What is 'quishing' and why is it suddenly showing up everywhere from parking signs to restaurant tables?
Quishing is phishing carried out through QR codes instead of clickable links. Scammers place fake QR codes in public places or send them in messages because phones often can't preview the destination, making it easy to redirect people to fraudulent sites.
Last reviewed: 5 July 2026
Explanation
QR codes became far more common after being widely adopted for menus, parking payments, and contactless check-ins, and scammers followed that adoption by producing their own fake codes designed to blend into the same everyday contexts. A quishing attack can involve a sticker placed over a genuine QR code in a public location, a fake code printed on a flyer or fake parking ticket, or a code embedded in an email or text message.
What makes quishing particularly effective is that most people have learned some caution around suspicious text links but far less around QR codes, partly because scanning a code feels like a physical, real-world action rather than a digital one, and partly because many phone cameras open the resulting link automatically or show only an abbreviated preview that's easy to misread. The destination is often a fake payment page, a fake login page, or a page that silently installs malware.
Before scanning any QR code in public or from a message, it's worth checking whether it looks tampered with, such as a sticker slightly misaligned over a machine or sign, and after scanning, carefully reading the full destination web address before entering any information, rather than trusting the page simply because it loaded after a scan.
Common red flags
- QR code sticker looks slightly misaligned or placed over what appears to be an original code
- Code appears in an unsolicited text or email asking you to 'verify,' 'pay,' or 'claim' something
- Destination web address doesn't match the organization the QR code claims to represent
- Page asks for payment or login details immediately after scanning with little other content
- QR code found in a location where it doesn't otherwise fit the surrounding official signage
- Urgency or an unusually good offer displayed on the page the code leads to
What to do now
- Check a QR code for signs of tampering, such as a sticker over an existing official code, before scanning
- Read the full destination web address after scanning before entering any information
- Avoid scanning QR codes from unsolicited texts or emails altogether
- Use a manually typed, known web address instead of scanning when paying for something like parking
- Report suspicious or tampered QR codes to the venue, business, or authority responsible for the location
- If you entered details on a fake page, change any reused passwords and contact your bank if payment information was involved
Frequently asked questions
Are QR codes inherently unsafe to use?
No, most QR codes are legitimate and safe, but the format hides the destination until after scanning, which scammers exploit. Caution should be applied similarly to how you'd treat an unfamiliar text link.
How can I check a QR code's destination before committing to anything on the page?
Most phones show the link preview briefly before opening it fully — read this carefully, and once on the page, check the full address bar rather than assuming the page is legitimate just because the code scanned successfully.