Skip to content
All guidesGuide

Quishing (QR-code phishing)

Scammers replace or plant QR codes - on parking meters, letters, emails, restaurant tables - that lead to a fake payment or login page. Because the destination is hidden inside the code, you cannot see where it really goes until it is too late.

Reviewed by Florian Wartner · Last updated

How the scam works

Quishing is phishing using a QR code instead of a clickable link. You scan a code - printed on a letter, stuck on a parking meter or charging station, or embedded in an email - and your phone opens a website that looks like a real login or payment page.

The page is fake. Anything you enter, such as bank logins or card details, goes straight to the scammer, while the page may then forward you to the genuine site so nothing seems wrong.

Why it works and who is targeted

A QR code hides its destination, so you cannot see the web address before scanning the way you can hover over a link. People also tend to trust codes on official-looking letters or in public places like car parks.

Because the code opens on your phone, the usual warning signs are harder to spot on a small screen, and security filters that catch bad links in email may not inspect an image of a QR code. Anyone who pays for parking, expects official mail, or banks online can be targeted.

Warning signs in detail

Be cautious of a QR code that leads to a login or payment page, especially when the address shown after scanning is a lookalike domain or a shortened link you cannot read. On physical objects, watch for a sticker placed over an original code, which is a common tampering trick.

Unexpected codes in emails or letters that pressure you to verify an account or pay a fee urgently deserve the same suspicion as any phishing message.

How to protect yourself

After scanning, check the full web address before entering anything, and never log in or pay through a page reached only via an unexpected QR code. For tasks like paying for parking or banking, open the official app or type the address yourself instead.

Inspect physical codes for stickers placed on top, and treat QR codes in emails as you would any link - with caution. If you entered details on a fake page, contact your bank to block the card and change any passwords you exposed.

Warning signs

  • A QR code in an unexpected email or letter asking you to log in or pay.
  • A sticker QR code placed over the original on a machine or poster.
  • The scanned link goes to a domain unrelated to the brand.

Example

Your parcel is on hold. Scan the QR code to verify your address and pay the EUR 1.99 redelivery fee.

Made-up example - not a real message.

How to protect yourself

  1. 01Preview the URL before opening it, and check it matches the real brand.
  2. 02For payments, use the official app instead of scanning a code you were sent.
  3. 03Be suspicious of QR stickers in public places.

Already caught out?

  1. 01If you entered card or login data, block the card and change the password.
  2. 02Report the location of a tampered QR code to the operator.