GuideNacho G.8 min read

QR Code Phishing (Quishing): How to Stay Safe

QR code phishing, quishing, grew 400% since 2023. Learn how attackers use fake QR codes, how to spot them, and how to protect yourself. No jargon.

QR Code Phishing (Quishing): How to Stay Safe

This article was written by the QR Nova team. We build QR code software, which may inform our perspective.

Most security guides about QR code phishing either bury the practical advice under pages of definitions, or hand you a checklist so generic it could apply to anything digital. Meanwhile, quishing attacks grew 400% between 2023 and 2025 and now account for 12% of all phishing. Here's what actually works. QR code phishing, called quishing, exploits one simple fact: the destination URL inside a QR code is invisible until you scan it. Attackers use this blind spot to bypass email filters, redirect you to credential-harvesting pages, and push fraudulent payments. The defense is equally simple: never open the destination before verifying it.

TL;DR

  • Quishing = QR code phishing. The URL is hidden inside the code, you can't see where it goes before scanning.
  • Attacks grew 400% from 2023 to 2025; QR codes now represent 12% of all phishing attempts (Keepnet Labs, 2026).
  • Biggest attack vectors: stickers placed over legitimate codes, QR codes in email PDFs to bypass spam filters, fake invoice and parking meter codes.
  • Defense: use a scanner that previews the URL, verify the domain before tapping, and treat any unexpected QR code as potentially hostile.

What is QR code phishing (quishing)?

Generate your first QR code — free

Get started

QR code phishing, quishing, is an attack where a malicious QR code redirects the scanner to a fake website, a malware download, or a payment authorization page. The term combines "QR" and "phishing." Unlike a suspicious link in an email that a cautious user might hover over to preview, the URL inside a QR code is completely invisible until you've already pointed your camera at it and your phone has followed the redirect.

The attack surface is broader than most people realize. Understanding how QR codes can be hacked starts here: a QR code can encode any URL, the code itself carries no indicator of intent. It's just a matrix of black and white squares. A code printed on a restaurant table, stuck on a parking meter, or attached to an official-looking invoice email is indistinguishable from a malicious one without reading its encoded content first.

This is what makes quishing structurally different from traditional email phishing. Email security gateways have spent years learning to detect malicious links. A QR code in a PDF attachment bypasses that entire layer, the security gateway sees an image, not a URL, and passes it through. As of early 2026, this gap is one of the primary reasons quishing has scaled so fast.

How bad is it? the data on quishing in 2026

QR code phishing attacks increased 400% between 2023 and 2025, according to analysis by Keepnet Labs. Between August and November 2025 alone, quishing incidents grew 5×, jumping from roughly 46,000 to 250,000 documented cases per month. By early 2026, QR codes account for roughly 12% of all phishing attacks, with 68% of these attacks targeting mobile users, the primary QR code scanning device.

ZenSec's 2025 threat intelligence report identified 1.7 million unique malicious QR codes in email attachments across the year. Microsoft's Digital Defense Report flagged more than 15,000 daily QR-code-bearing phishing emails targeting the education sector. These numbers are almost certainly undercounts, QR codes in physical environments (stickers, printed materials) generate no server-side data and are rarely formally reported.

The brands most targeted by quishing campaigns in 2025 were Mastercard (14,233 documented malicious codes) and Microsoft (11,796), per Keepnet data. Financial services and cloud identity providers are the prime targets because credential theft from these platforms yields the highest downstream value.

How attackers use fake QR codes

Quishing attacks take several distinct forms, each suited to different environments and targets. Understanding the mechanics helps you recognize them in the wild.

The sticker-over-sticker attack

The most physically dangerous quishing method: a criminal prints a QR code sticker and places it over a legitimate code on a parking meter, a restaurant table card, a poster, or a building entrance sign. The victim sees the legitimate surrounding context, the official-looking sign, the familiar restaurant environment, and trusts the code by association.

In 2022 and 2023, the City of Austin, Texas reported dozens of compromised parking meters where quishing stickers covered legitimate payment codes. Drivers who scanned the fake codes were redirected to a payment page that collected credit card details but never processed a parking payment. The stickers were visually indistinguishable from the originals at a glance.

QR codes in email attachments (seg bypass)

Secure Email Gateways (SEGs) scan for malicious links in email bodies and attachments. A QR code embedded in a PDF image bypasses this scanning entirely, the gateway processes a JPEG or PNG, not a URL. The attacker sends a fake invoice, HR policy update, or package notification containing a QR code. The recipient, told to "scan the code to confirm receipt," scans it on their phone, which is outside the corporate security perimeter, and lands on a credential-harvesting page.

This technique is why QR code phishing accelerated through enterprise environments. The Acronis Cybersecurity Report for 2026 identified QR code phishing as a top-tier evasion technique specifically because it routes attacks through personal mobile devices that bypass corporate endpoint detection.

