Warning: Malicious QR codes ('quishing') in emails and on stickers
Scammers are placing fake QR codes in emails, on posters, and over legitimate stickers in public places to redirect people to phishing or payment-harvesting sites.
QR code phishing — sometimes called quishing — involves replacing or overlaying a legitimate QR code with one that points to a malicious site. In the physical world, stickers bearing fake codes have been found on parking meters, restaurant tables, EV charging points, and promotional displays. In digital form, malicious QR codes appear in emails impersonating banks, courier services, and government agencies.
Because most people cannot visually inspect where a QR code leads before scanning, the technique sidesteps link-based email filters and the habit of hovering over URLs. After scanning, victims land on convincing-looking pages that harvest login credentials, card details, or personal information.
Always check whether a physical QR code sticker looks tampered with or placed over another label, and preview the URL your device shows before proceeding.
What to do
- Pause before scanning — check whether a physical sticker looks as if it has been placed over another label
- Preview the URL shown after scanning before opening it
- Do not enter payment or login details on a page reached by QR code in an unsolicited email
- Use official apps rather than QR codes for parking, payments, and services where possible
- Report suspicious QR codes on public infrastructure to the venue or authority