Quishing is a variation of classic phishing — but it uses QR Codes instead of fake links in emails. The scammer prints or pastes a malicious QR Code over the original and waits for you to scan it without thinking. The victim is redirected to a fake page for payment, login, or app installation.

Why has it grown so much? Because QR Codes have become a habit: restaurant menus, parking lots, bank slips, bus stops. That habit was the fertile ground scammers needed. According to 2024 and 2025 reports, quishing attacks have increased by more than 300% in two years — and most people still don't know the scam exists.


🔍 How the scam works

Quishing has three simple steps:

  1. QR Code replacement. The criminal prints a sticker with a fake QR and pastes it over the original — on parking meters, paper menus, printed bank slips, or even campaign posters.
  2. Invisible redirect. You scan it, your phone opens a URL. The page looks identical to the bank, parking service, or original service.
  3. Data collection or payment theft. You enter your ID number, password, or make a payment thinking you are paying the correct service. The money goes to the scammer's account.

Where attacks happen most

  • Parking meters and pay-and-display spots
  • Restaurant tables (menu/payment QR)
  • Physical bank slips with QR printed by third parties
  • Electric vehicle charging stations
  • "Download our app" posters in physical locations

The cruel detail: phones show a very small URL and many people don't read it before clicking "Continue".


🛡️ How to protect yourself

Follow these practices before scanning any QR Code:

Check the URL before acting

After scanning, read the full address before opening it. Domains like bank-secure.app or pix-payment.link are not official websites. Always verify the domain matches the company's known official address.
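The same check expressed as code, as an added example that is not part of the original article: it compares the host of a scanned URL against a list of known official domains. The allowlist and the `bank.example` / `parking.example` names are assumptions for illustration; the two look-alike domains are the ones mentioned above.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the official domains you already know (hypothetical names).
OFFICIAL_DOMAINS = {"bank.example", "parking.example"}

def check_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return (ok, reason) for a URL decoded from a QR Code."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "URL cannot be parsed"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    host = (parts.hostname or "").rstrip(".")  # lower-cased, port removed
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # In https://bank.example@other.tld/ the real host is other.tld
        return False, f"text before '@' hides the real host {host!r}"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, f"host {host!r} uses non-ASCII or punycode look-alike labels"
    for domain in official:
        # Exact match or a true subdomain; a shared prefix is not enough
        if host == domain or host.endswith("." + domain):
            return True, f"host {host!r} belongs to {domain!r}"
    return False, f"host {host!r} is not an official domain"

# Constructed sample URLs, as a QR reader would decode them
SAMPLES = [
    "https://login.bank.example/pix",
    "https://bank-secure.app/login",
    "https://bank.example.pix-payment.link/pay",
    "https://bank.example@bank-secure.app/",
    "http://bank.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_qr_url(sample)
        print("OK  " if ok else "STOP", sample, "->", reason)
```

The third and fourth samples show why the whole address has to be read: the official name appears in the URL, but it is not the host the phone connects to.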

Be suspicious of payments via QR Codes of dubious origin

  • Never pay via a QR Code printed on a loose piece of paper or received via WhatsApp or email.
  • If the QR came from a parking lot, check that the sticker is intact — no bubbles, scratches, or overlays.
  • Prefer to generate your own payment QR from within your bank app.

Don't download apps via an unknown QR Code

Posters saying "Download our app, scan here" are perfect attack vectors. Prefer searching for the app directly in the Google Play Store or App Store by typing the company name.

Physically check the sticker

On parking meters and restaurant tables, try lifting the corner of the sticker. A legitimate QR Code is usually printed directly on the equipment or on an official stand. A sticker on top of another sticker is a warning sign.

Use the link preview

Most Android and iOS camera apps show the URL before opening it. Never skip that screen — it is your first line of defense.

Also read "Is QR Code safe? What you need to know" to understand the general risks of using QR Codes in everyday life.


🏢 For businesses

If you use QR Codes at your physical locations, the responsibility to protect your customers is also yours.

Use dynamic QR Codes

Dynamic QR Codes let you change the destination without reprinting the code. This means that if someone pastes a fake QR over yours, you can immediately deactivate or redirect the original — and track access.

With the Code2Scan dynamic QR Code generator you control the destination URL, monitor scans by date, time, and location, and detect abnormal access spikes that may indicate your QR has been cloned.

Monitor scans

A legitimate restaurant QR Code has a usage pattern: lunch and dinner, weekdays and weekends. If you notice scans at 3 a.m. or from different cities, something is wrong. Use the analytics dashboard to detect anomalies.
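A sketch of that check over an exported scan log, as an added example that is not Code2Scan's code or API: it flags scans outside business hours or from an unexpected city, and hours whose volume is far above the median. The record format, business hours, city names and spike factor are assumptions, and the scan data is constructed.

```python
from collections import Counter
from datetime import datetime, time
from statistics import median

OPEN, CLOSE = time(11, 0), time(23, 0)  # assumed business hours (local time)
HOME_CITIES = {"Lisbon"}                # assumed city of the venue

def _mk(day, hour, n, city="Lisbon"):
    """Build n constructed scan records: (ISO local timestamp, geo-IP city)."""
    return [(f"2025-03-{day:02d}T{hour:02d}:{m:02d}:00", city) for m in range(n)]

# Constructed export: normal lunch/dinner traffic, two night scans, one burst
SCANS = (_mk(10, 12, 4) + _mk(10, 13, 5) + _mk(10, 20, 4) + _mk(11, 12, 5)
         + _mk(11, 3, 2, "Porto") + _mk(11, 20, 18))

def flag_scans(scans, open_=OPEN, close=CLOSE, home=HOME_CITIES):
    """Return scans that break the expected time-of-day or location pattern."""
    flagged = []
    for ts, city in scans:
        when = datetime.fromisoformat(ts)
        reasons = []
        if not (open_ <= when.time() < close):
            reasons.append("outside business hours")
        if city not in home:
            reasons.append("unexpected city")
        if reasons:
            flagged.append((ts, city, reasons))
    return flagged

def hourly_spikes(scans, factor=3):
    """Return {hour: count} for hours above factor x the median hourly count."""
    per_hour = Counter(ts[:13] for ts, _ in scans)  # key like '2025-03-11T20'
    baseline = median(per_hour.values())
    return {hour: n for hour, n in per_hour.items() if n > factor * baseline}

if __name__ == "__main__":
    for ts, city, reasons in flag_scans(SCANS):
        print(ts, city, ", ".join(reasons))
    print("spikes:", hourly_spikes(SCANS))
```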

See how to set up a conditional redirect to block access outside business hours.

Protect with a password when necessary

For restricted-access QR Codes — internal documents, HR forms, intranet links — use a password-protected QR Code. That way, even if someone scans it, they cannot access the content without the credential.

Use original and sealed materials

  • Print QR Codes on durable or laminated paper.
  • Use stands with fixed edges or screws — harder to overlay.
  • Physically inspect your QR Codes at each point of sale every week.
  • Consider including your company logo in the center of the QR — any substitution becomes visually noticeable.

❌ Common mistakes that make the scam easier

  • Scanning without reading the URL — the most frequent mistake. The preview exists; use it.
  • Trusting the page's appearance — fake pages are near-perfect copies.
  • Thinking "this won't happen here" — quishing attacks are growing globally.
  • Not updating the camera app — older versions may open the URL directly, without a preview.
  • Sharing QR Code photos via WhatsApp — the recipient doesn't know where the original came from.
  • Businesses that don't monitor their own QRs — without analytics, you don't know if your code has been compromised.

Also avoid the common QR Code mistakes that compromise the experience and security of your customers.


📋 Summary

  1. Quishing = phishing via a fake QR Code pasted over the original.
  2. The scam happens at parking meters, restaurants, bank slips, and posters.
  3. Before acting, read the full URL shown on your phone.
  4. Never make payments via a QR Code of unknown origin.
  5. Don't download apps via a QR Code — use the official store.
  6. Physically check for overlaid stickers.
  7. Businesses should use dynamic QR Codes with monitoring to detect attacks.
  8. Protect sensitive content with a password-protected QR Code.

Create dynamic QR Codes you control — monitor scans in real time, change destinations without reprinting, and protect your customers against quishing with Code2Scan.

Or, if you need a simple and quick QR, use our free QR Code generator.