Fake WiFi, event, and retail codes

QR codes in public spaces, hotel lobbies for WiFi access, event venues for check-in, retail stores for loyalty programs, attract people who are distracted, in motion, and expecting to scan something. An attacker who posts a fake "Free WiFi" QR code in a coffee shop or airport lounge can harvest credentials from dozens of users per day. No elaborate setup required.

Impersonation of government and utility services

Quishing campaigns increasingly impersonate government services: tax refund QR codes (HMRC in the UK, IRS in the US), utility bills with QR payment codes, vehicle registration notices. These work because the average person has low baseline skepticism about official-looking printed mail.

Why 73% of users scan without checking

Research from KnowBe4 and NordVPN found that 73% of users scan QR codes without verifying where the link goes. This isn't a failure of intelligence, it's a failure of friction. Traditional phishing defense relies on making users pause and evaluate. QR codes collapse that pause: the physical act of pointing a camera and the digital act of following a link happen in under two seconds, with no visible URL to inspect.

Mobile browsers compound this. On a desktop, a suspicious URL is immediately visible in large text. On a mobile browser, the address bar is small, often truncated, and most users never look at it, they're focused on the page content that loaded. A convincing fake login page doesn't need a perfect URL if users never check it.

The deeper problem is physical trust. A QR code printed in a menu, on official signage, or inside a building that requires entry feels categorically different from a link in an unsolicited email. The physical world has been trusted for centuries. Attackers are exploiting that trust directly.

How to recognize a malicious QR code

There is no visual way to distinguish a legitimate QR code from a malicious one by looking at the pattern. Quishing defense is procedural, not visual. These are the specific signals worth checking:

Check for stickers

Before scanning any QR code on a physical surface, especially payment terminals, parking meters, or public signage, look for signs that a sticker has been placed over the original code. Slight misalignment, bubbling edges, a different paper texture, or a sticker outline around the code are all indicators. On a restaurant table, check that every table has matching codes in matching positions, a sticker attack is usually inconsistent across a room.

Preview the URL before opening

Use a QR scanner that shows you the destination URL before opening it. Our guide on how to scan a QR code covers the safest scanning practices in detail. iOS 16+ native camera does this: it shows a small URL preview at the bottom of the screen when you hold your camera over a QR code, before tapping. Most dedicated QR scanner apps (not the built-in camera shortcut) show the URL for review. Make it a habit to read it before tapping.

Verify the domain exactly

Quishing pages use look-alike domains: paypa1.com, microsott.com, amazon-security.net. Check that the domain matches the organization exactly. Subdomains are a common trick, "paypal.com.security-check.net" looks legitimate to a quick reader but the actual domain is "security-check.net," not paypal.com. The domain is everything to the right of the last slash before the first path segment.

Treat unexpected QR codes as hostile by default

Any QR code that arrived unsolicited, in an email you didn't request, on a piece of mail you weren't expecting, on a sign that appeared recently, deserves the same skepticism as a cold call asking for your bank details. Legitimate services almost never need you to scan a QR code when they can send a hyperlink. When they do use QR codes (boarding passes, event tickets, 2FA setup), it's in a context you initiated.

The specific failure cases that generic guides miss

Most quishing guides cover obvious scenarios. These are the failure modes they skip:

Quishing in PDF invoices (B2B vulnerability)

Finance teams process dozens of vendor invoices per day. A PDF invoice containing a QR code labeled "scan to confirm receipt" arrives from a sender that looks like an established vendor, name spoofing is trivial. The finance team member scans it to process the document quickly, without suspecting a QR code on an invoice is unusual. This attack vector has spiked in B2B environments because invoice-related emails are high-volume and treated as routine.

Quishing at physical events

Conference check-in kiosks, event wristband stations, and tradeshow badge scanners increasingly use QR codes. An attacker who prints and posts a fake event check-in QR code near the legitimate station captures attendee credentials and potentially corporate badge data. Physical events are low-security environments, staff is focused on throughput, not verification.

Internal it impersonation

An internal phishing campaign impersonating the IT helpdesk sending a "required security update" QR code for multi-factor authentication setup is particularly effective. Employees are conditioned to comply with IT requests. A QR code framed as "mandatory, scan to enroll your new device" bypasses the skepticism users might apply to external emails.

How to protect your organization

Individual vigilance matters, but organizational defenses are more reliable. The practical controls that reduce quishing exposure:

  • Configure SEG to flag QR codes in attachments: Modern email security platforms including Proofpoint, Mimecast, and Microsoft Defender now offer QR code content extraction. Enabling this means the embedded URL is analyzed rather than the image being passed through unchecked.
  • Deploy mobile threat detection (MTD): MTD solutions can inspect URLs at the moment of opening on a mobile device, providing a second check after the QR code is scanned.
  • Train staff on the sticker attack pattern specifically: Generic phishing training that skips physical QR code attacks misses the most common delivery vector.
  • Disable automatic URL opening in QR scanner settings: On both iOS and Android, QR scanning can be configured to preview the URL rather than open it immediately. This one setting adds the critical pause that most users otherwise skip.
  • For physical locations: laminate your QR codes: A laminated code is harder to sticker over. For payment codes, periodically verify the code by scanning it yourself and confirming the destination.

