QR Code Security: The Quishing Threat
QR codes are everywhere — menus, payments, Wi-Fi, boarding passes. But they can also be attack vectors. "Quishing" (QR code phishing) attacks are rising as attackers exploit the trust people place in QR codes.
Common Quishing Attacks
Tampered Payment Codes
Attacker places a sticker with their own QR code over a restaurant's or parking meter's payment code. Your payment goes to the attacker.
Found at: Restaurants, parking meters, vending machines, charity donation points
Phishing QR in Email
Email contains a QR code instead of a link — bypasses traditional email security filters that scan URLs but can't read QR codes.
Found at: Emails pretending to be from IT department, banks, Microsoft 365
Malicious Wi-Fi
QR code that auto-connects your device to an attacker-controlled Wi-Fi network, enabling man-in-the-middle attacks.
Found at: Cafés, conferences, hotels — fake 'Free Wi-Fi' QR codes
Fake Event/Product Codes
QR codes on flyers, posters, or products that redirect to phishing sites collecting personal information.
Found at: Street flyers, concert posters, product packaging, business cards
Protection Rules
1. Check the URL preview — Modern phone cameras show the URL before opening. Verify the domain is legitimate.
2. Look for tampering — Is the QR code a sticker placed over another code? Is it aligned properly? Sticker overlays are a red flag.
3. Don't scan QR codes from emails — If a company sends you a QR code by email, go to their website directly instead.
4. Don't auto-connect to Wi-Fi via QR — Manually enter the network name and password from a trusted source.
5. Use your phone's built-in scanner — Don't use third-party QR scanner apps (many contain malware themselves).
6. Have a VPN active — If you do end up on a malicious network, your VPN encrypts your traffic.
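Rules 1 and 4 can also be applied automatically to the text a scanner decodes from a QR code, for example in a mail gateway or kiosk app. The sketch below is an added example, not code from this page: the `TRUSTED_HOSTS` list, the function names and the sample payloads in the usage are assumptions, and the Wi-Fi parsing follows the common `WIFI:T:...;S:...;P:...;;` payload layout.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: hosts your organisation's own QR codes are expected to point to.
TRUSTED_HOSTS = {"example.com"}

def parse_wifi(payload):
    """Parse the common 'WIFI:T:WPA;S:name;P:pass;;' payload into a dict."""
    fields = {}
    # Fields end at ';' unless it is backslash-escaped inside a value.
    for part in re.findall(r"(?:\\.|[^;\\])+", payload[5:]):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)
    return fields

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(payload):
    """Return warnings for one decoded QR payload; an empty list means none."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        wifi = parse_wifi(payload)
        notes = ["joins Wi-Fi network %r" % wifi.get("S", "")]
        if wifi.get("T", "nopass").lower() == "nopass":
            notes.append("open network, no encryption")
        return notes
    url = urlsplit(payload)
    if url.scheme.lower() not in ("http", "https"):
        return ["not a web URL: scheme %r" % url.scheme]
    host, notes = (url.hostname or "").lower(), []
    if url.scheme.lower() == "http":
        notes.append("plain http")
    if url.username is not None:
        notes.append("userinfo before '@' hides the real host")
    if is_ip(host):
        notes.append("IP address instead of a domain")
    if "xn--" in host:
        notes.append("punycode host, possible lookalike")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        notes.append("host %r not on trusted list" % host)
    return notes
```

Calling `triage("https://pay.example.com@login.example.net/pay")` on a constructed payload flags both the userinfo trick and the untrusted host, which is the same check a person makes when reading the URL preview.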