
Remember when QR codes were a quirky novelty? We’d scan them to visit a website or get a discount at a store. Fast forward to today, and they’re everywhere! We scan them to view restaurant menus, pay for parking, board a flight, or even log in to our bank accounts. They’re incredibly convenient, but with this convenience comes a brand-new security threat: QR code phishing, or “quishing.”
Cybercriminals have noticed how much we trust these little black and white squares. They’ve realized that a QR code is a perfect way to hide a malicious link, and a scam that was once easy to spot in an email is now being delivered in a format we barely think twice about. Quishing is a growing threat in 2025, and understanding how it works is the first step to staying safe.
What is Quishing and How Does it Work?
Quishing is a simple but effective scam. Phishing, as you know, is when a criminal tries to trick you into giving up personal information by sending you a fake email, text, or message. Quishing is the same idea, but instead of a clickable hyperlink, the malicious link is hidden inside a QR code.
The QR code acts as a digital mystery box. You can’t see the URL it contains just by looking at it. All you see is the code itself. A scammer can create a fake QR code that looks completely legitimate but actually links to a malicious website. They can then deliver this fake QR code in a variety of ways:
- In Phishing Emails: You might get an email from what looks like a trusted company, like your bank or a major online retailer, with a QR code instead of a traditional link. The email might say something like, “Scan this QR code to confirm your account login,” or “Scan for a special discount!”
- Physical Posters: A scammer could print out a fake QR code and stick it over a legitimate one on a poster or a restaurant menu. You might think you’re scanning to see the menu, but you’re actually being redirected to a fake website.
- Fake Invoices or Bills: An invoice with a QR code for “fast payment” could be a scam to get you to enter your credit card information on a fake payment portal.
Once you scan the malicious QR code, your phone’s browser will open the dangerous URL. From there, you could be taken to a fake login page designed to steal your username and password, a website that automatically downloads malware, or a site that tries to trick you into providing personal or financial details.
Your Quishing Defense Strategy: How to Stay Safe in 2025
The good news is that you don’t have to stop using QR codes. They’re too convenient to ignore! You just need to become a smarter, more cautious user. Here’s your personal guide to avoiding quishing scams:
- Don’t Scan Unsolicited Codes: If you get an email or a message with a QR code that you weren’t expecting, be highly suspicious. Instead of scanning it, go directly to the company’s website by typing the URL into your browser manually.
- Verify the Source: Before you scan a QR code on a physical poster or sign, check it carefully. Does the poster look legitimate? Is the QR code a sticker placed on top of another code? If a menu has a QR code, ask a staff member if it’s the correct one. A little bit of in-person verification can go a long way.
- Check the URL Before You Click: Many modern smartphones and QR code scanning apps will show you the URL that the code links to before you navigate to it. Always take a moment to look at this URL preview.
  - What to look for: Is the URL exactly what you would expect? Does it use “HTTPS”? Is the domain spelled correctly (e.g., www.amazon.com instead of www.amason.com)? If the URL looks suspicious, don’t click it!
- Use a Security App: Some mobile security apps can detect malicious URLs even before you visit them, providing an extra layer of protection.
- Be Skeptical of “Urgent” Requests: Scammers often use a sense of urgency to get you to act without thinking. If an email with a QR code is telling you that your account will be locked if you don’t act now, it’s likely a scam.
- Don’t Enter Information on a Scanned Site: If you scan a QR code and it takes you to a page asking for your login credentials or other personal information, be extremely cautious. It’s always safer to navigate to that website on your own by typing in the URL.
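The “Check the URL Before You Click” step above can also be automated. The following is an added example, not part of the original article: it takes the URL decoded from a QR code and flags a missing HTTPS scheme, an unexpected domain, or a near-miss spelling such as amason.com. The function names, the EXPECTED_DOMAINS list, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user actually expects to reach (constructed list).
EXPECTED_DOMAINS = {"amazon.com", "paypal.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Simplification: keep the last two labels. Production code should
    consult the Public Suffix List so names like example.co.uk work."""
    return ".".join(host.split(".")[-2:])

def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of warnings for a URL decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    domain = registered_domain(host)
    if domain in expected:
        return warnings  # exact match on an expected domain
    closest = min(sorted(expected), key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, closest) <= 2:
        warnings.append(f"lookalike of {closest}")  # e.g. one letter swapped
    else:
        warnings.append("unexpected domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner's URL preview would show them.
    for sample in ("https://www.amazon.com/", "https://www.amason.com/login",
                   "http://www.amazon.com/", "https://menu.example.net/"):
        print(sample, "->", check_qr_url(sample) or "no warnings")
```

An empty result only means the URL passed these checks; it does not prove the destination is safe.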
QR codes are a great modern tool, but like all technology, they can be weaponized by bad actors. By being mindful of the source and taking a moment to check the URL, you can continue to use them safely and avoid becoming a victim of quishing.