What is QR Code Phishing?
A phishing technique (also called 'quishing') that uses malicious QR codes to redirect victims to fake websites, trigger malware downloads, or steal credentials — exploiting the fact that people can't visually verify where a QR code leads before scanning.
Also known as: Quishing, QR Phishing, Malicious QR Code
QR codes are everywhere — restaurant menus, parking meters, package deliveries, event tickets. Criminals exploit this ubiquity by replacing legitimate QR codes with malicious ones that steal your data.
How It Works
- Attacker creates a QR code that links to a phishing site, malware download, or credential harvester
- The malicious QR code is placed over a legitimate one (sticker on a parking meter, poster, menu)
- Victim scans the code, sees what looks like a normal login page or payment form
- Victim enters credentials or payment information, which goes directly to the attacker
Real-World Attack Vectors
Parking Meters
- Fake QR code stickers placed on parking meters in 30+ US cities (2022-2024)
- Victims think they're paying for parking; instead, credit card details are stolen
Package Delivery
- Fake "missed delivery" notices left at doors with a QR code to "reschedule"
- Code leads to a phishing site harvesting personal information
Email Quishing
- Phishing emails contain QR codes instead of clickable links
- Evades URL-based email filtering: the destination is encoded in an image, so a gateway that only extracts and scans text links never sees it unless it also decodes QR codes (many newer gateways now do)
- Often impersonates Microsoft 365, DocuSign, or banking login pages
Restaurant Menus
- Replaced QR codes on tables redirect to sites that prompt for unnecessary permissions, push a malicious app download, or harvest payment details
EV Charging Stations
- Fake QR codes on electric vehicle charging stations redirect payments to scammers
Why QR Phishing Is Effective
- You can't see the URL before scanning — unlike a link you can hover over
- Phones make verification harder: the address bar is small and often truncated, there is no hover preview, and many personal devices lack the web filtering and endpoint controls a managed workstation has
- Trust in QR codes has increased since COVID-era contactless adoption
- Moves the link out of reach of text-based security tools: a filter that scans URLs in the message body finds nothing, because the URL lives inside an image that must be decoded first
- Physical placement adds legitimacy — a QR code on a parking meter seems official
How to Protect Yourself
- Preview the URL before opening: iOS and Android camera apps show the destination before you tap. Read the whole domain, not just a familiar brand name in it; lookalike domains, URL shorteners and redirects are designed to survive a quick glance
- Look for tampering — stickers placed over existing QR codes are a red flag
- Don't enter credentials on sites reached via QR code — navigate to the site directly instead
- Use a QR scanner app that checks URLs against phishing databases
- Be skeptical of urgency — "Scan NOW to avoid a fine" is a social engineering tactic
- Never scan QR codes from emails — go to the website directly instead
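The same checks a cautious user applies to a previewed URL can be automated, for example in a mail gateway that decodes QR images in inbound messages (the email quishing vector above) or in a scanner app that vets a destination before opening it. The following is an added example, not code from the original page; it assumes the image-to-text step has already been done by a QR decoding library and works only on the decoded payload string. The trusted-domain allowlist, brand keyword list, and every hostname and payload in the samples are hypothetical and constructed for illustration.

```python
"""Triage of payloads decoded from QR codes (added example, hypothetical data).

Assumes a QR decoder (for example zbar or OpenCV) has already turned the image
into a string. This module only inspects that string.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: domains the organisation expects QR codes to point at.
TRUSTED_DOMAINS = {"microsoft.com", "docusign.com", "example-bank.com"}

# Brand and lure words attackers embed in lookalike hosts and paths.
BRAND_KEYWORDS = ("microsoft", "docusign", "paypal", "bank", "login", "secure")

# Shorteners hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Payload types that open the dialer, SMS app, Wi-Fi join or app store directly.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "market", "intent"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production gateway would use the
    Public Suffix List instead; this is enough to show the pattern."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload looks suspicious (empty = none)."""
    findings: list[str] = []
    scheme = payload.split(":", 1)[0].lower()

    if scheme in ACTION_SCHEMES:
        return [f"non-web payload type '{scheme}' triggers an app action"]
    if scheme not in {"http", "https"}:
        return [f"unexpected scheme '{scheme}'"]

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no host"]

    if scheme == "http":
        findings.append("plain HTTP: credentials would be sent unencrypted")

    # A bare IP address carries no brand identity to verify.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass

    # https://microsoft.com@evil.example/ : the part before '@' is userinfo,
    # not the host, but it is what a glance at the preview picks up.
    if parts.username is not None:
        findings.append("userinfo in URL hides the real host")

    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host (possible homograph)")

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("URL shortener: destination not visible")
    elif reg not in TRUSTED_DOMAINS:
        # A trusted brand name inside an untrusted domain or path is the
        # classic lookalike pattern (login.microsoft.com.secure-pay.example).
        text = host + parts.path.lower()
        hits = [kw for kw in BRAND_KEYWORDS if kw in text]
        if hits:
            findings.append(f"untrusted domain {reg!r} mentions {hits}")
    return findings


# Constructed sample payloads, as they would come out of a QR decoder.
SAMPLE_PAYLOADS = [
    "https://www.microsoft.com/",
    "http://192.0.2.10/parking/pay",
    "https://microsoft.com@evil.example/login",
    "https://login.microsoft.com.secure-pay.example/",
    "https://bit.ly/3abc",
    "tel:+15550100",
    "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
]


def triage_samples() -> dict[str, list[str]]:
    """Run the triage over the constructed samples; used by the demo below."""
    return {p: triage_payload(p) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, findings in triage_samples().items():
        verdict = "OK" if not findings else "SUSPICIOUS"
        print(f"{verdict:10} {payload}")
        for f in findings:
            print(f"           - {f}")
```

The allowlist approach is deliberate: a QR code on a parking meter or a DocuSign-branded email should land on a small, known set of domains, so anything else that mentions the brand is the interesting case. The non-web payload check matters because a QR code need not contain a URL at all; `tel:`, `sms:` and Wi-Fi payloads trigger actions on the phone without any page being shown.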
Related Terms
Credential Harvesting
The practice of collecting login credentials through phishing pages, data breaches, malware, or social engineering.
Man-in-the-Middle Attack
An attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they're communicating directly with each other. MITM attacks can capture credentials, inject malware, or modify data.
Phishing
A social engineering attack where attackers impersonate legitimate entities through fake emails, websites, or messages to trick victims into revealing sensitive information like passwords, credit card numbers, or personal data.
Social Engineering
Psychological manipulation techniques used to trick people into revealing confidential information or performing actions that compromise security. Social engineering exploits human trust rather than technical vulnerabilities.