Quishing: QR Code Phishing

Quishing is the use of fraudulent QR codes in order to plant malware on your device and get access to personal data.

Uncover the dangers of QR phishing (Quishing): Learn to identify and prevent it, ensuring your digital safety and privacy.

Free Antivirus

What is quishing?

QR phishing, also known as ‘quishing,’ is a cybercrime that exploits the popularity of QR codes. In this scam, cybercriminals create malicious QR codes that, when scanned, lead to fraudulent websites or prompt downloads of harmful software. As people increasingly use QR codes for various purposes, such as accessing menus or making payments, they may unknowingly scan these deceptive codes, putting their personal information at risk.

This behavior was highlighted during the 2022 Super Bowl when Coinbase’s innovative QR code advertisement led to a significant increase in app downloads. However, it also raised concerns in the cybersecurity community, especially in light of recent Crypto QR scams where scammers used QR codes to manipulate victims into withdrawing money from their accounts.

The term “quishing” combines QR codes and phishing, indicating a method where malicious actors create fake QR codes to direct users to spoofed sites, steal information, or install malware on their devices. The goal is to deceive individuals into believing they are interacting with a harmless or necessary QR code, while the true intent is to access and steal personal and financial information.

What is a QR code?

QR codes, or Quick Response codes, are two-dimensional barcodes that can store a large amount of data and be read quickly by smartphones or barcode scanners. Originally invented by a Japanese automobile manufacturer in 1994 to improve efficiency in manufacturing, QR codes have seen a surge in use in recent years.

They became particularly popular during the pandemic as a way to maintain business continuity while adhering to social distancing rules. As a result, consumers have become more accustomed to scanning QR codes, with studies predicting that more than 100 million users in the US will use their phones to scan QR codes by 2025.

The versatility of QR codes, which can be scanned from both screens and paper, has led to their widespread adoption across various industries, including payment processing, marketing, and advertising. Today, QR codes are commonly found in public spaces like billboards and restaurants, as well as in digital communications such as text messages, social media, and emails.

Static vs dynamic QR codes

QR codes can be categorized into two main types based on their data flexibility: static and dynamic.

Static QR codes are fixed and cannot be altered once created. They are commonly used for sharing static information like a website URL, contact details, or a Wi-Fi password.

Dynamic QR codes, in contrast, are more flexible as the information they encode can be updated or changed without changing the code’s appearance. They contain a unique URL that directs users to a server where the information is stored. This adaptability makes them ideal for situations where the content needs frequent updates, such as event information, promotional offers, or real-time inventory tracking. However, this same flexibility also poses a security risk, as scammers can exploit dynamic QR codes by altering their source to redirect users to malicious sites.

What is phishing?

Phishing is a widely used method by cybercriminals to access valuable data through social engineering attacks, primarily via emails. A typical phishing email contains a link or attachment, enticing the user to click or download it, with the aim of stealing sensitive information like financial details or company login credentials.

However, as attackers continuously seek more effective techniques, new phishing tactics have emerged, including vishing (voice phishing), smishing (SMS phishing), and quishing (QR phishing). These variations exploit different communication channels to carry out similar deceptive practices, with quishing specifically leveraging the popularity and convenience of QR codes to trick users into revealing their personal information.

How does quishing work?

Quishing is a type of phishing attack that utilizes QR codes to deceive individuals into visiting harmful websites or downloading files containing malware. QR codes can host various sources, such as links, documents, and payment portals, making them a versatile tool for cybercriminals. These codes can be manipulated to contain malicious links, virus-laden documents, or fake payment portals. Since the content behind a QR code is not visible when it is displayed as an image, it provides an ideal means for scammers to evade security measures by embedding them in emails.

A quishing attack typically starts with a cybercriminal creating QR codes that redirect to a fraudulent login page to harvest victims’ credentials or to a site that automatically downloads malware upon scanning. These malicious QR codes can be inserted into emails as images or attachments, or they can be placed in public areas where people are likely to scan them. Once the QR code is scanned, victims may be prompted to enter sensitive information such as login details or banking information, or they might unwittingly download harmful software or apps. In some cases, the download of malicious content can occur automatically right after the code is scanned, further compromising the victim’s device.

Understanding QRLJacking: A case study in quishing

QRLJacking is a sophisticated form of quishing that specifically targets Quick Response Login (QRL) systems. QRL is a user-friendly authentication method that allows users to log into websites, applications, or digital services by scanning a QR code with their smartphone. This method eliminates the need to remember complex passwords, offering a convenient alternative for users.

