Quishing Guide: Protecting Yourself from QR Code Phishing Scams

In recent years, malicious actors have consistently devised new ways to deceive users. One of the most alarming trends is “quishing”: phishing that leverages QR codes. While we previously encountered fake emails and SMS messages, fraudsters are now taking to the streets, placing stickers with malicious QR codes on lampposts, building walls, and other public objects.
What is “Quishing” and How Does It Work?
“Quishing” is a form of phishing where attackers use QR codes to redirect victims to malicious websites or to download harmful software. Fraudsters demonstrate ingenuity, making these stickers as appealing and provocative as possible. For instance, they might accompany a QR code with messages like: “John, I know you’re cheating on me, here’s the proof!” or “Your fine is unpaid, click here to avoid arrest!” Such messages evoke curiosity, panic, or a false sense of urgency, prompting individuals to scan the code without considering the consequences.
After scanning the QR code, the user is typically redirected to a fake login page for a social network, a banking application, or even a site that automatically downloads malware onto their device. The objective remains the same: to steal personal data, logins, passwords, banking information, or to infect the device with a virus.
The Scale of the Threat: Alarming Statistics
Data indicates that “quishing” is not a hypothetical threat, but a rapidly growing problem. The number of reported QR code attacks shows a striking increase.
According to Hoxhunt, a cybersecurity company, 22% of all phishing attacks today utilize QR codes. However, even more concerning is that only 36% of employees are capable of detecting such an attack. This means that a majority of people are unaware of the risks and can easily fall victim to “quishing.”
Here are some specific data points:
- According to Recorded Future reports, mentions of QR code phishing increased by 433% between 2021 and 2023. Notably, company executives faced QR code attacks 42 times more frequently than average employees in the second half of 2023.
- ReliaQuest reported a 51% increase in QR code phishing attacks in September 2023 compared to cumulative data from January to August of the same year.
- Keepnet reported over 8,000 “quishing” incidents over three months (related to June 2025), with a peak at 5,063 monthly registered cases. Analysis also showed that nearly 2% of all scanned QR codes were malicious.
- According to Egress, the proportion of QR codes in phishing attacks rose from 0.8% in 2021 to 12.4% in 2023, stabilizing at 10.8% in early 2024.
- According to CBC News, in Canada, cases of fake QR codes being placed on parking meters in Montreal and Ottawa have been recorded. The Royal Canadian Mounted Police (RCMP) in Red Deer, Alberta, also warned residents about QR code scams leading to malware.
This data clearly indicates that malicious actors are actively employing this method, recognizing its effectiveness.
Why is “Quishing” So Effective?
“Quishing” bypasses traditional security measures for several reasons.
Firstly, there is evasion of standard filters: most anti-phishing programs and email filters are configured to analyze text and links, but they are unable to “read” images. A QR code embedded in a PDF document or printed on a sticker can pass undetected by these defenses, making it an ideal tool for covert delivery of malicious links.
Secondly, there is mobile device vulnerability: individuals scan QR codes with their smartphones. While corporate computers typically have robust security systems, personal mobile devices often lack adequate antivirus software or corporate security settings. This makes smartphones an easy target for attackers, enabling them to directly impact users outside a protected corporate environment.
Finally, the psychological factor plays a significant role: provocative messages, the use of well-known company or government logos, and a sense of anonymity (scanning in public) reduce the victim’s vigilance. All these factors combined make “quishing” an extremely effective tool for cybercriminals.
Mass media, television, and even social networks warn about the dangers of quishing. Unfortunately, this has had virtually no effect.
How to Protect Yourself from “Quishing”?
Protecting yourself from “quishing” is straightforward if you follow a few basic rules:
- Be vigilant with QR codes, especially in public places. The main rule is to never scan random QR codes, particularly in public spaces. If you see a QR code sticker on a lamppost or wall, approach it with suspicion. Fraudsters frequently place their stickers over existing ones or on inconspicuous surfaces.
- Preview links beforehand. Most QR code scanners display the URL you will be redirected to before opening it. Always check this address. Ensure it is a familiar and secure domain. Pay attention to the presence of HTTPS at the beginning of the URL – this indicates a secure connection, but it does not guarantee the site’s safety, as fraudsters can use HTTPS on their fake sites. Look for typos in the domain name or suspicious characters. For example, instead of “bank.com,” it might be “banc.com” or “bank-login.xyz.”
- Use only official applications. If a QR code prompts you to download an application, always search for it in official app stores (Google Play Store for Android or Apple App Store for iOS) rather than following the link from the QR code. However, as practice shows, even reputable app stores do not always guarantee that their products are verified. The only truly safe place to download an application often turns out to be the official project websites.
- Use secure QR code scanning apps. Choose QR code scanning apps with security features like URL filtering to detect malicious codes.
- Use endpoint security solutions. Enhance mobile device security with comprehensive endpoint security solutions and MDM systems.
- Report suspicious stickers. If you discover a suspicious QR code sticker in a public place, report it to local law enforcement or utility services if possible, so it can be removed.
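The link-preview check from the list above, written out as an added example (it is not code from this site or from any scanner app): it applies the same tests a reader would do by eye to a URL decoded from a QR code. The TRUSTED allowlist, the function names and the sample URLs are assumptions, and treating the last two labels as the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Assumption: domains the user really does business with (constructed sample).
TRUSTED = {"bank.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(url, trusted=TRUSTED):
    """Return reasons to distrust a decoded QR URL; an empty list means no finding."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before "@" is not the site: https://bank.com@other.example/
        findings.append("userinfo-before-host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("non-ascii-or-punycode-host")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return findings  # HTTPS alone proves nothing, but the domain matches
    findings.append("host-not-on-allowlist")
    # Simplification: the last two labels stand in for the registrable domain.
    registrable = ".".join(host.split(".")[-2:])
    for t in sorted(trusted):
        if 0 < edit_distance(registrable, t) <= 2:
            findings.append("lookalike-of:" + t)
        elif t.split(".")[0] in host:
            findings.append("brand-in-untrusted-host:" + t)
    return findings

if __name__ == "__main__":
    for sample in ("https://bank.com/login", "https://banc.com/login",
                   "https://bank-login.xyz/", "https://bank.com@other.example/"):
        print(sample, "->", review_qr_url(sample) or "no findings")
```

A URL that produces any finding should be opened only after confirming the address through a channel other than the QR code itself.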
“Quishing” has become a serious threat that demands increased vigilance. Curiosity and carelessness can lead to significant financial losses. Never forget that there is no such thing as a free lunch.
Be cautious, verify information, and share this knowledge with your loved ones to collectively counter new forms of cybercrime.