Quishing (QR Phishing): The Hidden Danger Behind a Scan
From restaurant menus to parking meters and billboards, QR codes are everywhere. They are incredibly convenient, but this convenience has created a new, stealthy attack surface: Quishing (QR Phishing).
Unlike a text link where you can read the URL before clicking, a QR code is unreadable to the human eye. You don’t know where it will take you until you scan it, and therein lies the danger.
How does a Quishing attack work?
The most common, and surprisingly simple, method involves placing fake stickers over legitimate QR codes.
Imagine arriving at a parking meter to pay for your spot. You scan the QR code printed on the machine, enter your credit card details, and walk away feeling secure. What you didn’t know is that a scammer pasted their own QR code over the original one, sending you to a fake website that cloned the official portal.
You just handed your card details to a criminal.
Where do scammers attack the most?
- Parking meters and EV charging stations: Where users expect to make a quick payment.
- Restaurant menus: Inserting fake codes on tables to steal credit card data.
- Emails (MFA Bypassing): Sending fake corporate emails asking employees to “scan the code to update their security settings.” Because the link is embedded in an image rather than written as text, it slips past the company’s anti-spam filters.
How to protect yourself from Quishing
- Physical inspection: Before scanning a code in a public place, run your finger over it. If it feels like a sticker placed over the original material, don’t scan it.
- Review the URL: When you scan a QR code, your phone will show you a preview of the web address before opening it. Read it carefully. If it looks suspicious or doesn’t match the business you are in, don’t open it.
- Don’t download apps via QR: Unless you are absolutely certain of the source, search for the app directly in the App Store or Google Play.
Golden Rule: Technology makes life easier, but manual verification keeps it secure. Use CheckLink.io to verify any suspicious link a QR code directs you to before entering your data.
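As an added illustration of the “Review the URL” advice above (this is example code, not part of the original article or of CheckLink.io), here is a small Python check of the kind a scanner app or a security team could run over the text decoded from a QR code. It assumes the QR payload has already been decoded to a string and that you know which domain the business legitimately uses; the sample payloads and domains are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit


def vet_qr_url(payload: str, expected_domain: str) -> list:
    """Return warning strings for a decoded QR payload; an empty list means nothing was flagged.

    expected_domain is the domain the business is known to use (constructed input for the example).
    """
    flags = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # Anything that is not a plain web link (app-store, tel, intent, ...) should not be opened blindly.
    if scheme not in ("http", "https"):
        return [f"non-web scheme '{scheme or 'none'}': do not open"]
    if scheme != "https":
        flags.append("plain http: no transport protection")

    # 'https://bank.example@evil.test/' shows the brand first but actually goes to evil.test.
    if parts.username or parts.password:
        flags.append("credentials embedded before '@': host may be disguised")

    host = (parts.hostname or "").lower()
    if not host:
        return flags + ["no hostname"]

    # A bare IP address instead of a domain name is unusual for a legitimate payment portal.
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # Internationalised labels can render as look-alikes of the real brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: possible look-alike characters")

    # The host must be the expected domain or a subdomain of it; 'example.org.evil.test' is neither.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        flags.append(f"host '{host}' is not {expected} or a subdomain of it")
        if expected.split(".")[0] in host:
            flags.append("brand name appears inside an unrelated domain")

    try:
        if parts.port not in (None, 80, 443):
            flags.append(f"unusual port {parts.port}")
    except ValueError:
        flags.append("malformed port")
    return flags
```

Run the function over each decoded payload before opening it; a non-empty result is a reason to stop and verify through another channel.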