2check.click

6 min read Last updated: June 2026

What Is Quishing? Complete Guide to QR Code Phishing Attacks

Quishing is a phishing attack that uses QR codes instead of traditional links. Attackers hide malicious destinations inside QR codes and trick victims into scanning them with a smartphone. Once scanned, the victim may be redirected to a fake login page, fraudulent payment portal, malware download, or credential harvesting website.

As QR codes become more common in restaurants, parking systems, payments, marketing campaigns, logistics, and authentication systems, attackers have increasingly adopted them as a phishing tool. Many users trust QR codes more than links because the destination is hidden until after the code is scanned.

Table of Contents

  1. What is quishing?
  2. How QR phishing works
  3. Why quishing is growing
  4. Common QR scam types
  5. Real-world examples
  6. How attackers hide malicious destinations
  7. Warning signs
  8. Quishing vs phishing vs smishing
  9. How to safely check a QR code
  10. What to do after scanning a suspicious QR code
  11. Business risks
  12. FAQ

What Is Quishing?

The term quishing combines the words QR and phishing. Instead of asking a victim to click a suspicious URL, the attacker encourages them to scan a QR code.

The QR code may appear in:

  • Email messages
  • SMS messages
  • Printed advertisements
  • Restaurant tables
  • Parking meters
  • Invoices
  • Package notifications
  • Public posters
  • Social media posts

Once scanned, the QR code sends the victim to a destination controlled by the attacker.

How QR Phishing Works

Step 1. The attacker creates a QR code

The QR code contains a URL, payment request, login page, or malicious destination.

Step 2. The QR code is distributed

The attacker places it in emails, public locations, advertisements, documents, stickers, or social media content.

Step 3. The victim scans the code

Most smartphone users scan QR codes without carefully inspecting the destination.

Step 4. The victim is redirected

The QR code opens a phishing page, payment portal, login form, or malware delivery site.

Step 5. Information is stolen

The attacker collects credentials, payment details, verification codes, or personal information.

Why Quishing Is Growing So Quickly

QR code phishing is attractive to attackers for several reasons.

  • The destination is hidden until scanning.
  • QR codes bypass some traditional email filters.
  • Users trust QR codes.
  • Mobile devices hide URL details.
  • QR codes are increasingly used in daily life.

As organizations encourage QR-based authentication, payments, menus, tickets, and registrations, attackers gain more opportunities to abuse the technology.

Common Types of QR Code Scams

Parking Meter Scams

Attackers place fake QR stickers over legitimate payment QR codes. Victims unknowingly submit payment information to criminals.

Restaurant Menu Scams

A QR code leads to a fake menu, fake payment page, or credential harvesting website.

Package Delivery Scams

The victim receives a QR code that claims to provide tracking or address verification.

Bank Verification Scams

A QR code claims to verify banking information but actually collects credentials.

Crypto Wallet Scams

Attackers use QR codes to redirect cryptocurrency payments to their own wallets.

Corporate Login Scams

Employees receive QR codes that imitate Microsoft 365, Google Workspace, VPN portals, or company authentication systems.

Real-World Quishing Examples

Fake Microsoft QR Login

An employee receives an email with a QR code claiming that security verification is required. The QR code leads to a fake Microsoft login page.

Parking Payment Fraud

A driver scans a QR code attached to a parking machine. The code directs payment information to criminals.

Fake Package Tracking

A QR code promises delivery tracking updates but redirects users to a phishing website.

Event Ticket Scam

A fraudulent QR code on social media claims to provide ticket access but instead collects credentials or payment information.

How Attackers Hide Malicious Destinations

  • Shortened URLs
  • Redirect chains
  • Typosquatting domains
  • Lookalike brands
  • Punycode domains
  • Homograph attacks
  • URL encoding techniques

The victim sees only a QR image and may never inspect the destination domain.

Warning Signs of a Dangerous QR Code

  • The QR code appears unexpectedly.
  • The QR code requests payment.
  • The destination asks for credentials.
  • The QR code is attached over another code.
  • The message creates urgency.
  • The destination domain does not match the claimed brand.

Quishing vs Phishing vs Smishing

Attack TypeDelivery MethodMain Risk
PhishingEmailCredential theft
SmishingSMSPayment and account fraud
QuishingQR CodesHidden malicious destinations

How To Check a QR Code Safely

  1. Preview the destination before opening it.
  2. Inspect the domain name carefully.
  3. Look for brand impersonation.
  4. Avoid entering passwords immediately.
  5. Be cautious with payment requests.
  6. Analyze QR destinations before visiting them.

2check.click allows users to upload QR images, decode destinations, inspect redirects, detect phishing indicators, identify lookalike domains, and evaluate risks before opening the destination.

What To Do If You Scanned a Suspicious QR Code

If You Only Opened the Page

  • Close the page.
  • Do not submit information.
  • Review the destination domain.

If You Entered Credentials

  • Change passwords immediately.
  • Enable multi-factor authentication.
  • Review account activity.

If You Entered Payment Information

  • Contact your bank.
  • Monitor transactions.
  • Consider replacing affected cards.

Business Risks From Quishing

Organizations increasingly use QR codes for authentication, onboarding, events, logistics, and payments. Attackers exploit these workflows to target employees.

A successful quishing attack may result in:

  • Account compromise
  • Credential theft
  • Business email compromise
  • Financial fraud
  • Unauthorized access
  • Data breaches

Prevention Checklist

  • Inspect QR destinations before opening them.
  • Train employees about QR scams.
  • Use multi-factor authentication.
  • Verify payment requests independently.
  • Analyze suspicious QR codes.
  • Avoid scanning unexpected codes.

Frequently Asked Questions

What is quishing in simple terms?

Quishing is phishing that uses QR codes instead of traditional links.

Can a QR code itself be malicious?

The QR image itself is not usually dangerous. The risk comes from the destination it opens.

Why do attackers use QR codes?

QR codes hide the destination and often bypass security controls designed for ordinary links.

Can quishing target businesses?

Yes. Many modern attacks target employees using fake authentication and login pages.

Related Guides

Final Thoughts

Quishing has become one of the fastest-growing phishing techniques because QR codes hide destinations and encourage quick actions. Attackers know that many users trust QR codes and rarely inspect where they lead.

The safest approach is simple: treat QR codes the same way you treat links. Verify the destination, inspect the domain, and analyze suspicious QR codes before opening them.

Need to inspect a QR code safely? Upload it to 2check.click and review the destination before visiting it.

Popular Guides

Received a suspicious link?

Analyze it now →

Related Articles