The use of QR codes has grown exponentially since their introduction in the mid-90s. What was once created to track the location of automotive equipment is now used for event registration, link sharing, artistic endeavors, and more!
But with such rapid and widespread adoption also comes risk, and QR codes are far from 100% safe. One scam in particular that makes use of QR codes is known as QR Phishing or Quishing. In this piece I will go over the basics of quishing, what it is, how it works, and how you can best protect yourself from an attack. So let’s get started!
Phishing is a type of scam that makes use of phony websites or other services in order to steal your personal information, financial information, and money. This can be done either by having the user enter their own information willingly on the phony site or by installing some sort of malware or spyware onto their device.
Most phishing scams occur via an unsolicited email that appears to be from an official source. Many of these emails will contain a QR code that users are instructed to scan in order to move forward with an offer or gain more information. When a phishing scam involves a QR code, it is known as QR phishing or quishing.
While emails are the most common way quishing scams are distributed, they can be found just about anywhere you would expect to see a regular QR code, including:
Phishing scams have been on the rise in recent years, with more and more every day involving QR codes. As the usage of QR codes increases, so too does the number of quishing cases. From 2023 to 2024, the number of quishing scams went up by over 400% from previous years. Much of the data stolen in these attacks was of personal or financial importance.
It’s believed that the sharp rise in quishing scams is due to the rapid increase in QR code adoption. QR codes are more common than ever now, especially in the financial sector.
Of all the quishing attacks across affected industries, around 29% occurred in the energy sector, making it the most vulnerable. Most of the quishing scams in this sector involved QR codes embedded into emails.
Recent examples of quishing scams include
Healthy skepticism is always a great preventative measure when dealing with any type of scam. It’s wise to treat every QR code you see, digital or otherwise, with the same amount of scrutiny that you would a standard URL link. In many cases, you can tell when a link will lead somewhere nefarious, and the same goes for QR codes.
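One way to apply that URL-level scrutiny to the text a scanner decodes from a QR code, shown as an added example that is not part of the original article. The warning heuristics, the small shortener list, and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed sample of link shorteners; a real deployment would maintain its own list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return warnings for the text decoded from a QR code (empty list = nothing flagged)."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, contact cards or plain text.
        return [f"not a web link (scheme={scheme or 'none'}): review manually"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    host = (parts.hostname or "").lower()
    if not host:
        return warnings + ["no hostname"]
    if "@" in parts.netloc:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike domain)")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    if port not in (None, 80, 443):
        warnings.append(f"non-standard port {port}")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads (documentation-reserved addresses and domains).
    samples = [
        "https://www.example.com/menu",
        "http://203.0.113.7:8080/login",
        "https://login.example.com@198.51.100.9/verify",
        "https://bit.ly/abc123",
        "WIFI:S:CafeGuest;T:WPA;P:constructed;;",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s) or "no warnings")
```

An empty result only means none of these checks fired; it does not establish that the destination is safe.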
If you scan a code and your browser says that it seems unsafe, then it’s good to trust it and not go forward. Additionally, if you see that a QR code in the wild has been taped over a pre-existing one, that’s usually a sign that it’s been tampered with. In this case, it may also be a good idea to tear away the phony code so that no one else gets scammed.
A good thought process to follow is that if it seems too good to be true, then it most likely is. If you see a QR code with an amazing offer, like “scan this code to win $10,000”, then it’s almost certainly a phony code that will either infect your device or steal your information.
Most mobile browsers have safety features built in to protect you and your data, but some things can still slip through the cracks. In cases like this, a VPN or an identity monitoring service can be a great help. It’s also a good idea to keep a close eye on your information and finances, so that you can catch any wrongdoing before it’s too late.
It’s possible to be as careful as you can be and still find yourself accidentally scanning a phony code. If you ever find yourself in this situation, here are some things you can do to help reduce the negative effects.
While there are still plenty of dangers involved in using QR codes, the technology remains relatively safe. In most cases, it’s not the QR codes themselves that are dangerous, but the sites they link to or the nefarious individuals behind them. Your browser will usually warn you if a code seems suspicious before redirecting.
Hopefully, by reading this piece you are now more informed and equipped for dealing with a quishing attack. Just knowing what signs to look out for and how to deal with an attack after it happens can greatly reduce the risk you take when scanning QR codes. As the Saturday morning cartoons used to say: knowing is half the battle.
https://www.experian.com/blogs/ask-experian/what-is-quishing/