control - edit the destination, track scans, and revoke a bad link anytime.
Related Pages
Are QR Codes Safe?
A clear look at the real risks of scanning QR codes and how to stay safe.
Common QR Code Scams
The most common QR code scams in circulation and the warning signs to watch for.
QR Code Safety Checker
Check where a QR code leads and spot suspicious links before you scan.