Learn how to protect yourself from quishing — phishing via QR codes. Read about new cyber fraud techniques and ways to avoid risk.
593 
In today’s digital world, QR codes have become an integral part of everyday life, from restaurant menus to parking fees. However, their growing popularity has attracted the attention of cybercriminals, who use this technology for phishing and identity theft. In this article, we analyze in detail real-life cases of QR code fraud, reveal the technical aspects of forgeries, and provide practical advice on how to protect yourself.
By 2025, QR codes have become a real tool for mass fraud. One careless scan and you risk losing money, exposing your smartphone to malware, or handing over personal data to attackers. Let’s find out how QR codes turned from a useful tool into a serious threat, how such attacks are technically organized, and what statistics say about their spread. Finally, we will consider practical tips that will help you recognize fake codes from real ones.
QR codes have long become an everyday part of our lives – like Wi-Fi or takeaway coffee. Are they convenient? No doubt. But are they safe? Here lies the real problem. A convenient tool for quick access to information has become a favorite weapon of scammers. Let’s consider the most common schemes with which attackers use fake QR codes to steal your money or personal data.
So, you’ve arrived in the city center, found a parking space, and are happily scanning the QR code on the parking meter. It’s convenient – no queues, everything is done via your phone. But you know what? This code may not be so legal. Fraudsters have long since adopted phishing through parking meters.
In Europe, this is a real problem. Here’s an example: in the Netherlands, the police are literally screaming (well, almost) about fake QR codes with the Easy Park logo. When scanning such a code, the user is taken to a site that asks for payment details.
A similar situation is observed in Luxembourg, where scammers are sticking stickers with fake QR codes on parking meters. These codes redirect users to fraudulent websites that imitate official services. The municipality recommends using only the official Indigo Neo app to pay for parking to avoid problems.
And in Dublin, a woman lost €1,000 by scanning a fake QR code on a parking meter. Such cases show how easy it is to become a victim of scammers if you do not check the source of the QR code. What is especially dangerous is that these fake codes are often placed in high-traffic areas, where people are in a hurry and pay less attention to details.
QR codes in restaurants are really convenient. No more old and dirty menus: point the camera and you’ll see a modern menu of dishes. However, scammers have already reached this point. Yes, the same ones who stick their fake codes directly on tables or doors of establishments.
Cybercriminals create fake QR codes that redirect users to fake websites or applications that look like official restaurant resources. On such fraudulent platforms, visitors can be asked to enter personal information, bank card details or even install malware on their smartphones.
A study found that more than half of restaurants in the U.S. have switched to QR codes for menus, but many are unaware of the dangers of using them, creating the perfect environment for fraudsters to replace legitimate codes with their own.
Analysts at Abnormal Security Corp. found that senior executives are 42 times more likely to receive phishing attacks via QR codes than average employees.
In addition, scammers have learned to integrate QR codes into colorful backgrounds or embed them in emails and Excel files with macro support. This approach makes it difficult for antivirus programs to detect threats. Attackers are constantly improving their methods, making attacks more sophisticated.
One popular scenario is the use of QR codes that redirect users to sites where they are offered to install supposedly updates for the browser or operating system. In reality, such “updates” contain malware that can steal data or give attackers access to the user’s device.
Barracuda researchers have discovered new methods of phishing (or phishing through QR codes) that can bypass traditional security systems. One such technique is to create QR codes from ASCII/Unicode text characters instead of standard static images. This makes it difficult to detect malicious links using optical character recognition (OCR).
Another worrying trend is the use of Blob URIs (Blob URIs). These URIs allow web developers to work with binary data, such as images or videos, directly in the browser, bypassing sending or receiving from an external server.
This allows fraudsters to create phishing pages that are completely self-contained and leave no trace on third-party servers. This makes them much more difficult to detect using traditional security methods. This makes phishing attacks even more stealthy and dangerous.
A particularly sophisticated scheme called Quishing 2.0 has emerged. It involves two QR codes:
The first (bad) leads to a legitimate SharePoint page associated with the compromised account. This page then redirects the user to a phishing page.
The second (clean) leads to an online QR code scanning service (e.g. me-qr.com) where an advertisement is displayed and then the user is redirected to the same SharePoint page.
This multi-layered scheme bypasses most security systems, as the “clean” QR code leads to a legitimate service, while the phishing page disguises itself as a trusted resource. This makes the attacks even more dangerous and difficult to detect.
The Egress team found that 12% of all phishing attacks from January to August 2024 involved QR codes, a 1,400% increase from 2021. Global spending on QR codes is expected to exceed $5.3 trillion by 2025. This creates a huge field for attackers, who are constantly improving their methods.
There was a significant increase in phishing attacks using QR codes in 2024, increasing by more than 270% per month. These figures suggest that QR codes are becoming a more attractive target for scammers, and users are becoming more likely to fall victim.
When it comes to protecting against QR codes, many users rely on traditional antivirus and security systems. However, these methods often prove powerless against new threats.
Однією з ключових проблем є те, що традиційні антивірусні програми не аналізують URL-адреси, на які ведуть QR-коди, до їх сканування. Зазвичай антивіруси працюють на основі сигнатур або аналізу поведінки, що дозволяє їм виявляти шкідливі файли чи програми безпосередньо на пристрої. Проте, коли справа доходить до QR-кодів, антивірус залишається “сліпим” до того моменту, поки користувач не перейде за посиланням.
За даними фахівців компанії Check Point у 2024 році, близько 70% користувачів навіть не підозрюють про можливі загрози під час сканування QR-кодів. Це пов’язано з тим, що антивірусні програми не можуть попередити про потенційну небезпеку до моменту відкриття посилання. Таким чином, користувач може опинитися на фішинговому сайті або завантажити шкідливий додаток, перш ніж система безпеки встигне відреагувати.
