🌿QRMint

What is Quishing? QR Code Phishing Explained

A growing attack vector that bypasses email filters by hiding the malicious URL inside a picture.

Last updated: 2026

Quishing — short for "QR phishing" — is one of the fastest-growing cybercrime techniques. Attackers paste fake QR stickers over real ones (parking meters, restaurant menus, EV chargers) or send QR codes by email, knowing scanners do not show the destination URL until you tap. This guide explains how the attack works, the warning signs, and the role of static QR transparency in defending against it.

Illustration: bank.example.com/login (legitimate) vs. bank-secure-login.top/phish (phishing)

Step-by-step Guide

1. How quishing works

The attacker generates a QR code that points to a phishing page (a fake bank login, a fake parking payment form). The QR is then placed over a legitimate one, mailed on a fake invoice, or attached to an email.

2. Why it bypasses email filters

Most email security tools scan URLs in the body. A QR code is just an image, so the URL it encodes is invisible to those filters. The user decodes the URL by scanning, on a personal device that often has weaker protections.

3. Real-world examples

Fake parking meter stickers in U.S. cities, fake restaurant tip QR codes, fraudulent shipping notification emails, and fake EV charger payment QR codes have all been documented in 2024–2025.

4. Spot the warning signs

A QR sticker that looks freshly applied over an older surface, a QR in an unexpected email, a QR that resolves to a domain that does not match the brand, or a QR asking you to log in immediately — all are red flags.

5. Use scanner apps that preview the URL

iOS Camera, Google Lens, and most reputable scanner apps show the URL before opening. Always read it. If the domain is unfamiliar or uses tricks like "rn" in place of "m", do not tap.

6. Static QR transparency for businesses

For your own QR codes, prefer static QR codes that point directly to your real domain. There is no redirect for an attacker to hijack, and security teams can verify the destination by scanning a single sample.


Tips & Best Practices

  • Train staff and customers to read the URL preview before tapping any QR.
  • For physical QR signage, laminate or print on tamper-evident material so stickers are visible if applied on top.
  • Periodically scan your own deployed QR codes to verify nothing has been replaced.
  • Static QR makes audits dramatically easier — there is only one URL ever, and it is visible in any scanner.
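The periodic self-audit from the tips above can be scripted. This is an added example, not QRMint's code: it compares the text decoded from each deployed sign with the one URL that sign should encode, applying the domain-mismatch and look-alike warning signs from step 4 and step 5. The inventory, sign id, status strings and sample scans are constructed, and the substitution table is a small assumed sample.

```python
from urllib.parse import urlsplit

# Constructed inventory: sign id -> the single URL its static QR code should encode.
EXPECTED = {"lobby-poster": "https://bank.example.com/login"}

# Look-alike substitutions such as "rn" for "m" (assumed sample, not exhaustive).
FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold(host):
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    for fake, real in FOLDS:
        host = host.replace(fake, real)
    return host


def check_scan(sign_id, decoded):
    """Classify the text a scanner decoded from one deployed sign."""
    want = urlsplit(EXPECTED[sign_id])
    try:
        got = urlsplit(decoded.strip())
        # .hostname lower-cases and ignores any "user@" prefix, so
        # "https://bank.example.com@other.host/" is judged by its real host.
        host, port = (got.hostname or "").rstrip("."), got.port
    except ValueError:
        return "unparseable"
    if got.scheme != "https" or not host:
        return "not-https-url"
    if host != want.hostname:
        same_shape = fold(host) == fold(want.hostname)
        return "lookalike-host" if same_shape else "foreign-host"
    if port not in (None, 443) or (got.path, got.query) != (want.path, want.query):
        return "same-host-changed"
    return "ok"


def audit(scans):
    """Return only the (sign id, status, payload) rows that need a site visit."""
    rows = [(sid, check_scan(sid, text), text) for sid, text in scans]
    return [row for row in rows if row[1] != "ok"]


if __name__ == "__main__":
    # Constructed scan results, as a phone or handheld scanner would report them.
    sample = [("lobby-poster", "https://bank.example.com/login"),
              ("lobby-poster", "https://bank-secure-login.top/phish"),
              ("lobby-poster", "https://bank.exarnple.com/login")]
    for row in audit(sample):
        print(*row, sep="\t")
```

Because a static code has exactly one correct payload, anything other than `ok` means the printed code was swapped or covered.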

FAQ

Can a QR code itself be a virus?
No. A QR is just encoded text (usually a URL). The danger is what happens after you tap the URL — a phishing page or malware download.

Is iOS or Android safer for scanning QR codes?
Both show the URL preview in their built-in camera before opening. The user still has to read it. Neither OS will block a phishing page on its own.

Are dynamic QR codes more vulnerable to quishing?
They can be — if the dynamic QR provider is compromised, every code routed through it could be redirected. Static QR codes have no such single point of failure.

What should I do if I scanned a phishing QR?
Close the page immediately, do not enter credentials, change passwords if you typed any, and report the QR to the venue or to your IT/security team.
