Quishing is the new QR code scam you need to watch out for – here's how to stay safe


  • Banks and regulators have warned of the growing risk of quishing
  • A type of phishing that uses fraudulent QR codes to steal information
  • These malicious links aren’t easily recognized by users or email scanners

It’s not just suspicious links you need to watch out for in your email inbox: QR code phishing – or “quishing” – is becoming an increasingly common threat, with fraudulent codes designed to slip through security systems and fool you into surrendering your financial information.

A number of UK banks, together with the UK National Cyber Security Centre and US Federal Trade Commission, have recently warned of the dangers of these increasingly sophisticated quishing scams.

In a quishing attack, a QR code is usually sent as an attachment to an email. The email will appear to be from a legitimate source, such as a lender. When you scan the code, it will direct you to a malicious link. This will usually ask you to submit personal details, but it could also attempt to install malware or even capture an MFA token to bypass the protection on your login.

What’s more, quishing attacks have now spread into the real world. Earlier this year, the RAC warned motorists of fraudulent QR codes being stuck to parking machines. When scanned, these would link users to a website that aims to steal the details and payment information of someone who believes they’re paying for parking.

These attacks have increased since the pandemic, when the use of QR codes ballooned. As a hands-free way to access everything from menus to medical forms, QR codes became a familiar and apparently trustworthy way to access information and services.

Gone quishing

Like a classic phishing scam, quishing aims to fool you into believing that you’ve been sent the link from a legitimate source. The email will usually appear to be from a bank or email provider, asking you to confirm your details to ‘secure’ your account. The scam will use a fake website that mimics the real thing to fool you into believing it’s legitimate.

Because the content of a QR code isn’t immediately visible from looking at the code alone, it’s difficult to check if one is legitimate. What’s more, these codes often slip past cyber security tools, which aren’t easily able to verify whether an attached code is genuine.

Scammers also find increasingly advanced ways to hide their scams from security tools. In addition to hijacking legitimate email accounts, some QR code scams use genuine personal information harvested from sites such as LinkedIn to personalize emails to appear relevant to an individual. Domain redirection is often used to bounce users through several URLs, which prevents email scanners from detecting the true malicious link behind the QR code.

A similar version of the scam, featured in a report from Perception Point, sends users to me-QR.com, a legitimate website for making QR codes. Once there, the service scans a second QR code, which leads to a malicious landing page hosted on SharePoint, Microsoft’s web-based collaboration platform.
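For defenders, the redirect bouncing described above can be checked once the URL has been decoded from the attached QR image. The following is an added example, not code from the article or from any vendor it mentions: it assumes the URL is already decoded and that a sandboxed fetcher has recorded each redirect, and every host name, function name and finding label in it is a constructed placeholder.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: redirect responses a sandboxed fetcher might record
# (URL -> Location header). All hosts are placeholders under .example.
RECORDED_REDIRECTS = {
    "https://qr-maker.example/r/abc": "https://tracker.example/click?id=1",
    "https://tracker.example/click?id=1": "https://files.example/sites/x/login.html",
}

MAX_HOPS = 10


def host_of(url):
    """Lower-cased hostname of a URL ('' if missing)."""
    return (urlsplit(url).hostname or "").lower()


def same_site(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def resolve_chain(start_url, redirects, max_hops=MAX_HOPS):
    """Follow recorded redirects; stop on a loop or after max_hops."""
    chain, seen = [start_url], {start_url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in seen:  # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_qr_url(qr_url, sender_domain, redirects):
    """Return (chain, findings) for a URL decoded from an emailed QR code."""
    chain = resolve_chain(qr_url, redirects)
    hosts = [host_of(u) for u in chain]
    findings = []
    if urlsplit(qr_url).scheme != "https":
        findings.append("qr-url-not-https")
    if len(set(hosts)) > 2:
        findings.append("multi-domain-redirect-chain")
    if not same_site(hosts[-1], sender_domain):
        findings.append("landing-host-not-sender-domain")
    if not same_site(hosts[0], sender_domain):
        findings.append("first-hop-not-sender-domain")
    return chain, findings
```

The point of judging the whole chain rather than the first URL is that the first hop can be a legitimate service, as in the Perception Point case, while only the final landing page is malicious.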

We’ve written in depth about the evolution of phishing attacks and how to stay safe from quishing attacks. In May, McAfee – the security software company – ran a survey that found more than 20% of online scams in the UK probably involved QR codes. With lenders and regulators now raising concerns, quishing is definitely the next big thing in online scams.

Chris Rowlands

Formerly News Editor at Stuff, Chris now writes about tech from his tropical office. Sidetracked by sustainable stuff, he’s also keen on cameras, classic cars and any gear that gets better with age.
