What is quishing? QR code phishing explained

Have you received a strange email asking you to scan a QR code to unlock a great deal? Beware – instead of an amazing special offer, you may be getting scammed. QR code phishing attacks, known as “quishing,” are on the rise as cybercriminals look for new ways to steal your data or infect your device with malware.
Learn the signs of quishing so you can steer clear of QR code fraud!

by Alyssa Schmitt
Man looks at smartphone with concerned expression
Think twice before scanning an unknown QR code - it could be a scam.

What is “quishing”?

The word “quishing” may sound all cute and squishy, but quishing is something to take seriously. A combination of the words “QR code” and “phishing,” it means scamming people with a phishing email that contains a QR code.
Bonus explainer: What is a QR code?
Are you asking yourself “QR-what?” For an explainer on QR codes, see: What does QR stand for and how to use a QR code

What does a quishing attack look like?

Like a “regular” phishing email, a quishing email is designed to trick you into falling for a scam. The scammers may be trying to steal passwords or other personal data or to infect your device with malware. The email itself will imitate a trusted sender like your bank or a reputable ecommerce platform. It will try to create a sense of urgency by claiming there is a problem with your payment or a limited-time special offer, so you have to act now. But instead of a link for you to click, a quishing email will contain a QR code that you are supposed to scan ASAP.
Pro tip: Protect yourself from phishing
Need a refresher on phishing scams and how to avoid them? See our explainer Phishing emails: How to protect yourself

What happens if you scan a fraudulent QR code?

In a quishing email, the QR code serves the same purposes as a malicious link in a classic phishing mail. If you scan it:
  1. You might be redirected to a phishing website: Scammers have grown increasingly skilled at imitating the homepages of legitimate organizations. When you see the familiar page and logo, you might think nothing of entering the requested personal data, such as your address and telephone number, credit card number, and banking PIN. But all of this information goes to the cybercriminal, who can use it for, e.g., financial fraud or identity theft.
  2. Your device might be infected with malware: The QR code could be set up to automatically start a download when you scan it. The content might be malware, ransomware, spyware, etc.
  3. You might be asked to enter login data for an online account: The QR code may open a fake login window that asks for your username and password. For example, the quishing email claims there is a problem with your Amazon delivery and asks you to scan the QR code to log in and correct the issue. If you do so, the scammer now has your Amazon password and can access that account.

Why are criminals turning to QR code phishing scams?

Many cybersecurity experts have reported an uptick in quishing and QR code fraud in 2023. This is because, from a criminal point of view, quishing offers some advantages over conventional phishing. First off, most of us now know better than to click on a sketchy link in an email and know how to check if a URL is safe. But QR scams are not as well known, so it can be easier to trick people with them.

Fraudulent QR codes can also more easily circumvent our digital security systems: the QR code is attached as an image file, which is not classified as a threat. And finally, even if you receive the quishing email on your computer, scanning the code forces you to move to your mobile device, which often has weaker antivirus and anti-phishing protections.

How to stay safe from quishing

Here are five things you can do to avoid the dangers of QR code phishing:
  1. Never, ever scan a QR code in an email from an unfamiliar sender.
  2. Familiarize yourself with the signs of a phishing email – e.g., a sense of urgency, small mistakes in the email and the sender address – and never click on links or scan QR codes if anything “feels off.”
  3. When you scan a QR code on your phone, a preview of the URL will pop up. Don’t click on any unfamiliar or shortened links, and look for slight misspellings in familiar names, e.g. mall.com instead of mail.com.
  4. If the QR code takes you to a page that asks for your login credentials, never enter them there. If you think there might be a legitimate concern with a purchase, delivery, or online account, visit the company’s website directly in your browser or call the business by phone.
  5. Follow security best practices: Use strong, unique passwords for all your online accounts and keep your devices and software up to date.
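The URL-preview check from tip 3, written out as an added example (it is not part of the original article): it takes the text decoded from a QR code and flags shortened links, lookalike spellings such as mall.com, and hosts hidden behind an “@”. The trusted-domain and shortener lists and all function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for this example: domains you expect, and a few known shorteners.
TRUSTED = {"mail.com", "amazon.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_qr_url(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme!r})"]
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or "@" in parts.netloc:
        warnings.append("text before '@' hides the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host, may display as a lookalike name")
    domain = registrable(host)
    if domain in SHORTENERS:
        warnings.append(f"shortened link via {domain}, destination hidden")
    elif domain not in TRUSTED:
        near = [t for t in TRUSTED if edit_distance(domain, t) <= 2]
        if near:
            warnings.append(f"{domain} looks like {sorted(near)[0]} but is not")
        else:
            warnings.append(f"unfamiliar domain {domain}")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real campaigns.
    for url in ("https://mail.com/", "https://mall.com/login", "https://bit.ly/abc"):
        print(url, "->", check_qr_url(url) or "no warnings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.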
Good to know: QR code fraud is not just for emails
Since the COVID pandemic, when legitimate businesses started using QR codes for contactless transactions, a lot of people don’t give a second thought to scanning them. Unfortunately, scammers are taking advantage of this by putting up fraudulent QR codes in public places, e.g. on parking meters, and tricking people into entering their payment information. For more information, see this Better Business Bureau scam alert.

We hope this post will help you steer clear of quishing and other QR code scan scams. Please leave us some feedback below! And if you still don’t have a free mail.com email, why not create an account today?

Images: 1&1/ GettyImages
