QR Code Scams (Quishing): How to Spot Fake QR Codes and Protect Yourself

Quick answer: Quishing is phishing carried out through a link hidden inside a QR code. An attacker pastes a fake QR over a real one or embeds a QR in an email to send you to a fake login page or a malicious app. Because a QR shows no address, you cannot see where it leads, and email security filters often cannot read the link inside the code. The core defense: do not trust unexpected QR codes, preview the address before opening, and always log in through the official app or an address you typed yourself.

QR codes spread everywhere with the pandemic, from menus to payment screens, and scammers targeted that trust. The US Federal Trade Commission published a consumer alert titled "Scammers hide harmful links in QR codes," and the FBI issued a public notice as early as 2022 about criminals tampering with QR codes. The danger is simple: you can see a link's address before clicking, but a QR code shows only black and white squares, so you do not know the destination until you scan it.

How quishing works

  1. Physical overlay. The attacker pastes a fake sticker over the real QR on a parking meter, a restaurant table or a poster. The victim enters payment or login details on a fake page.
  2. QR embedded in email. Instead of putting a phishing link in text, the attacker converts it to a QR image. Corporate email scanners check text links but usually cannot read the address inside the image, so it bypasses the filter. The user scans with a phone and steps outside the protection on the work computer.
  3. Fake payment and delivery. "Your parcel is on hold, pay by QR" or "pay your fine by QR" lures the victim into entering card details on a fraud page.
  4. Malicious app install. Some codes lead to a malicious app download rather than a phishing page.

Corporate risk: QR based MFA and account phishing

The most dangerous form appears in corporate email. The attacker places a QR that says "verify your account" in a Microsoft 365 or bank themed email. The employee opens the address on a phone and enters username, password and even the one time code on a fake page. This is a variant of classic phishing that evades URL filters and is the new focus of awareness training. The threat is growing fast: according to Microsoft threat intelligence, QR based phishing rose from 7.6 million to 18.7 million per month in the first quarter of 2026, a 146 percent increase. Abnormal Security reported that senior executives are 42 times more likely to receive a QR attack and that about a quarter of these attacks involve a fake multi factor authentication notice. Companies should prepare staff with a phishing and social engineering simulation and review our guide on how to spot a phishing email.

Protection, point by point

  1. Do not trust unexpected QR codes that arrive by email or SMS or appear in public and demand urgency.
  2. Preview the address after scanning. Most phone cameras show the destination before opening. If it is not the official domain of the organization you expect, close it.
  3. Do not start a login or payment from a QR. Always enter your bank or account through the official app or a typed address.
  4. Check for physical tampering. Be suspicious of a sticker pasted over a code on a payment machine or poster.
  5. Use multi factor authentication, preferably phishing resistant. A passkey or hardware key instead of an SMS code makes a stolen password insufficient. See our password, 2FA and passkey guide.
  6. Corporate awareness. Teach staff that QR codes inside email are a new phishing method and have them report suspicious codes.
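The address preview in step 2 and the reporting in step 6 can be partly automated, both on a phone and on a mail gateway that has already decoded a QR image. The following Python function is added here as an illustration (not code from the page or from DSET): it takes the text decoded from a QR code and lists the reasons it should not be trusted. The expected-domain list, the shortener list and the sample payloads are constructed assumptions.

```python
# Added example: triage the text decoded from a QR code before opening it.
# The allowlist of official domains and the sample payloads below are
# constructed for illustration; replace them with your organization's own.
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"example-bank.com", "login.microsoftonline.com"}  # constructed
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # common link shorteners


def triage_qr_payload(payload: str, expected=EXPECTED_DOMAINS) -> list[str]:
    """Return the reasons the decoded QR content should not be trusted.
    An empty list means the address matched an expected domain over HTTPS."""
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # App-intent, payment or plain-text payloads cannot be previewed as a site.
        return [f"non-web payload (scheme '{scheme or 'none'}'), do not act on it"]
    host = (parts.hostname or "").lower()
    if scheme == "http":
        reasons.append("not HTTPS")
    if "@" in parts.netloc:
        reasons.append("userinfo before the host hides the real domain")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host, possible lookalike characters")
    if host in SHORTENERS:
        reasons.append("link shortener hides the final destination")
    # An exact match or a real subdomain of an expected domain is acceptable.
    if not any(host == d or host.endswith("." + d) for d in expected):
        # The official name buried elsewhere in the host (example-bank.com.evil.test)
        # is the classic lookalike pattern.
        lookalike = any(d in host or d.replace(".", "-") in host for d in expected)
        reasons.append("lookalike of an expected domain" if lookalike
                       else "not an expected official domain")
    return reasons


if __name__ == "__main__":
    samples = [  # constructed QR payloads for illustration
        "https://login.example-bank.com/account",
        "http://example-bank.com.verify-now.test/login",
        "https://bit.ly/abc123",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s) or ["matches an expected site"])
```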

What to do if you were scammed

If you entered card details, call your bank immediately and block the card; if you logged in, change your password and sign out of all sessions. You can report the incident through USOM and, if there is financial loss, file with the Public Prosecutor or the Cybercrime unit. Our guide "I was scammed online, what to do" walks through the steps.

Frequently Asked Questions

Is scanning a QR code dangerous by itself? Scanning usually just shows an address. The danger is entering information on the page that opens or installing the app it downloads. Preview the address and close it if suspicious.

Why is a QR in email more dangerous? Security scanners often cannot read the address inside the image, so the code bypasses the filter and you reach a fake page without protection.

Can my phone get a virus from a QR? Scanning rarely infects directly; the risk comes from installing the fake app it points to. Install apps only from the official store.

To test your staff against email and QR based phishing, contact DSET.