What is quishing? Here’s how QR code phishing works

Dawna Roberts

Apr 4, 20245 min read

What is quishing? Here's how QR code phishing works: Header image

When it comes to cyber threats, you might find yourself wondering, “What will be next?” Quishing is a term used to describe a relatively new type of attack designed to cause chaos and commit fraud. And what’s the delivery method? Scannable QR codes. 

Keep reading to learn more about quishing, what it is, and how it works. We also cover some famous real-life examples and how to detect a QR code scam. Plus, you’ll learn what to do if you fall victim and how to protect yourself from this type of scam.

What is quishing?

A quick response (QR) code is a variant of the traditional bar code used to store information. In recent years, QR codes have become popular due to their ability to be scanned by smartphone cameras and utilized in apps.

QR codes can be programmed to open URLs, making it easier for users to visit websites and log in to accounts without having to type web addresses. But, inevitably, this technology has been hijacked by cybercriminals.

QR phishing, also known as “quishing,” is a new type of phishing attack where hackers use QR codes to redirect victims to malicious websites so they can infect their devices with malware or ransomware.

The goal of quishing is to steal information like login credentials, credit card numbers, or personally identifiable information for identity theft, fraud, or other nefarious purposes.

Is QR code phishing on the rise?

The ease of use associated with QR codes has prompted attackers to increasingly target victims through QR scams. Researchers predict that by 2025, roughly 99.5 million people will use their phones to scan QR codes, opening the door to even more scams.

Another reason this type of scam is on the rise is that QR codes often sneak through email security protections without being detected as fraudulent. 

How a quishing scam works

Quishing scams work by ensnaring victims to scan QR codes or click malicious links via email. Here’s how the scenario works.

1. The quishing email is sent

In some cases, hackers will send you a quishing email with a QR code and urge you to scan it to receive a free gift, collect a prize, or respond to a problem. Often, a scammer will pretend to be from a legitimate source to gain the victim’s trust. 

2. The user scans the QR code

A user receives an email and quickly reads it without realizing it is a scam. The user then scans the QR code with their mobile device. 

3. The user lands on a fake site

The QR code opens a web browser leading to a malicious website where the user enters personal information or their device is infected with malware (possibly spyware or ransomware).

4. The scammer wins

The scammer has now stolen your login credentials, along with any other information you entered. They may have infected your device, which they can now control or use to steal your additional information. 

Real-life examples of quishing scams

The number of ways a scammer could fool you is unlimited. However, be on the lookout for a couple of common real-life quishing scams like the following.

Netflix quishing scams

You get an email that looks like it’s from Netflix. It has the Netflix logo, along with the signature red color. The content says, “Your account has been suspended.” Before you turn on your TV to check to see if Netflix is working fine, you scan the QR code. The page you land on looks sort of like Netflix, and it asks you to log in to fix your account.

The problem is, you aren’t really on Netflix. You are on a fraudulent website. If you enter your username and password, the information will go straight to the scammers.

This common ploy is how hackers get ahold of Netflix accounts. They then lock the owner out by changing the password and then sell your account on the dark web. 

A screenshot of the Netflix main page.
Netflix is a trademark of Netflix, Inc.

FedEx quishing scams

Another compelling quishing attack starts with an email claiming to be from FedEx. The email states that the target’s package is being held at a shipping facility due to an incorrect mailing address. If the recipient has any packages on the way, they may panic and scan the QR code and visit the website.

The website that appears, however, is fraudulent. It has nothing to do with any actual deliveries and is designed solely to steal information or money. Any information the user enters in the hopes of ensuring delivery goes straight to the attacker.

A screenshot of a FedEx quishing attack.
FedEx is a trademark of Federal Express Corporation and FedEx Office Office and Print Services, Inc.

How to detect a QR code scam

Knowing how to detect a quishing scam is half the battle. Use these signs below to watch out for scams and avoid being caught.

Unsolicited QR codes

If you receive “too good to be true” offers or urgent emails that contain QR codes, do not scan them. Great offers don’t just walk through the door. Anyone offering you something unsolicited is probably a scammer.

Strange sources

Check to verify where the email came from. If, for example, an email claims to be from FedEx but the email address is a Gmail account, let that be a warning to you. 

A screenshot showing an example of a fraudulent email sent from a scammer.
Paramount+ is a trademark of Paramount Global.

Poor grammar

Check the spelling and grammar on any supposedly urgent emails you receive. A legitimate source would never send you an email riddled with misspellings. Additionally, scammers sometimes use domain names with slightly misspelled words, with the hope that it’s close enough to pass for the real thing (for example, Netflick instead of Netflix). Carefully examine everything. 

What to do if you fall victim to quishing

If you fall victim to quishing, don’t panic. You are not alone. Many people have fallen victim to online scams. If it happens to you, follow the steps below as quickly as possible:

  1. Immediately change your password for the potentially compromised account.
  2. Contact the company (e.g., Netflix, FedEx, etc.) and notify them of the fraud.
  3. Report the fraud to your local police and/or the Federal Trade Commission. 
  4. Keep a close eye on your bank and credit card accounts. Get a copy of your credit report and look for unusual activity. 

How to protect yourself from a QR code phishing scam

Quishing is just another type of scam perpetrated by hackers looking for free money. Use the tips below to stay safe from quishing and other types of scams. 

  • Never click links or scan QR codes in suspicious emails. If you get an email that alarms you, don’t click or scan anything. Instead, calmly contact the company by visiting their website and verifying anything you find in the email.
  • Always use long, strong passwords. In addition to using strong passwords, never give your login credentials out to strangers or use them on websites without first verifying the URL.
  • Never download from an unsafe site. Don’t download free software or use QR codes to get sample programs. They could be laced with malware. 

Scammers will never quit, so it is imperative that you educate yourself on the various ways they might try to trick you. Always be on the lookout for scams. By taking a few extra minutes to verify everything, you can avoid a lot of headaches later. 

Dawna Roberts Dawna Roberts
Dawna has spent her entire career in web dev, cybersecurity, and IT. Her work has been featured on Forbes, Adobe, Airtable, Backblaze, Cyberleaf, Lifewire, and other online publications for the past ten years.