Quishing: the QR code scam you need to know about
Quishing is phishing via QR code - and it is getting more common. Here is how it works, where to watch for it, and how to check a QR code before you scan.
You have probably heard of phishing - scam emails and texts designed to steal your details. Quishing is the same idea, but delivered via QR code. And because most people have learned to be suspicious of links, scammers are increasingly switching to QR codes instead.
What is quishing?
Quishing (QR code phishing) is when a scammer uses a QR code to send you to a fake website. Instead of embedding a suspicious-looking URL in a message, they embed it in a QR code - which shows you nothing but a pattern of black and white squares until you scan it.
The destination is typically a convincing fake login page for a bank, delivery company, government service, or popular retailer. The goal is the same as any phishing attack: get you to hand over your password, payment details, or personal information before you realise something is wrong.
Why QR codes make phishing easier
QR codes are an effective attack vector for a few reasons:
- You can't read them before scanning. A suspicious link is visible in a text or email - a QR code hides its destination completely until your camera opens it.
- Security tools often can't scan them. Email filters and corporate security software are built to detect malicious URLs in text. A QR code in an image bypasses most of those checks.
- People trust them. QR codes became mainstream during the pandemic for menus, payments, and check-ins. Scanning one feels routine now.
- They work in physical spaces. Unlike links, QR codes can be printed and placed in the real world - on posters, parking meters, parcel labels, and restaurant tables.
Where quishing QR codes turn up
In emails and messages
The most common delivery method. A quishing email might claim to be from your bank, HMRC, a courier, or a parcel company - asking you to scan a QR code to verify your account, track a delivery, or claim a refund. The QR code replaces the link that a spam filter might otherwise catch.
On physical posters and signs
Scammers print fake QR codes and stick them over legitimate ones in public spaces. Car parks, bus stops, coffee shops, and restaurant tables have all been used. You think you're paying for parking or accessing the menu; you're actually being sent to a phishing page.
On fake parcels and packaging
Counterfeit goods sometimes include QR codes that link to fake brand websites, designed to harvest your details or upsell fake accessories.
In documents and invoices
Business invoice fraud increasingly uses QR codes pointing to fake payment portals.
How to spot a quishing attempt
There are no guaranteed visual tells in the QR code itself, but the surrounding context often gives it away:
- Unexpected urgency - "Scan now or your account will be closed", "Claim your refund within 24 hours"
- Unsolicited contact - a QR code arriving in an email or text you were not expecting
- Physical tampering - a sticker that looks slightly off-centre, or a QR code that sits on top of another one
- Mismatched branding - the email or notice looks almost right, but the logo is slightly wrong, the fonts are different, or the sender address doesn't match the organisation
What to do before you scan a QR code
Check the URL before you do anything
When your phone camera reads a QR code, it shows you the destination URL before you tap it. Always read it. Apply the same checks you would to any link: does the domain match the organisation it claims to be? Is it hmrc.gov.uk or hmrc-refund-portal.com?
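As an added illustration (not code from the original article or SniffTest's own checker), the "does the domain match the organisation" check above, applied to URLs already decoded from QR codes; a mail gateway that decodes QR images, closing the gap noted under "Security tools often can't scan them", could pass decoded URLs through the same function. The expected domain hmrc.gov.uk comes from the article; the sample payloads are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def qr_url_findings(payload, expected_domain):
    """Check a URL decoded from a QR code against the organisation the message
    claims to be from. Returns the reasons it looks wrong (empty list = passed)."""
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return ["payload is not a web link (scheme %r)" % parts.scheme]
    if parts.scheme != "https":
        findings.append("link is plain http, not https")
    # Anything before '@' in the authority is userinfo, which browsers discard:
    # 'https://hmrc.gov.uk@evil.example/' really goes to evil.example.
    if "@" in parts.netloc:
        findings.append("text before '@' is not the host; real host is %r"
                        % parts.hostname)
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ip_address(host)
        findings.append("host is a bare IP address (%s)" % host)
        return findings
    except ValueError:
        pass  # not an IP literal, so run the domain checks
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return findings  # genuine domain or one of its subdomains
    findings.append("host %r is not under %r" % (host, expected))
    # 'hmrc-refund-portal.com' and 'hmrc.gov.uk.secure-login.example' both
    # contain the brand name but are unrelated registered domains.
    brand = expected.split(".")[0]
    if brand in host:
        findings.append("host contains %r but is a different domain (lookalike)"
                        % brand)
    return findings

# Constructed sample payloads, as a QR decoder would return them; not real codes.
SAMPLE_PAYLOADS = [
    "https://www.hmrc.gov.uk/refund",
    "https://hmrc-refund-portal.com/claim",
    "https://hmrc.gov.uk.secure-login.example/",
    "https://hmrc.gov.uk@203.0.113.5/",
    "http://www.hmrc.gov.uk/",
    "tel:+441234567890",
]
if __name__ == "__main__":
    for url in SAMPLE_PAYLOADS:
        problems = qr_url_findings(url, "hmrc.gov.uk")
        print("OK  " if not problems else "WARN", url, "; ".join(problems))
```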
Use a QR code checker
If you're not sure, check the URL before visiting it. SniffTest lets you upload a photo of a QR code or scan one directly - it extracts the destination URL and runs it through 17 checks, returning a plain-English verdict before you've opened anything.
Be especially sceptical of physical QR codes
Before scanning a QR code in a public place, look at it closely. Is there a sticker on top of the original? Does the code look like it was added after the fact? For parking payments in particular, it's safer to use the official app or pay at the machine.
If you've already scanned a suspicious QR code
If you scanned but didn't enter anything - you're likely fine. Close the browser tab and run the URL through SniffTest to confirm.
If you entered personal details or payment information:
- Change your password immediately if you entered login credentials, on every account using the same password
- Contact your bank to flag potential fraud if you entered card or bank details
- Report the quishing attempt to the NCSC at report.ncsc.gov.uk (UK) or the FTC at reportfraud.ftc.gov (US)
Frequently asked questions
Q: What is quishing?
A: Quishing is phishing carried out via QR code. A scammer uses a QR code - in an email, a text, or a physical location - to direct you to a fake website designed to steal your login details, payment information, or personal data. The QR code hides the destination URL, making it harder to spot than a plain phishing link.
Q: How do I check a QR code before scanning it?
A: If your phone camera shows a preview URL before you tap, read it carefully and apply the same checks you would to any link. Alternatively, upload a photo of the QR code to SniffTest - it extracts the destination URL and runs 17 safety checks before you visit the site.
Q: Can QR codes give my phone a virus just from scanning?
A: Scanning a QR code itself is generally safe - the risk comes from visiting the destination URL. A malicious QR code sends you to a phishing page or a site that tries to install malware, but only once you've tapped through. Checking the URL before you proceed is the key step.
Q: Are QR codes on parking meters safe to scan?
A: Not always. Scammers have targeted parking meters in multiple countries by placing fake QR code stickers over legitimate ones. Before scanning, look closely for signs of tampering - a sticker that doesn't quite fit, or a code that sits on top of another. When in doubt, use the official parking app or pay at the machine.
Q: How is quishing different from regular phishing?
A: The goal is identical - to steal your credentials or payment details via a fake website. The difference is delivery method. Standard phishing uses a visible link in a message; quishing hides the destination inside a QR code. This makes it harder for both people and automated security tools to spot before you tap.