Quishing is the QR-code version of phishing. The attacker builds a QR code whose URL points to a fraudulent site, then slips it onto a parking meter, into an unsolicited package, at the foot of an email, or on a public poster. The victim scans without suspicion, lands on a page imitating the targeted brand, and types in credentials or banking details. The technique has exploded since 2023, to the point that the FBI's Internet Crime Complaint Center (IC3) issued a public alert in 2025 about unsolicited packages containing QR codes used to initiate fraud schemes.
On the defensive side, two questions keep coming up: how does an end user recognize a suspicious QR, and how does a business protect its own campaigns so a fraudster cannot divert traffic from one of its printed materials? This article covers both, with a comparison table of the most common scams, a reflex checklist on the user side, and an action plan on the marketing or IT side.
If you are new to QR codes in general, see What is a dynamic QR code exactly? first. To understand why a QR may suddenly stop working without being malicious, go straight to .
What quishing is exactly
The word "quishing" combines QR and phishing. The mechanism mirrors classic phishing: lure a victim onto a page that impersonates a trusted service to harvest credentials or banking data. The difference is the delivery channel: instead of a link in an email, the trap is a physical or printed QR code.
That shift from click to scan has a perverse effect. On a phone, the user sees the destination URL less clearly than on a desktop. Email-security filters that analyze links do not read the QR matrix: an email containing only an image with an embedded code passes inspection. Once on the fraudulent page, the session unfolds on the personal phone, outside corporate IT protections.
According to the FBI's IC3 advisory, fraudsters have escalated to mailing unsolicited packages that include "verification" QR codes prompting recipients to type personal or financial information.
How it works technically
Three steps, low resources.
Preparation. The attacker buys a domain that resembles the target (secure-payment-bank.com instead of bank.com), builds a visually imitated landing page, then generates a QR pointing to that domain. The QR can be static or dynamic: static is faster to produce, dynamic lets the attacker rotate the target mid-campaign to evade blocklists.
Distribution. The QR is printed on stickers stuck over the official QR on a parking meter, restaurant menu, or charging point. Digital variant: an email with the QR as an image, sometimes accompanied by "Activate your new card by scanning the code attached". Another variant the FBI flagged in 2025 is the unsolicited package mailing containing a "verification" QR.
Exploitation. Once the victim is on the fake page, two scenarios: direct credential capture (login + password + 2FA) or download of malware that installs on the phone. On Android, installation is technically possible if the user authorizes third-party sources. On iOS, the attack typically caps at credential theft via a fake web page.
Most common quishing techniques in 2026
| Technique | Support | Targeted user | Detection tell |
|---|---|---|---|
| Parking-meter sticker | Street furniture | Hurried drivers | Misaligned sticker, glued over another |
| Fake menu QR | Restaurants, bars | Seated customers | Removable sticker, not integrated into the printed menu |
| Email with embedded QR | Work inbox | Remote employees | Urgency-styled message, unusual sender |
| Unsolicited postal package | Physical mail | Individuals | Unexpected "gift", asked to scan to "validate" |
| Hijacked public signage | Stations, transit | Travelers | QR pasted over another, not in operator's brand |
| Payment terminal | Contactless terminals | In-store buyers | Recent sticker on the terminal, contrasting with wear |
How end users protect themselves
Four reflexes beat any antivirus.
Read the URL before opening. Most recent smartphones display the URL in a bottom notification after a scan. If the address does not exactly match the expected domain (with a subtle variation, an extra dash, a typo), do not open.
Beware of double-layer stickers. On parking meters, restaurant menus and public terminals, a recent sticker glued over another is the number-one warning sign. Official QRs are integrated into the printed material, never added by hand.
Never type credentials after an unsolicited scan. A bank, a public service or a telecom operator will never ask you to "verify your credentials" via a QR received by mail or email. If in doubt, open the official site manually in the browser without going through the QR.
Block auto-downloads. Enable the download confirmation prompt and refuse install of applications outside the official store. That cuts most mobile malware.
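The first reflex, reading the URL before opening, can be made mechanical. The following is an added example (not code from the original article or from any QR platform) that takes the URL decoded from a scan and the domain the user expected, and explains why lookalikes such as the article's secure-payment-bank.com, a one-letter typo, or a brand name buried in another domain should not be opened; the sample URLs and the `bank.com` expected domain are illustrative.

```python
"""Defensive check for the URL decoded from a QR scan (added example)."""
import re
from urllib.parse import urlsplit


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to catch short typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_qr_url(decoded: str, expected_domain: str) -> list[str]:
    """Return the reasons a scanned URL looks wrong; [] means the host is the
    expected domain (or one of its subdomains) served over https."""
    reasons: list[str] = []
    raw = decoded.strip()
    if "://" not in raw:            # bare "bank.com/x": keep the host parsable
        raw = "//" + raw
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        reasons.append(f"scheme: {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        reasons.append(f"userinfo: text before '@' hides the real host {host!r}")
    if not host:
        reasons.append("host: none found")
        return reasons
    if host == expected or host.endswith("." + expected):
        return reasons              # exact match or legitimate subdomain
    reasons.append(f"host: {host!r} is not {expected!r} or a subdomain of it")
    brand = expected.split(".")[0]
    if brand in re.split(r"[.-]", host):  # secure-payment-bank.com, bank.com.evil.net
        reasons.append("lookalike: expected brand name embedded in another domain")
    distance = levenshtein(host, expected)
    if distance <= 2:                     # bamk.com, bank-com.net style typos
        reasons.append(f"typo: {distance} edit(s) away from {expected!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("idn: punycode label, check for homoglyphs")
    return reasons


if __name__ == "__main__":
    for url in ("https://bank.com/login", "https://secure-payment-bank.com/login",
                "http://bamk.com/", "https://bank.com.evil.net/"):
        print(url, "->", assess_qr_url(url, "bank.com") or ["looks legitimate"])
```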
How businesses protect their own campaigns
For a brand distributing QR codes on print, the risk is different: a fraudster can hijack your traffic by sticking a fraudulent sticker over your official QR. The visitor scans believing they are reaching you, lands on a knock-off page, and associates that bad experience with your brand.
Five concrete measures strongly reduce exposure.
Favor dynamic QR on a domain you control. If you detect a fraudulent campaign, you can flip the target to an alert page in two clicks without reprinting your materials. See Dynamic vs static QR code: how to choose for the technical detail.
Print QRs integrated into the design, not as added stickers. A QR that is part of the paper (or the enamel plate) is much harder to convincingly cover with a fake than one that is itself a removable sticker.
Add a visual authenticity marker: centered logo, "Scan our official QRs" frame, the reference URL printed in plain text under the code. A customer who sees the official URL can spot the scam when the URL displayed by their phone differs.
Monitor analytics on your dynamic QRs. A sudden drop in scans on a physical support can signal a fraudulent sticker diverting traffic. Conversely, a spike of scans outside the expected geographic zone is suspicious. A platform like RankQR shows the city and device of each scan in real time, allowing you to spot a hijack well before customer complaints reach you.
Train field teams (cashiers, hosts, servers) to visually inspect their QRs several times a day. Five seconds per item is a negligible operational cost compared to a reputation crisis.
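The two analytics signals described above (a sudden drop in scans on one placement, and scans arriving from outside its expected zone) can be checked automatically against a scan export. This is an added example, not RankQR's code or any platform's API; the scan records, placement ids, cities and thresholds are constructed for the demonstration.

```python
"""Anomaly checks over dynamic-QR scan analytics (added example)."""
from collections import Counter
from statistics import median

# Constructed export: (placement id, day, city of the scan).
SCANS = (
    [("menu-lyon-01", f"2026-03-0{d}", "Lyon") for d in range(1, 6) for _ in range(12)]
    + [("menu-lyon-01", "2026-03-06", "Lyon")] * 2           # day 6: traffic collapses
    + [("poster-paris-02", f"2026-03-0{d}", "Paris") for d in range(1, 6) for _ in range(8)]
    + [("poster-paris-02", "2026-03-06", "Paris")] * 3
    + [("poster-paris-02", "2026-03-06", "Elsewhere")] * 9  # day 6: scans from elsewhere
)
# Constructed: the cities each physical placement should be scanned from.
EXPECTED_ZONE = {"menu-lyon-01": {"Lyon", "Villeurbanne"}, "poster-paris-02": {"Paris"}}


def detect_anomalies(scans, expected_zone, drop_ratio=0.3, min_baseline=5,
                     out_of_zone_share=0.5):
    """Return (placement, kind, detail) alerts for the latest day of each placement.

    The baseline is the median daily count over the earlier days; placements
    averaging fewer than min_baseline scans/day are skipped to limit noise."""
    alerts = []
    per_day = Counter((p, d) for p, d, _ in scans)
    cities = Counter((p, d, c) for p, d, c in scans)
    for p in sorted({p for p, _, _ in scans}):
        days = sorted(d for (q, d) in per_day if q == p)
        if len(days) < 2:
            continue
        *earlier, latest = days
        baseline = median(per_day[(p, d)] for d in earlier)
        today = per_day[(p, latest)]
        if baseline < min_baseline:
            continue
        if today < drop_ratio * baseline:   # possible sticker diverting the traffic
            alerts.append((p, "drop", f"{today} scans on {latest} vs baseline {baseline:.0f}"))
        outside = sum(n for (q, d, c), n in cities.items()
                      if q == p and d == latest and c not in expected_zone.get(p, set()))
        if outside / today > out_of_zone_share:  # spike from the wrong geography
            alerts.append((p, "out_of_zone", f"{outside}/{today} scans on {latest} outside zone"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SCANS, EXPECTED_ZONE):
        print(alert)
```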
What to do if you scanned a malicious QR
Three steps, in this order.
- Stop any input in progress. Close the page without submitting the form. Do not validate a payment, do not confirm 2FA.
- Change the passwords of potentially affected accounts (bank, email, social media), from another device considered safe.
- Report the incident to your bank, the relevant authority (FTC in the US, ANSSI / Cybermalveillance in France, Action Fraud in the UK) and your IT security team if it happened on a work device.
If a download occurred, scan the phone with a recognized mobile antivirus and uninstall any application that appeared recently and is not identified.
Why a QR may suddenly stop working
Not to be confused with an attack: a QR can also stop working for mundane reasons. Expired redirect domain, cancelled platform subscription, target moved without redirect, physical sticker damage. Four causes cover 90% of cases, detailed in . The lifetime of a dynamic QR depends directly on the lifetime of its hosting subscription, covered in .
FAQ
What is quishing?
It is QR-code phishing. The attacker builds a QR pointing to a fraudulent page, distributes it on street furniture, in an email or by mail, and harvests credentials from victims who scan.
How do you tell if a QR code is malicious?
Check the URL displayed by the phone before opening the page. Any domain that does not exactly match the expected service, contains typos or resembles a suspicious variation should be treated as dangerous. A QR stuck as a sticker over another is also a strong signal.
Can a QR code install a virus on my phone?
Indirectly. The QR does not contain the virus itself but can redirect to a page that attempts a download. On Android, installation is possible if the user authorizes third-party sources. On iOS, the attack typically caps at credential theft via a fake page.
What to do if I scanned a suspicious QR code?
Immediately close the page, type nothing, change the passwords of affected accounts from another device, and report the incident to the relevant authority.
Can a business protect itself from a fraudulent QR pasted over its printed materials?
Yes, by favoring dynamic QR (to flip the target to an alert page), printing the QR integrated into the design rather than as a removable sticker, monitoring analytics, and training field teams to visually inspect their materials.
Conclusion
Quishing has become a mainstream technique, and the gap between an official QR and a fraudulent one is not always visible to the naked eye. On the user side, four reflexes suffice: read the URL, look for double-layer stickers, refuse credential prompts after an unsolicited scan, block auto-downloads. On the business side, switching to dynamic QR, integrating the QR into the printed design, monitoring analytics and training field teams cut the risk to a manageable level.
For neighboring technical questions: details the most common scam variants, and explains why a QR can go dark without any attack involved.