Quishing (QR code phishing)

Quishing (QR + phishing) exploits the ubiquity of QR codes in physical and digital environments. A fraudulent QR code — placed over a legitimate parking meter, sent in an email, or posted in a flyer — directs the scanner's camera to a phishing website when scanned.

QR codes are attractive to attackers because: users typically cannot inspect the URL before scanning; mobile devices that scan them often have fewer security protections than desktop browsers; and physical placement on legitimate infrastructure (charging stations, parking meters, restaurant tables) lends credibility.

Signs of a compromised QR code include a sticker placed over the original code, and a URL that doesn't match the expected brand after scanning. Preview the URL before proceeding, and navigate to important services (banking, payments) directly rather than via QR code where possible.