Quishing – the invisible danger behind QR codes

QR codes have become part of everyday life – in restaurants, on posters, or for logins. Cybercriminals exploit the ubiquity of QR codes for so-called quishing attacks. This is a specific form of phishing where fraudulent QR codes lead users to fake websites or install malware on their devices.

The following article explains how quishing works, how to recognise fraudulent QR codes, and how to protect yourself from them.

Key points:

Quishing is a dangerous form of phishing in which criminals use malicious QR codes to spread malware or redirect to fake websites.

The link embedded in a QR code is not immediately visible – many users trust the preview shown after scanning and open it without fully verifying the link.

By carefully checking the full URL, avoiding suspicious codes, and keeping software up to date, you can significantly reduce the risk of becoming a victim of successful quishing attacks.

How does quishing work?

Quishing is based on the fact that the content of a QR code – usually an internet address – is not directly visible. Criminals place such QR codes digitally (e.g. in emails) or physically on stickers, posters, and everyday objects. Scanning these codes without caution can lead to fake websites or download malware without the user realizing it.

Why is quishing so dangerous?

Quishing targets human habits and technical vulnerabilities. Here's why this scam is particularly insidious:

  • Assumed trust when scanning: QR codes are often scanned without questioning the source or destination – a risky habit.
  • Bypassing security filters: while traditional phishing links in emails are often caught by spam filters, a QR code embedded in an email is just an image. Many filters do not decode it, so the link inside passes through unchecked.
  • Invisible threat: a QR code contains an internet address that the human eye cannot read. If it is opened automatically or without proper inspection, it can land the user on a malware download or a fake login page before anything looks wrong.
  • Automatic link opening: some camera or QR scanner apps open the embedded link as soon as the code is recognised, leaving no chance to inspect the address first.
  • Widespread use: malicious QR codes appear not only in fraudulent emails and letters but also on parking meters, charging stations, packaging, flyers, and fake raffle tickets.

How to identify fraudulent QR codes

Many quishing attacks can be detected early with attention and caution. Watch out for:

  • Prominent or unusual placement: criminals place QR codes where they attract attention, such as over legitimate codes on charging stations or on fake parking tickets. Look for signs of tampering such as a sticker on top of a printed code or adhesive marks around it.
  • Shortened or obscured URLs: many scanners show only a truncated preview of the link, and the link itself may point to a shortener that hides the real destination. Look for an option to view the full internet address and check the domain before opening anything.
  • Requests for data entry: if scanning a QR code leads straight to a login or payment form, be on alert. Treat the form as untrusted until you have confirmed that the domain in the address bar belongs to the provider you expect.
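The "check the full URL" step above, as an added example that is not part of the original article: a small Python triage function that takes the raw payload a scanner app hands over after decoding and lists the tricks that make a QR link look legitimate (credentials before an "@" that hide the real host, raw IP hosts, look-alike or punycode domains, link shorteners, the expected brand name buried inside a different host). The expected domain, the shortener list and the sample payloads are constructed assumptions, not data from the article; it uses only the Python standard library.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added example, not from the article. Pure standard library; run with python3.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the sender the QR code claims to come from. Any other host is
# "unexpected" for this check. Replace with your own organisation's domains.
EXPECTED_DOMAINS = {"example-bank.com"}

# Assumption: a short, hand-picked list of link shorteners that hide the final target.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}


def _is_ip_literal(host: str) -> bool:
    """True for hosts such as 192.0.2.10 or ::1 instead of a registered name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_expected(host: str) -> bool:
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage_qr_url(payload: str) -> dict:
    """Inspect the full decoded payload and list every red flag found.

    Returns {"verdict": "ok" | "suspicious", "host": <lower-case host>, "reasons": [...]}.
    An empty reasons list means nothing looked wrong; it does not prove the link is safe.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    reasons = []

    if scheme not in ("http", "https"):
        reasons.append("not a web link (scheme %r)" % (scheme or "none"))
        return {"verdict": "suspicious", "host": host, "reasons": reasons}
    if scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        # https://example-bank.com@evil.example/ : the text before '@' is user info,
        # the real host is what follows it.
        reasons.append("user info before '@' disguises the real host")
    if not host:
        reasons.append("no host name")
        return {"verdict": "suspicious", "host": host, "reasons": reasons}
    if _is_ip_literal(host):
        reasons.append("host is a raw IP address")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("non-ASCII or punycode host (possible look-alike domain)")
    if host in SHORTENER_DOMAINS:
        reasons.append("link shortener hides the final destination")
    if not _is_expected(host):
        reasons.append("host %r is not an expected domain" % host)
        if any(d in host for d in EXPECTED_DOMAINS):
            # e.g. example-bank.com.login-verify.evil.example: the brand is a subdomain label
            reasons.append("expected domain name embedded in a different host")

    return {"verdict": "ok" if not reasons else "suspicious", "host": host, "reasons": reasons}


# Constructed sample payloads, as a scanner app would hand them over after decoding.
SAMPLE_PAYLOADS = [
    "https://pay.example-bank.com/invoice/123",
    "https://example-bank.com@evil.example/login",
    "https://bit.ly/3abcdef",
    "http://192.0.2.10/update.apk",
    "https://ex\u0430mple-bank.com/",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "https://example-bank.com.login-verify.evil.example/",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = triage_qr_url(p)
        print(f"{r['verdict']:10s} {p}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

The checks are deliberately conservative: the only payload that comes back "ok" is a subdomain of the expected domain over HTTPS with nothing unusual in front of the host. Everything else is reported with the specific reason, which is what a user (or a mail gateway that decodes QR images) needs in order to decide whether to open the link.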

Protective measures against quishing

Protecting yourself from quishing doesn’t require complex steps – just awareness and digital responsibility:

  • Scan only trusted QR codes: only scan codes from clearly trustworthy sources – such as official apps, printed materials from known brands, or company websites.
  • Use secure scanning apps: use your device’s native camera app and familiarise yourself with its QR scanning features, in particular whether it shows the full address and asks before opening it. Third-party scanner apps, especially free ones, add another piece of software that may itself have security flaws or open links without asking.
  • Never share sensitive data: a QR code should never be the entry point for entering login credentials, bank details, or personal information. Use the official website or app instead, or contact the sender via a known address or phone number.
  • Keep your smartphone operating system updated: regular operating system updates close known security gaps that malware delivered via a QR code would otherwise exploit.

What to do if you suspect an attack

Act quickly if you think you’ve been redirected to a fake site or malware has been installed:

  • Run an antivirus scan: use up-to-date security software to check your device for threats.
  • Change passwords: immediately update your credentials if you suspect they’ve been compromised – especially if entered on a suspicious site.
  • Report to authorities: notify the police or a consumer protection agency about suspicious QR codes or websites to help protect others.

Conclusion – preventing quishing

Quishing is a sophisticated form of phishing that uses malicious QR codes to redirect users to fake websites or install malware. These attacks are especially dangerous because they’re easy to execute and many people trust QR codes. But with vigilance, some background knowledge, and a willingness to question suspicious prompts, you can protect yourself effectively.

Frequently asked questions about quishing

How do criminals create fake QR codes?

Cybercriminals usually generate QR codes themselves using free online tools. They place them in emails, on stickers, posters, or fake websites – often disguised as legitimate offers or requests, even from authorities.

How can I recognize a malicious QR code?

Check if a legitimate QR code has been covered by another, especially on charging stations or parking meters. Be cautious with parking tickets or letters from well-known companies that include QR codes – they could be scams. If the link is vague or unusually short and asks for sensitive data, don’t scan it.

Why is quishing especially dangerous?

Because the link in a QR code isn’t visible before scanning. Tapping the preview opens the destination, and a malicious page can start a download or show a fake login form before you notice anything wrong. Scanner apps that open links automatically are particularly risky.