How the scam works
Quishing is phishing using a QR code instead of a clickable link. You scan a code - printed on a letter, stuck on a parking meter or charging station, or embedded in an email - and your phone opens a website that looks like a real login or payment page.
The page is fake. Anything you enter, such as bank logins or card details, goes straight to the scammer, while the page may then forward you to the genuine site so nothing seems wrong.
Why it works and who is targeted
A QR code hides its destination, so you cannot see the web address before scanning the way you can hover over a link. People also tend to trust codes on official-looking letters or in public places like car parks.
Because the code opens on your phone, the usual warning signs are harder to spot on a small screen, and security filters that catch bad links in email may not inspect an image of a QR code. Anyone who pays for parking, expects official mail, or banks online can be targeted.
Warning signs in detail
Be cautious of a QR code that leads to a login or payment page, especially when the address shown after scanning is a lookalike domain or a shortened link you cannot read. On physical objects, watch for a sticker placed over an original code, which is a common tampering trick.
Unexpected codes in emails or letters that pressure you to verify an account or pay a fee urgently deserve the same suspicion as any phishing message.
How to protect yourself
After scanning, check the full web address before entering anything, and never log in or pay through a page reached only via an unexpected QR code. For tasks like paying for parking or banking, open the official app or type the address yourself instead.
Inspect physical codes for stickers placed on top, and treat QR codes in emails as you would any link - with caution. If you entered details on a fake page, contact your bank to block the card and change any passwords you exposed.