TheVortiq
Futuro del trabajo

Quishing: The New QR Code Scam That's Already Draining Accounts

Cybercriminals exploit trust in QR codes to steal banking and personal data. Learn to identify the danger signs.

July 16, 2026 · 6 min read

black android smartphone displaying qr code

TL;DR: Quishing is a scam that uses malicious QR codes to steal data. Attackers place fake codes in public places or send them via email. To protect yourself, inspect codes, verify URLs, and don't enter personal data without ensuring site legitimacy.

What is quishing and why is it growing?

Quishing (QR + phishing) is a fraud technique where cybercriminals use malicious QR codes to trick victims. Scanning the code directs the person to a fake page that mimics a legitimate service (online banking, social media, etc.) to steal credentials or install malware. According to ZDNet, this method has proliferated because users trust QR codes without verifying their origin, and attackers can bypass traditional antiphishing filters that analyze links in emails. Quishing is not entirely new; its early variants emerged around 2010 when QR codes became popular in marketing campaigns. However, it was during the COVID-19 pandemic that QR use skyrocketed: restaurants, airlines, and events adopted contactless digital menus and passes, creating an ideal ecosystem for scammers. According to data from cybersecurity firm Check Point, quishing attacks increased by 587% between 2020 and 2023. Moreover, conventional antiphishing filters that analyze text and links in emails cannot detect a QR code embedded in an image, making quishing a particularly stealthy threat.

How do scammers operate?

Attackers place QR codes in busy locations (parking meters, restaurants, billboards) or send them via email pretending to be legitimate entities. Upon scanning, the victim is redirected to a website that requests sensitive data. A common example is a fake parking lot QR code that leads to a fraudulent payment page. ZDNet warns that they can also appear on flyers or emails mimicking courier companies or public services. In some cases, attackers stick QR labels over legitimate codes on parking meters or ATMs, a technique known as “QR sticker swapping.” There have also been reports of emails impersonating a company's HR department, asking to scan a QR to update bank details. Once the victim enters their credentials, attackers can make transfers, access corporate accounts, or install malware like banking trojans. ZDNet highlights that scammers exploit user trust: upon seeing a QR, many assume it's safe because they've used it before in legitimate contexts.

Why is it important now?

QR code use surged during the pandemic and has become normalized in restaurants, events, and payments. Cybercriminals have leveraged this familiarity to launch massive campaigns. Additionally, mobile phones, the primary device for scanning QR codes, often have fewer protections than computers. The lack of digital education about this risk causes many users to fall for the trap. According to a study by security firm Ivanti, 75% of users do not verify the URL of a QR code before clicking. This is especially dangerous because, unlike a link in an email, the QR does not reveal its destination until scanned. Moreover, mobile phones lack the security barriers that computers have, such as advanced firewalls or antiphishing browser extensions. The pandemic not only increased QR use but also normalized contactless digital interaction, reducing natural distrust of these codes. Events like the Super Bowl or massive concerts have been venues for quishing campaigns, where attendees scan codes to access fake maps or promotions.

Consequences for businesses and users

For users, consequences can include identity theft, financial losses, and unauthorized account access. For businesses, quishing can damage their reputation if customers fall victim to fake codes mimicking their brand. Additionally, companies must invest in awareness campaigns and code verification technologies. A notable case involved a major parking chain in the United States, where attackers placed fake QR codes on parking meters, redirecting users to a fraudulent payment site. This not only affected drivers but also triggered a trust crisis for the company. For organizations, quishing can lead to data breaches, regulatory fines (such as those imposed by GDPR in Europe), and remediation costs. A report by cybersecurity firm Barracuda Networks indicates that the average cost of a quishing attack for a medium-sized company is $1.2 million, considering direct losses, reputational damage, and incident response expenses.

How to detect and avoid quishing?

  • Inspect the QR code: if it's stuck over an original, it's suspicious. Attackers often use low-quality stickers that are noticeable to the touch or by observing irregular edges.
  • Check the URL: before entering data, verify that the web address is official. Look for spelling errors or strange domains. Many phones show a URL preview before opening it; get used to reading it carefully.
  • Don't scan codes from untrusted sources: avoid scanning QR codes in public places if you're unsure of their origin. In restaurants, ask for a printed menu or verify that the QR code is in a fixed location and not a sticker.
  • Use security apps: some mobile antivirus apps like Kaspersky or Bitdefender can analyze QR links before opening them, blocking malicious ones.
  • Enable multi-factor authentication: even if your credentials are stolen, the second factor can stop access. This is especially important for bank and email accounts.
  • Be wary of unexpected emails: if you receive an email from a known entity asking you to scan a QR, verify its legitimacy by contacting the company directly through other channels.

What to do if you've been a victim?

If you scanned a QR code and provided data, immediately change your passwords, contact your bank, and monitor your accounts. Report the incident to your country's cybersecurity authorities, such as INCIBE in Spain or CISA in the United States. ZDNet also recommends clearing your browser history and reviewing app permissions, as some QR codes can lead to sites that download malware without the user's knowledge. If you entered banking information, notify your bank to freeze the card or account. Additionally, consider running a security scan on your phone with an antimalware tool. Keep a record of all actions taken to facilitate the investigation.

The future of quishing

Experts anticipate that attacks will become more sophisticated, using dynamic QR codes that change destinations or combining with social engineering techniques. For example, attacks have already been seen using QR codes that lead to pages mimicking Microsoft 365 login, requesting corporate credentials. Attackers are also expected to integrate quishing with other tactics like vishing (voice phishing) or smishing (SMS phishing) to create multi-channel campaigns. Continuous education and the use of verification tools will be key to mitigating risk. Companies are developing solutions such as QR scanners that verify domain reputation before opening the page, and mobile operating systems may incorporate security alerts when scanning codes. However, the ultimate responsibility lies with the user: staying informed and skeptical of any QR code that promises too-good-to-be-true offers or urgency in action.

Keep reading