Phishing
Foundation · 4 min

Quishing - when the QR code lies

QR codes look harmless but have become attackers' favorite new trick. Here's how to spot quishing - and scan safely again.

Why QR codes suddenly turned dangerous

QR codes have been everywhere since the pandemic - on posters, restaurant tables, in emails. That ubiquity is exactly what makes them a perfect phishing tool. You see a code, scan it with your phone, and land on a website you would never have visited without it. Quishing (QR + phishing) is the fastest-growing form of phishing in 2024-2026.

  • Bypasses filters: QR codes are images, and classic mail filters don't read them. A phishing URL embedded in a QR code often slips through where the same URL as text would be blocked.
  • PC-to-phone pivot: the lure arrives on your PC, but you scan it with your phone, which has no hover-to-preview. You only see the real URL when the page is already loading.
  • Pressure-driven trust: 'Parking fee due', 'Charger broken - scan code'. These are the classic quishing hooks in public spaces.

Where quishing shows up today

  • In emails: "MFA setup for your Microsoft account" with a QR code instead of a link. The code leads to a phishing login page.
  • In public: Attackers stick their own QR-code stickers over real ones on parking meters, restaurant tables, charging stations.
  • On letterhead: "Pay invoice - scan QR." The real invoice URL gets replaced.
  • On hotel Wi-Fi cards: "Join hotel Wi-Fi - scan QR." Followed by a credential-phishing page.
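The email variant above is the one a mail gateway can still catch without reading the image: an MFA or login lure whose only call to action is an inline picture, with no clickable link anywhere in the body. The following is an added example, not code from the original article; it uses only the Python standard library, and the three sample messages (sender, recipient, subjects and the fake PNG bytes) are constructed here for illustration.

```python
"""Heuristic flag for "QR code instead of a link" emails.

Added example. It scores an email on three signals the article describes:
an image part is present, the text uses MFA/login/scan wording, and the body
contains no http(s) link at all. Sample messages are constructed inline.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Lure vocabulary seen in quishing mails (illustrative, not exhaustive).
LURE_WORDS = ("mfa", "authenticator", "verify your account", "scan", "qr", "login", "sign in")
URL_RE = re.compile(r"https?://", re.I)


def text_parts(msg: Message) -> str:
    """Concatenate all text/* bodies of the message (plain and HTML)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def image_parts(msg: Message) -> list:
    """Return every image/* MIME part (a QR code in an email is one of these)."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]


def score_quishing(raw_email: str) -> dict:
    """Return a level (high/medium/low) plus the reasons behind it."""
    msg = message_from_string(raw_email)
    body = text_parts(msg)
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    images = image_parts(msg)
    has_link = bool(URL_RE.search(body))
    lure_hits = [w for w in LURE_WORDS if w in lowered]

    reasons = []
    if images and not has_link:
        reasons.append("image attached but no clickable http(s) link in the body")
    if images and lure_hits:
        reasons.append("MFA/login lure wording next to an image: " + ", ".join(lure_hits))

    if images and lure_hits and not has_link:
        level = "high"       # the article's pattern: QR image instead of a login link
    elif images and lure_hits:
        level = "medium"     # lure plus image, but a link exists to inspect
    else:
        level = "low"
    return {"level": level, "reasons": reasons, "image_count": len(images)}


def build_sample(subject: str, body: str, with_image: bool, html: bool = False) -> str:
    """Constructed helper: assemble a MIME message so the example runs offline."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "it-support@example.com"   # constructed sender
    msg["To"] = "user@example.com"           # constructed recipient
    msg.set_content(body, subtype="html" if html else "plain")
    if with_image:
        # Not a real PNG, just bytes with a PNG-like prefix standing in for the QR image.
        msg.add_related(b"\x89PNG\r\n\x1a\nFAKE", maintype="image", subtype="png",
                        cid="<qr@example>")
    return msg.as_string()


# Constructed samples: one quishing lure, one ordinary mail with a logo, one text-only mail.
QUISHING_SAMPLE = build_sample(
    "Action required: MFA setup for your Microsoft account",
    '<p>Scan the QR code below with your phone to finish MFA setup.</p><img src="cid:qr@example">',
    with_image=True, html=True)
LEGIT_SAMPLE = build_sample(
    "Your invoice is ready",
    "Hello, your invoice is ready. Open it at https://billing.example.com/inv/1 or in the app.",
    with_image=True)
TEXT_ONLY_SAMPLE = build_sample(
    "Sign in to finish",
    "Sign in at https://login.example.com to continue.",
    with_image=False)

if __name__ == "__main__":
    for name, sample in (("quishing", QUISHING_SAMPLE), ("legit", LEGIT_SAMPLE),
                         ("text-only", TEXT_ONLY_SAMPLE)):
        print(name, score_quishing(sample))
```

The heuristic is deliberately cheap: it never decodes the QR image, so it runs before any expensive image analysis and can route "high" messages to a quarantine or a banner. A real gateway would also strip HTML tags before keyword matching and tune the vocabulary to its own language mix.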

How to check a QR code before opening it

Modern phones show the target URL as a preview before the browser opens. Always read that preview before you tap.

Look for:

  • Does the URL start with https://? (A missing https is a red flag; its presence alone proves nothing, since phishing pages use TLS too.)
  • Is the domain the one you expect? (parking.zurich.ch, not parking-zh-pay.com)
  • Does it use a URL shortener like bit.ly? Extra caution: the real destination is hidden.
  • Does the page ask for credentials immediately? Stop.
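The checklist above is mechanical enough to automate, for example in a scanner app or an internal "paste the URL here" tool. The following is an added example, not code from the original article. It assumes the QR code has already been decoded to text by the camera or a scanner library, and the expected-domain list, shortener list and credential keywords are constructed for illustration; parking.zurich.ch and parking-zh-pay.com are the article's own examples.

```python
"""Triage a decoded QR payload against the article's checklist.

Added example. Input is the decoded QR text; output is a list of findings and
a stop/open decision. It also handles the non-URL case (e.g. a WIFI: payload
from a "join hotel Wi-Fi" sticker), which should never be auto-applied from
an untrusted code.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the domain you expect for a given real-world context.
EXPECTED_DOMAINS = {
    "parking": {"parking.zurich.ch"},
}

# Well-known URL shorteners (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Path/query fragments that indicate the link lands straight on a login page.
CREDENTIAL_HINTS = ("login", "signin", "sign-in", "mfa", "verify", "password")


def host_matches(host: str, expected: str) -> bool:
    """True only for the expected domain itself or a genuine subdomain of it."""
    return host == expected or host.endswith("." + expected)


def looks_like_lookalike(host: str, expected: str) -> bool:
    """Flag hosts that reuse the expected domain's labels without being that
    domain, e.g. 'parking-zh-pay.com' or 'parking.zurich.ch.pay-now.example'."""
    if host_matches(host, expected):
        return False
    labels = expected.split(".")[:-1]          # drop the TLD
    return any(label in host for label in labels)


def triage_qr_payload(payload: str, context: str) -> dict:
    """Apply the checklist; any finding turns the decision into 'stop'."""
    verdict = {"payload": payload, "findings": [], "decision": "open"}
    findings = verdict["findings"]

    if not payload.lower().startswith(("http://", "https://")):
        # WIFI:, MECARD:, raw text etc.: not a web link at all.
        findings.append("non-URL payload (e.g. Wi-Fi config): treat as untrusted")
        verdict["decision"] = "stop"
        return verdict

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        findings.append("not https")           # https present is necessary, not sufficient
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")

    expected_set = EXPECTED_DOMAINS.get(context, set())
    if expected_set and not any(host_matches(host, e) for e in expected_set):
        findings.append(f"domain {host!r} is not the expected one")
        if any(looks_like_lookalike(host, e) for e in expected_set):
            findings.append("host mimics the expected domain name")

    path_and_query = (parts.path + "?" + parts.query).lower()
    if any(hint in path_and_query for hint in CREDENTIAL_HINTS):
        findings.append("URL points straight at a login/credential page")

    if findings:
        verdict["decision"] = "stop"
    return verdict


if __name__ == "__main__":
    # Constructed payloads: one legitimate, three that should be stopped.
    for sample in ("https://parking.zurich.ch/pay?zone=12",
                   "https://parking-zh-pay.com/login",
                   "https://bit.ly/3abcXYZ",
                   "WIFI:T:WPA;S:HotelGuest;P:not-a-real-password;;"):
        print(triage_qr_payload(sample, "parking"))
```

The domain check is the one that matters most and the one users get wrong: a string match on the brand name is not enough, so the code compares the registrable host against an explicit expectation and treats a brand name appearing inside a different domain as a lookalike rather than a match.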
Red flags:

  • QR code as image in email: a picture instead of a clickable login link is rarely legitimate and almost always quishing.
  • Sticker over sticker: if a QR code looks stuck on or sits crooked, it was likely placed by an attacker.
  • Coercive language: 'Pay within 10 minutes or face a fine.' Legitimate parties give you time.
  • Immediate login request: a real parking fee never asks for Microsoft login credentials.

Real case - Zurich 2025

Stickers with attacker-controlled QR codes were placed over the real payment codes on 12 city-center parking meters. The replacement URL led to a page that harvested credit card data. 1,400 cards were compromised before the city reacted. The codes were visually indistinguishable from the real ones.

In public spaces, every unverified QR code is potentially manipulated.

The simple rule

Treat QR codes like links in an email from a stranger. Read the URL first, decide second.

When something really matters - an invoice, a parking ticket, an MFA setup - there is always an alternative path: the app, the official website via your saved bookmark, a phone call. The QR code is convenience, not necessity.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping - for your industry.