Quishing is QR code phishing, a scam that hides a malicious link inside one of those square black and white codes you scan with your phone. The trick works because a QR code gives you nothing to read. You point your camera, a link appears for half a second, and you tap before your brain has a chance to ask where it goes. This post explains how QR code phishing works, what happens after you scan, and how to check a code before you trust it.
Why QR codes slip past your phishing instincts
Most people have learned to read a link before clicking it. You hover over the text, you check the domain, you notice that paypa1-support.com is not paypal.com. A QR code removes that whole step. The destination is encoded as pixels, not text, so there is nothing to inspect with your eyes.
Phones make this worse in a small way. The link preview that pops up after a scan is short, it disappears fast, and it often shows a shortened URL like bit.ly/xY3k9 that hides the real domain. You are also usually scanning in a hurry, standing at a parking meter or a restaurant table, holding your phone with one hand. That mix of no text to read, a tiny preview, and a rushed moment is exactly what an attacker wants.
Where attackers hide a malicious QR code
The code itself is cheap to make and easy to place. A few patterns show up again and again in QR code phishing:
- Stickers over real codes. A parking meter or an electric scooter has a legitimate QR code for payment. An attacker prints a sticker with their own code and presses it right on top. You scan what looks like the official code and land on their page instead.
- Flyers and posters. A flyer for a fake parking refund, a charity drive, or a free coffee promo gets taped to a lamppost. The whole flyer exists only to get you to scan.
- Emails and PDFs. A message claims your account needs reverification and tells you to scan a code with your phone to confirm. Routing you to a personal phone moves you off the corporate laptop and its filters.
- Fake invoices and packages. A code printed on a delivery slip or a parking ticket promises a fast way to pay a small fee.
Notice the common thread. The code is placed where scanning feels normal and where a small payment or a quick login seems reasonable.
What happens after you scan
A QR code is just a way to open a link. The danger is the page on the other side. There are three endings that show up most often.
The lookalike login page
You scan a code that claims to be your bank or your email provider. The page that loads looks right, with the correct logo and colors, but the address is wrong. Imagine scanning a code on a fake notice and landing on:
https://secure-acme-bank.account-verify.co/login
The real bank lives at acmebank.com. The lookalike puts the brand name in front of a domain the attacker owns, account-verify.co. Anything you type there, your username, your password, the one time code from your text messages, goes straight to them.
The payment scam
This is common on parking meters and fake invoices. The page asks for a small, believable amount, maybe a parking fee. You enter your card number to pay it. The charge is real, but it goes to the attacker, and now they hold your full card details for later.
The app or profile install
Some codes push you to install an app from outside the official store, or to add a configuration profile that changes your phone settings. Approve that and the attacker gains a foothold on the device itself, not just one account.
A QR code is a link you cannot read. Treat every scan the way you would treat clicking a link from a stranger, because that is exactly what it is.
How to check a QR code before you act
You do not need special tools. You need to slow down for five seconds and look at the right things.
- Read the preview URL before tapping. Most phones show the link first. Look at the domain, the part right before the first single slash. In
https://secure-acme-bank.account-verify.co/loginthe real domain isaccount-verify.co, not the bank. The brand words on the left mean nothing. - Be suspicious of link shorteners. A bare
bit.lyortinyurllink on a physical sign hides where you are going. A real business usually links to its own domain. - Check the sticker. On a meter or a poster, look for a code that is a sticker sitting on top of printed artwork, with edges peeling or colors that do not match. If it looks added on, do not scan it.
- Never enter a password reached only by a scan. If a code sends you to a login page, stop. Open the app or type the known web address yourself instead.
- Pay through the official app, not the code. For parking, use the operator’s own app or the phone number printed by the city. Skip the convenient square.
A quick way to read any URL
When you see a long link, find the first single / after the https:// part. The domain is the chunk just to the left of it. Read that chunk from right to left. The last two labels, like account-verify.co, are who actually owns the page. Everything before that, including a familiar brand name, can be set to anything the attacker wants.
How quishing fits the wider scam picture
Quishing is one delivery method in a larger toolkit. The goal is almost always the same: get a credential, a card number, or a code that unlocks an account. Once an attacker has a foothold, they can chain it into something bigger, like a SIM swapping attack that hijacks the text messages your accounts rely on for recovery. Physical access tricks rhyme with this too. The same instinct that makes you scan a stranger’s QR code is the one that makes you plug into a stranger’s USB port, which is the heart of juice jacking. The defense is the same in every case. Treat anything offered to you, a code, a cable, a text, as untrusted until you have a reason to trust it.
The pattern under all of these is the gap between what a system shows you and what it actually does. A QR code shows a clean square and does whatever its hidden link says. Closing that gap means checking the real destination before you act, every time. That habit of testing the thing instead of trusting the surface is exactly what we care about at UnboundCompute. If that idea is interesting to you, you can read more on our about page.
Frequently asked questions
What is quishing?
Quishing is QR code phishing. An attacker hides a malicious link inside a QR code, then places it on a flyer, a parking meter, an email, or a sticker pasted over a real code. When you scan it, your phone opens a lookalike page that tries to steal a login, a payment, or trust.
Why do QR codes slip past normal phishing instincts?
A QR code hides its destination. With a normal link you can read the address before you tap, but a square of dots shows nothing until your phone has already opened it. That gap is what quishing relies on, since people scan first and check later.
How do I check a QR code before acting on it?
Let your camera show the link preview and read the full address before you open it. Watch for odd spellings, extra words, or a domain that does not match the brand. If a code asks you to log in or pay, go to the site directly in your browser instead of trusting the code.
Where do attackers place malicious QR codes?
Common spots are stickers placed over real codes on parking meters and posters, codes inside phishing emails that dodge link filters, and fake parking or delivery notices. The physical version works because a sticker on public signage looks official.
What should I do if I scanned a quishing code?
If you only opened the page, close it and do nothing more. If you entered a password, change it right away and turn on app based two factor. If you entered card details, call your bank to freeze the card and watch for charges you did not make.
Put an autonomous researcher on your own systems
UnboundCompute is an autonomous security researcher that reasons about how an application fits together and proves the access control and injection bugs it finds. We are opening a small number of founding design partner seats: private early access pointed at a staging target you choose, a say in what it looks for, and founding pricing. If your team ships software worth pressure testing, apply to the design partner program.