However, this convenience also introduces a vulnerability that cybercriminals have learned to exploit. In a QRLJacking attack, hackers initiate a session on the targeted website or app and clone the legitimate QR code. They then manipulate the cloned code by redirecting it to their own server and embed it in a fake login page that mimics the original. The malicious QR code is distributed through emails or other channels, tricking users into scanning it to log in.

The danger of QRLJacking becomes apparent when multi-factor authentication is not activated. As soon as the victim scans the manipulated QR code, the attacker gains immediate access to the victim’s account. A notable example of this attack occurred with ING Bank, whose app allowed customers to log into a second device by scanning a QR code. Cybercriminals exploited this feature, tampering with legitimate QR codes within the app. Unwitting users who fell victim to the scam discovered that significant amounts of money had vanished from their accounts.

How can you detect a quishing attack?

Detecting a quishing attack can be challenging due to the inherent nature of QR codes, which conceal their contents until scanned. Unlike traditional phishing attacks, quishing emails contain QR codes as plain images or within attachments with non-suspicious extensions, allowing them to bypass malware detectors and email filters. This means they can evade detection and not be relegated to the spam folder, leaving individuals vulnerable to social engineering tactics.

The allure of QR codes for scammers lies in their ability to pique curiosity and exploit emotions such as fear and urgency. These emotional triggers can lead unsuspecting victims to scan malicious QR codes intended for fraudulent activities, such as paying fake bills or fines. The convenience and speed of QR codes are exploited to facilitate these scams.

To protect yourself from QR code fraud, it’s important to be vigilant and look for certain signs before scanning a QR code:

  • Unexpected or unsolicited QR codes: Be cautious of QR codes that appear in unsolicited emails or messages, especially if they prompt you to take immediate action.
  • Lack of context or explanation: Legitimate QR codes are usually accompanied by clear explanations of their purpose. Be wary of codes that lack context or a credible source.
  • Suspicious sender: Check the sender’s email address or contact information for any signs of illegitimacy, such as misspellings or unusual domain names.
  • Urgency or pressure: Scammers often create a sense of urgency to prompt quick action. Be skeptical of messages that pressure you to scan a QR code immediately.
  • Verify the source: If possible, verify the legitimacy of the QR code by contacting the supposed sender through official channels.
  • Use a secure QR code scanner: Some QR code scanner apps offer security features that check the safety of the link before opening it. Consider using such an app to add an extra layer of protection.

By being aware of these signs and exercising caution, you can reduce the risk of falling victim to a quishing attack and protect your sensitive information from being compromised.

This is how you can protect yourself against quishing

To safeguard against quishing attacks, it is important to combine general phishing prevention strategies with measures specifically tailored to the unique challenges posed by QR codes:

  1. Verify the QR source: Exercise caution when scanning QR codes, particularly from unknown sources or those promising too-good-to-be-true offers. If the code comes from a seemingly official source, a friend, or a colleague, verify its authenticity directly with them or visit their official website.
  2. Use a reliable QR code reader: While most smartphones have built-in QR scanning capabilities, if you opt for a third-party app, ensure it’s reputable. Be wary of fraudulent updates for QR scanning apps, as they have been known to distribute malware in the past.
  3. Preview the destination URL: If your scanning app allows, preview the link to which the QR code directs you before accessing it. This precaution helps protect against QR codes that automatically download malware upon scanning.
  4. Be cautious with personal information: After scanning a QR code, be vigilant when prompted to enter personal information on a linked page. Double-check the logo and full URL of the site, and if possible, manually type the original URL into your browser instead of using the link provided by the QR code.
  5. Enable two-factor authentication: Adding this extra layer of security can prevent unauthorized access to your accounts, even if a cybercriminal obtains your credentials. Be cautious about accepting authentication notifications on your phone unless you’ve initiated an account access attempt.
  6. Stay informed with security awareness training: Regularly updating your knowledge of cybercriminal tactics and how to respond to potential attacks can keep you ahead of threats.

By following these recommendations, you can enhance your defense against quishing attacks and protect your sensitive information from falling into the wrong hands.

What is a QR code?

What is phishing?

What is social engineering?

What is digital footprint?

What is spear phishing?

What is catfishing?

What is phishing email?


QR codes can be used by cybercriminals for malicious actions, like embedding malware in the codes. When scanned, these compromised QR codes can infect devices with various types of malware, including viruses, worms, Trojans, spyware, and adware which can lead to the theft of personal information, unauthorized access to sensitive data or phishing attacks.