Quishing: What is QR Code Phishing and How to Fight Back

QR codes became part of everyday life during and after the COVID pandemic. Restaurants replaced paper menus, parking meters offered contactless payments and public services adopted scan-to-access systems. It was convenient, and convenience became habit. But that shift also created a new way for fraudsters to operate, specifically through a practice called “quishing”.

What is quishing? 

Quishing is phishing via QR code. In this scheme, QR codes are used to redirect victims to malicious websites designed to steal payments, credentials, or financial information. Unlike traditional phishing emails, quishing often originates in physical spaces, on parking meters, posters, or street signage, making it harder to detect. Since it is both effective and cheap to implement, quishing is growing in popularity. QR codes are inexpensive to produce, easy to distribute, and difficult to monitor once placed in public spaces, with detection often occurring only after victims report fraudulent transactions.

How quishing works

A typical quishing attack begins with a QR code that appears legitimate but takes you to a malicious link. The fraudulent URL is usually hidden inside a QR image, often printed on a sticker placed over a parking meter, embedded in a PDF, or stuck to a poster. You scan something that looks legitimate, land on a convincing fake payment page, enter your card details. In some cases the site even processes a small payment to avoid suspicion while harvesting credentials in the background.

The physical placement of the QR code plays an important role. A QR code on a parking meter, for example, carries an implicit endorsement from the surrounding infrastructure. People are in a hurry, the context feels official, and scrutiny drops. 

Quishing cases in Europe

In 2025, QR-based scams were reported across multiple European countries.

In Málaga, Spain fraudsters placed counterfeit QR stickers directly over the real codes on parking meters. Drivers paid, or thought they did, while funds and sensitive credi card details went to criminals. 

Similar scams turned up in the UK. The Guardian reported warnings about fake QR codes on parking machines pointing to spoofed payment pages. The scams relied on slight domain variations and convincing design to avoid suspicion. Many users did not manually type the URL or verify the domain; the scan itself was treated as proof of legitimacy.

The Financial Times made the broader point: as QR codes spread into payments and ticketing, attackers follow.

Back in October 2024, the Financial Times had expanded the discussion beyond individual parking scams, pointing to the broader implications of QR-based phishing as part of the evolving fraud ecosystem. As businesses and public services integrate QR codes into payments, ticketing and authentication processes, attackers have learnt to exploit this trust channel. 

Why quishing is a domain problem in disguise

At first glance, quishing appears to be a QR-code problem. In reality, the QR code is only a delivery mechanism. The vulnerability lies not in the QR technology itself, but in the infrastructure behind it.

Every malicious QR code resolves to a web address. That domain is where credential harvesting, payment interception, and malware delivery occur. Fraudsters register convincing lookalike sites fast, often hours before an attack, and take them down just as quickly after being reported.

Several recurring patterns emerge in quishing campaigns:

• Newly registered domains created days or hours before the attack.
• Brand-spoof domains that resemble official operators but include subtle misspellings.
• Homograph attacks, where visually similar characters are substituted to evade casual inspection.
• Short-lived hosting setups designed to disappear quickly after detection.
• Frequent ASN or hosting changes to avoid reputation tracking.

These signals are not unique to QR-based scams. The same infrastructure tactics appear in fake e-commerce shops, investment scams, and merchant fraud schemes. What changes is the entry point. Instead of clicking on a phishing email, the victim scans a code in a trusted physical environment, which is what makes quishing particularly effective. The QR code shifts attention away from the destination domain. Users focus on the convenience of the scan rather than the legitimacy of the website that loads. On mobile devices, the full URL may not even be visible without deliberate inspection.

What emerges is that quishing is really a domain trust problem. Attackers win because the fake site looks credible long enough for you to hand over your details.

How to fight back: deep online due diligence in real time

The same principles used to detect fake online businesses in other contexts apply to quishing attempts as well. 

As outlined in Trustfull’s guide on identifying fake businesses online, scrutiny of the domain is often the fastest way to uncover deception. If quishing succeeds at the domain level, defense must begin there as well. 

Deep online due diligence on a specific web domain examines the infrastructure behind a website, including domain age, registration patterns, hosting history, certificate metadata, and brand impersonation signals, to determine whether the destination behaves like a legitimate operator or a short-lived fraud setup. 

Whether performed manually or through automated domain intelligence systems, several checks can help detect suspicious QR destinations instantly:

• Examine the full URL carefully before entering any details.
• Check whether the domain matches the official brand exactly.
• Look for subtle spelling variations or additional words in the domain name.
• Verify that the site uses a legitimate and expected certificate issuer.
• Observe whether the page redirects through multiple unfamiliar domains.

In many cases, a simple domain age check would reveal that the site was registered days earlier, a strong signal that it is not a long-standing municipal or corporate operator.

Practical advice for end users

Users should avoid entering payment details immediately after scanning a QR code in public. Whenever possible, it is safer to use the official mobile app already installed on the device rather than a web page reached through a QR scan. Established apps reduce exposure to spoofed domains and impersonation tactics.

Ultimately, quishing depends on a brief window of trust. Reducing that window, even by a few seconds of inspection, can disrupt the attack.

FAQs

What is quishing, and how is it different from traditional phishing?
Quishing is a phishing attack that uses QR codes to redirect victims to malicious websites. Unlike email phishing, the malicious link is hidden inside a QR image and often appears in trusted physical environments.

Why has quishing increased in recent years?
QR code adoption expanded significantly after the COVID pandemic across payments, menus, ticketing, and public services. This widespread familiarity created new opportunities for attackers to exploit scan-based trust.

Can security software detect quishing automatically?
Traditional email filters may not detect malicious URLs embedded inside QR code images or PDFs. Detection often depends on domain intelligence and real-time infrastructure analysis rather than visible link inspection.

What are the warning signs that a QR code might be a scam?
It is good practice to check the URL for spelling variations, multiple redirects or strange graphic cues, before entering anything. On the physical side, look for QR stickers that appear to have been placed over the original code on parking meters or signage. And when in doubt, skip the QR code entirely and use the official parking app or find the relevant site through a search engine instead.

Is quishing only a consumer threat?
No, the same domain impersonation tactics used in quishing also appear in ecommerce fraud, investment scams, and merchant onboarding fraud. Organizations face similar risks when verifying digital identities and business legitimacy.

Follow Trustfull on LinkedIn for insights into emerging fraud threats and the intelligence strategies that help spot them early.