QR code phishing attacks (Quishing): What to know and how to stay secure

If you immediately think of email when you think of phishing, you’re not alone. However, a new form of text-based scam is making waves – highlighted by a seemingly legitimate text from the USPS which tells recipients that their “package” has arrived at the warehouse. To receive the package, it instructs users to click on a link and enter their information for delivery. 

This is just one of many examples of an attempt at a phishing attack – a kind of scam where attackers attempt to get users to reveal personal information – such as login credentials, credit card numbers or Social Security numbers – or to trick users into taking an action, such as downloading malware or sending money. Due to the relatively low cost and high success rate, phishing attacks are the most common way online accounts are breached today.

While most phishing attacks come by email, including deceptive links or attachments, others are sent by text message – like the one mentioned above – or even a telephone call. Phishing attacks can look like real emails, messages or websites from familiar brands; in fact, 44% of people think an email is ‘safe’ if it comes from a trusted brand. 

Now, another new kind of phishing attack is on the rise and it’s coming from an unexpected source: QR codes. 

What are QR codes and how are they used for phishing?

QR codes are a type of barcode displayed in a square-shaped grid that can be read by a camera, typically on a smartphone. QR codes can store plain text or links to download an app, access product information or a menu, send or receive a payment, join a Wi-Fi network, log into an account (e.g. loyalty program) or support mobile ticketing, just to name a few.

In 2022, 83.4 million US smartphone users scanned a QR code, a figure expected to reach 99.5 million in 2025. Unsurprisingly, as QR codes grow in popularity, they have become the latest ‘lure’ for phishing attacks as a way to take advantage of users becoming more comfortable using them. 

QR code phishing attacks, also known as “quishing,” leverage physical or digital QR codes to lure users to fake websites designed to steal sensitive information or to infiltrate a device and infect it with malware. 

As with other kinds of phishing, this kind of attack leverages trust—trust in the QR code itself as well as the brand attached to it. Further, many attacks rely on creating a sense of urgency around a supposed benefit (e.g. a contest) or a consequence of not taking action (e.g. a locked account). September 2023 saw a 51% increase in quishing attacks, compared to the cumulative figure for January through August 2023. Furthermore, malicious QR codes represented 9.5% of all QR codes scanned in September 2023. 

What does a QR-based phishing attack look like?

QR code phishing leverages a widely used technology that people have learned to ‘trust.’ Attackers either place new, malicious QR codes in physical locations that make them appear trustworthy, or send malicious QR codes as part of an email or text phishing attack. Let’s look at some examples: 

  1. Physical QR Code

A QR code is attached to the door of a bank. When scanned, the QR code asks the user to sign into their bank account to enter a contest to win $100 that would be automatically deposited into their bank account. The website appears to carry the bank’s branding.

However, this QR code is actually fraudulent and all the banking details entered can now be used for fraud.  

  2. Digital QR Code

The user receives an email from their favorite retailer that contains a QR code to sign up for a new loyalty program. When the user scans the code on their computer screen, they are prompted to enter their personal details, including name, address, username and password. 

This email, too, contains a fraudulent QR code and is a phishing attack; it works like every other form of phishing, just leveraging new technology. Those details can now be used to access the retailer website and any information stored there, including credit card details. If that password is re-used across other websites, which 39% of people admit doing, it could be used in other instances of fraud. Further, the personal information may be sold on the black market to be leveraged by others in future phishing attacks.

How can you protect yourself from QR code phishing attacks?

  1. Consider and verify the source is legitimate

While QR codes themselves cannot be hijacked, it is very easy to place a new and fraudulent QR code sticker over a legitimate one. QR codes that are sticker-based, unbranded or placed in unusual locations should be treated with caution. QR codes from an unfamiliar source should not be trusted. QR codes delivered by email should always be treated with extreme caution, with the exception of mobile tickets that are read by third parties (e.g. concert tickets). 

Whenever in doubt, ignore the “easy” way of responding to the QR code prompt and instead verify the QR code is legitimate by contacting the brand directly from their standard website, by calling customer service, or by asking an employee in person. 

  2. Be mindful of sharing personal information

Effectively safeguarding personal and financial information and placing trust in a website can be challenging to many people. In fact, about 32% of people are not confident they could spot a fraudulent or fake retailer website. 

As phishing attacks become harder to identify and use new lure tactics such as QR codes, be wary of websites that ask for personal information, login information or financial details. 

  3. Be mindful of payment methods 

While convenient, not all payment methods are protected equally. Avoid suspicious methods of payment, such as PayPal, Venmo or e-Transfer and avoid debit cards, which are not protected. Opt for a credit card with consumer protection for any purchases. Never disclose banking information or wire transfer funds as the result of a QR code interaction. 

  4. Enable strong, phishing-resistant MFA across your accounts 

Wherever possible, enable accounts to use multi-factor authentication (MFA) to make it harder for phishing attacks to succeed. While any form of MFA is better than just using a username and password, not all MFA is created equal. Look for a phishing-resistant MFA option such as device-bound passkeys – including hardware security keys like the YubiKey – to give advanced protection to online accounts. Security keys stop phishing attacks by requiring both something you know (a password) and something you have (the security key itself), which must be inserted into the device and physically touched before access to the account is granted.

For those sites that don’t yet support phishing-resistant methods, use a reputable password manager, such as 1Password, to generate strong, unique credentials per site and make logins easier between devices. 
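Tip 1 above boils down to one question: where does the code actually send you? The following is an added example (not code from this post or from Yubico) that triages the text a scanner app decodes from a QR code before anyone follows it; the brand domain allowlist and the sample payloads are constructed for illustration, and the domain helper is a deliberately simple heuristic.

```python
# Added example, not code from the Yubico post: triage the text a scanner app decodes
# from a QR code before anyone follows it. Brand domains and payloads are constructed.
from urllib.parse import urlsplit
import ipaddress

# Hypothetical allowlist: the registrable domains the brand actually uses.
EXPECTED_DOMAINS = {"examplebank.com", "example-retailer.com"}
# Link shorteners hide the real destination from the person scanning.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (assumption: .com-style hosts, no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage_qr_payload(payload: str) -> dict:
    """Return a verdict ('text', 'trusted' or 'suspicious') and the reasons behind it."""
    reasons = []
    parts = urlsplit(payload.strip())
    if not parts.scheme or not parts.netloc:
        # Plain text, Wi-Fi config, vCard and similar payloads are not links to follow.
        return {"verdict": "text", "reasons": ["payload is not a URL"]}
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"non-HTTPS scheme '{parts.scheme}'")
    if parts.username is not None:
        reasons.append("user@ prefix in URL can disguise the real host")
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
        reasons.append("bare IP address instead of a brand domain")
        return {"verdict": "suspicious", "reasons": reasons}
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN host (possible look-alike characters)")
    rd = registrable_domain(host)
    if rd in SHORTENERS:
        reasons.append("link shortener hides the final destination")
    elif rd not in EXPECTED_DOMAINS:
        # A brand name that appears only as a subdomain of an unrelated domain is the classic lure.
        if any(d.split(".")[0] in host for d in EXPECTED_DOMAINS):
            reasons.append(f"brand name used on unrelated domain '{rd}'")
        else:
            reasons.append(f"domain '{rd}' is not a known brand domain")
    return {"verdict": "suspicious" if reasons else "trusted", "reasons": reasons}
```

Run against the bank-door scenario, a code pointing at `https://login.examplebank.com/...` comes back trusted, while `http://examplebank.com.promo-win.net/...` is flagged for both the missing HTTPS and the brand name sitting on an unrelated domain.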

——

For more cybersecurity tips and best practices, check out our blog post featuring simple tips from Yubico’s security team on improving your security posture this year here.