When to use QR codes safely — and when not to

QR codes are not inherently dangerous, they're a neutral encoding format. For a broader look at whether QR codes are safe, see our full safety guide. The risk is context-dependent. Here's when QR codes are safe to create and distribute without adding risk to your audience:

  • Static codes pointing to known, permanent destinations: A URL QR code you create yourself, pointing to your own domain, is as safe as any link on your website. The risk of static codes is almost entirely on the receiving end (verifying the physical code hasn't been tampered with).
  • On-site WiFi access: A WiFi QR code generated on your own premises for guests connects them to your network, nothing more. There is no redirect layer and no URL to spoof.
  • Event tickets and boarding passes you initiated: QR codes you requested (airline app, ticketing platform) are legitimate by definition because you triggered their generation.

The category that adds risk: dynamic QR codes managed by third-party platforms. If a platform is compromised, if the short URL gets hijacked, or if a vendor's domain lapses and is re-registered by an attacker, a previously legitimate dynamic code can become malicious without the code owner doing anything wrong. For high-stakes use cases, financial transactions, authentication, healthcare, static codes that point directly to your own domain reduce this attack surface meaningfully.

How QR nova approaches code safety

The trust problem in QR codes runs deeper than phishing. It includes who controls the destination and what happens when that control changes. QR Nova's static codes encode the URL directly, there is no redirect layer and no platform server in the chain. If you create a QR code pointing to your own website, the code points to your website. Permanently. No account required, nothing to renew, no third-party server that could be compromised or allowed to lapse.

For users concerned about the safety of QR codes they receive, the same principle applies: a code pointing directly to a domain you recognize, not through a short URL redirect, is safer by design. Create a direct-link QR code free at QR Nova, no sign-up required, and give your audience a code they can verify on sight.

Quishing is an exploitable gap precisely because most QR codes use redirect layers, short URLs that obscure the final destination. Reducing dependency on redirect-based dynamic codes, where the destination is not visible until the final server response, closes one of the primary vectors attackers rely on.

Frequently asked questions

What is quishing?

Quishing is QR code phishing, an attack where a malicious QR code redirects you to a fake website designed to steal your credentials, install malware, or authorize a fraudulent payment. The term combines 'QR' and 'phishing.' Unlike email links, the destination URL is hidden inside the QR code pattern and invisible until you scan it.

How common is QR code phishing in 2026?

QR code phishing attacks increased 400% between 2023 and 2025, and quishing incidents grew 5× between August and November 2025 alone, from 46,000 to 250,000 cases per month. As of early 2026, QR codes account for roughly 12% of all phishing attacks, according to data compiled by Keepnet Labs.

Can my phone's camera get hacked by scanning a QR code?

Scanning a QR code with your camera does not execute code on your device. The risk comes from the URL the code sends you to: a phishing page that tricks you into entering credentials, a site that exploits a browser vulnerability, or a payment request. Your camera itself is safe, your browser is the attack surface.

How do I verify a QR code before scanning it?

Use a QR code scanner app that shows you the destination URL before opening it, most dedicated scanner apps do this, as does iOS 16+ native camera. Check that the URL domain matches the expected organization exactly (attackers often use look-alike domains like 'paypa1.com' instead of 'paypal.com'). If a QR code appears on a poster or in a public space and its URL looks unfamiliar, don't scan it.

What should I do if I scanned a malicious QR code?

If you scanned a suspicious code but didn't enter any information: close the browser tab immediately. If you entered credentials: change the password for that account immediately and enable two-factor authentication. If you authorized a payment: contact your bank or payment provider. If you installed an app: remove it and run a security scan. Report the incident to your IT team if you're on a work device.

Are QR codes in emails safe to scan?

QR codes in emails are a major attack vector, 1.7 million unique malicious QR codes were detected in email attachments alone in 2025. Treat QR codes in unsolicited or unexpected emails with the same suspicion you'd treat a link from an unknown sender. Legitimate companies rarely need to send a QR code via email when they can just send a hyperlink.

How do criminals use QR code phishing?

Common quishing methods include: placing a fake QR code sticker over a legitimate code on a parking meter or restaurant table; embedding malicious QR codes in PDF attachments to bypass email link filters; sending fake invoice or package notification emails with QR codes; and physically replacing event check-in codes. The sticker-over-sticker attack is particularly hard to detect because the surrounding context (the legitimate sign or table) adds trust.

Generate your first QR code — free

Get started