What is “Quishing”, And How Can You Protect Yourself From Malicious QR Codes?


Justin Marshall

Justin has been with webFEAT Complete for 10 years and brings his wealth of expertise as the Head of Paid Advertising at webFEAT Complete. As our resident PPC and online advertising aficionado, he is dedicated to planning and executing robust paid media strategies that not only drive substantial traffic but also ensure conversions that exceed expectations. Beyond his professional pursuits, Justin embarks on a delightful quest throughout Cincinnati, tirelessly seeking out the city's finest burgers, a passion that perfectly complements his commitment to excellence in the digital advertising realm.

QR codes, or Quick Response codes, were invented all the way back in 1994, not by some marketing department, but by Denso Wave, a subsidiary of Toyota. The codes were initially used to track automotive parts during manufacturing, where they proved more efficient than traditional barcodes. It wasn’t until the early 2000s that QR codes started making their way into the consumer market, as phones began to have QR code readers built in. And not until the later 2010s did QR codes begin to be used in marketing, ticketing, and limited payment systems.

But it was the pandemic in 2020 that gave these codes, which many had thought were dead, a valiant comeback: they were incredibly useful for contactless menus, check-ins, vaccine records, and payments, which pushed QR codes into daily life worldwide. Today, you will find QR codes on restaurant tables for digital menus, product packaging for tutorials, flyers for event RSVPs, utility bills for online payments, business cards linking to LinkedIn profiles, and in countless other useful places.

What is Quishing?

As you can see, QR codes have undergone quite the evolution, and now there’s another one, but this time it’s not a good one. Quishing (short for QR code phishing) is a type of cyberattack where scammers use malicious QR codes to trick people into visiting fake websites, downloading malware, or giving up sensitive information like login credentials or credit card numbers. While the word “Quishing” certainly looks and sounds pretty funny, the practice is a far cry from being humorous.

How does Quishing work?

The benefit of QR codes is that you can put them literally anywhere that you want someone to take an intended action. The downside of QR codes is that you can put them literally anywhere that you want someone to take an action. The general idea is that someone will scan a QR code they come across, expecting to be brought to a legitimate landing page, app, or digital property. However, if that code was placed by a bad actor, it will instead take you to a phishing site, or it can even trigger a malicious download to your device. From there it can get even worse, particularly if you’re then asked to enter personal information or install spyware. As you can see, the repercussions can be dire.

Common QR code phishing examples

The growing ubiquity of QR codes has made seemingly everyday encounters a little bit more convenient. That’s because, unlike a printed link or web address, a QR code is able to direct someone to a very specific digital asset. For example, you may have seen parking meters with QR codes plastered on them, which allow the driver to pay for parking simply by scanning a code and providing payment on a smartphone. Imagine, though, if that QR code instead enabled someone to steal your credit card info when scanned. That’s how easy it is to scam someone by using a QR code.

Some other examples of Quishing in action include:

  1. Email-Based Quishing – You receive an email from what looks like FedEx saying your delivery failed, with a QR code to “reschedule”—but it opens a fake login page to steal your credentials.
  2. Printed/Public QR Code Scam – A scammer places a fake QR code sticker over a restaurant’s menu code, and when you scan it, it loads a malicious website disguised as a survey that installs spyware.
  3. Retail/Shopping Scam – A QR code on a store shelf promises 20% off if you “register your purchase,” but it leads to a spoofed site that captures your name, address, and credit card number.
  4. Package/Delivery Scam – A QR code left in your mailbox appears to be from UPS and says “Scan to confirm delivery”—but it opens a site that looks official and asks for your login and billing info.

Quishing is on the rise

According to CNBC, Quishing attacks are on the rise as traditional phishing is failing. As QR code usage grows, so do scams exploiting them. Cybersecurity experts note that scammers are shifting to QR codes as traditional email phishing becomes harder to execute. A study by KeepNet Labs found 26% of malicious links now come through QR codes, and NordVPN reports that 73% of Americans scan QR codes without verifying them, leading over 26 million people to malicious sites.

There are people fighting back. Gaurav Sharma, a professor in the department of electrical and computer engineering at the University of Rochester, is in the process of developing a secure, self-authenticating QR code (SDMQR), but says widespread adoption requires support from tech giants like Google and Microsoft. He also warns that branding QR codes with company logos is not a reliable safeguard.

For now, diligence is the best form of defense for businesses and institutions to safeguard their guests. For example, the Children’s Museum of Indianapolis, which welcomes over a million guests a year, is taking steps to secure its codes with design customizations and regular inspections. While places like museums are less frequent scam targets compared to train stations or parking lots, the threat of malware via fake QR codes remains.

How to protect yourself from getting “quished”

  1. Preview the Link Before Opening It
  • Most phones show the URL before opening.
  • If it looks strange, misspelled, or unfamiliar—don’t click it.
  2. Use a Trusted QR Scanner App
  • Some security-focused QR code apps will alert you if a link is suspicious or dangerous.
  3. Be Skeptical of QR Codes in Public Spaces
  • Don’t scan random flyers, posters, or stickers—especially those on parking meters, signs, or bathroom walls.
  • Check for stickers placed over legitimate QR codes.
  4. Watch Out for QR Codes in Emails or Texts
  • Treat QR codes like links—if the message is unexpected, urgent, or feels off, verify the source before scanning.
  5. Don’t Enter Personal Info After Scanning
  • A legitimate QR code shouldn’t immediately ask for passwords, Social Security numbers, or payment information.
  • If it does, close the site.
  6. Avoid Public Wi-Fi for QR Code Actions
  • If a QR code takes you to a login or payment site, wait until you’re on a secure connection like home Wi-Fi or mobile data.
  7. Keep Your Phone and Security Software Updated
  • Updates help protect your device from the latest phishing and malware threats.
  8. Enable Two-Factor Authentication (2FA)
  • This adds an extra layer of protection so that even if someone gets your password, they can’t access your accounts easily.
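
The first two tips (previewing the link, and scanner apps that flag suspicious links) can be turned into an automated check on the text decoded from a QR code. The sketch below is an added example, not code from this article or from any scanner app; the allowlist, the shortener list, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: domains you expect legitimate codes to point at.
EXPECTED_DOMAINS = {"fedex.com", "ups.com", "example-parking.test"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # common URL shorteners

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of expected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive last-two-labels heuristic (assumption: no public-suffix list available)."""
    return ".".join(host.split(".")[-2:])

def review_qr_payload(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    url = urlsplit(payload.strip())
    if url.scheme not in ("http", "https"):
        return [f"not a web link (scheme {url.scheme!r})"]
    warnings = []
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        warnings.append("no TLS (http)")
    if url.username or "@" in url.netloc:
        warnings.append("userinfo in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        return warnings + ["raw IP address instead of a domain"]
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (possible homoglyph domain)")
    domain = registered_domain(host)
    if domain in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    elif domain not in EXPECTED_DOMAINS:
        near = sorted(d for d in EXPECTED_DOMAINS if edit_distance(domain, d) <= 2)
        warnings.append(f"lookalike of {near[0]}" if near else "unfamiliar domain")
    return warnings
```

An empty list means none of these checks fired, not that the destination is safe; a production check would use a public-suffix list rather than the two-label heuristic.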

Final Thoughts

As QR codes continue to become part of everyday life, so do the risks associated with them. Quishing may seem like a small threat, but it can open the door to serious breaches—from stolen credentials to financial fraud.

At webFEAT, we believe staying secure means staying informed. Educate your team, scrutinize every scan, and implement tools that protect against phishing threats across all platforms—including those hidden behind a simple QR code.

Need help assessing your organization’s phishing defenses? Contact us for a consultation or learn more about our website and email security services designed to keep your team a step ahead of the latest threats.