Ця вразливість особливо небезпечна через те, що зловмисники постійно вдосконалюють методи маскування своїх атак. Навіть якщо антивірус зреагує пізніше, шкода вже може бути завдана, і користувачі часто виявляють проблему лише постфактум.
One of the key problems is that traditional antivirus programs do not analyze the URLs that QR codes lead to before scanning them. Typically, antiviruses work based on signatures or behavioral analysis, which allows them to detect malicious files or programs directly on the device. However, when it comes to QR codes, antivirus remains “blind” until the user clicks on the link.
According to Check Point experts, in 2024, about 70% of users are not even aware of possible threats when scanning QR codes. This is due to the fact that antivirus programs cannot warn about potential dangers until the link is opened. Thus, the user may end up on a phishing site or download a malicious application before the security system has time to react.
This vulnerability is especially dangerous because attackers are constantly improving methods to disguise their attacks. Even if the antivirus reacts later, the damage may already be done, and users often discover the problem only after the fact.
Modern cybercriminals have learned to skillfully disguise their malicious sites as legitimate resources, making their detection difficult even for experienced users.
Using HTTPS. Many phishing sites today use HTTPS, which creates a false sense of security for users. The browser displays a green lock next to the URL, making users think that the site is secure. However, according to PhishLabs, in 2024, more than 30% of phishing sites used HTTPS, misleading users.
Hiding the real URL. A common cloaking method is the use of URL shorteners, such as bit.ly or tinyurl.com. This allows you to hide the actual address of the site by displaying a short and supposedly safe link. The user follows such a link and ends up on a malicious resource. According to a study by Barracuda Networks, in 2024, 40% of phishing attacks used shortened URLs.
Impersonating well-known brands. Cybercriminals often create phishing pages that look like the sites of popular brands or services, such as banks or online stores. They copy the design and structure of the original to trick users into entering sensitive data. For example, during an attack on one of the major European banks, over 100 fake sites were created with identical design and functionality, making them difficult to recognize.
Cybercriminals create websites that mimic the pages of well-known brands or services, such as banks or popular online stores. They copy the design and content of legitimate sites to trick users into entering their personal information. For example, during an attack on customers of one of the major banks in Europe, more than 100 fake sites with identical design and functionality were created. This disguise makes phishing sites almost indistinguishable from real ones, especially to inexperienced users.
Another reason for the ineffectiveness of traditional protection methods is the lack of awareness among users about the risks of using QR codes. Most people are unaware of the potential threats when using QR codes and do not understand the importance of checking sources before scanning. A study by the Cybersecurity & Infrastructure Security Agency (CISA) showed that only 25% of respondents are aware of the risks of using QR codes.
In addition, users often scan QR codes without proper verification or thinking about where they might lead. This creates a favorable environment for attackers who can easily manipulate gullible people. For example, many people scan codes on street ads without thinking about who placed them and what consequences this may have.
The only way to completely protect yourself from fraud is to not use QR codes. But we understand that this is almost impossible, because they have become an integral part of modern life. Therefore, it is worth considering additional digital hygiene measures.
If a QR code comes from an unknown sender or is placed in a public place without a clear context, it is better to ignore it. For example, fake codes on parking meters, in the subway or on advertising posters may look completely harmless, but in fact redirect to pages where your data will be at risk. Although the placement of ads and advertisements in public places is usually monitored by certain services, for example, there may be stickers with a unique number on advertising posters, this does not guarantee safety.
It is better not to trust codes that seem suspicious: for example, if they are placed in places with high traffic or pasted over original elements. If something raises doubts, it is better to refrain from scanning.
Modern smartphones have tools for safely scanning QR codes. For example, Google Lens allows you to first view the content of the code before opening the link. It recognizes the code and provides information about it, which helps you avoid going to a potentially dangerous site. If the URL contains suspicious characters or an unfamiliar domain, Google Lens will warn you about it. This is a simple but effective way to protect yourself from fraud.
On Apple devices, the built-in Safe Browsing feature automatically checks URLs for threats. If you use Safari, the system will warn you about dangerous sites before you reach them. This is especially useful if you accidentally scan a fake QR code. It’s an easy way to protect yourself from phishing sites and other threats.
When you point your iPhone camera at a QR code, you will see a link. This is also not a panacea, especially considering that many people do not look at the link at all, but simply click on it. At the very least, shortened links should raise some doubts about the safety of clicking on them.
Many modern applications provide a preview of the link after scanning a QR code. This is a useful feature, as it allows you to evaluate the address before proceeding. Always pay attention to spelling errors or unusual domain names. For example, if you see an address like bank-safety.com instead of the official bank.com, this is a clear sign of fraud.
If you have doubts about the safety of a link, use online scanners such as VirusTotal or URLVoid. These services allow you to analyze the link for malicious content and warn about possible threats. Taking a few minutes to check is much safer than risking losing confidential data or money.
Let’s end the article with a little experiment! Take a look at these two QR codes below. One of them leads to the official Selectel website, and the other is designed to demonstrate potential threats. But don’t rush to scan them!
When we see two QR codes side by side, we can notice some visual differences. But the image only gives an approximate estimate of the link length, which makes such verification unreliable. This is why scammers are so successful at using QR codes – they seem completely safe until it’s too late.
Try to verify these codes yourself using the methods described above. Or you can take a risk and scan the one that seems more reliable.
However, remember: in real life, this approach can lead to serious consequences. Always remain vigilant, because caution is your best defense against cyber threats.
QR codes, once a convenient tool for quick access to information, have now become a powerful weapon in the hands of cybercriminals. Fraudsters use them to steal data, infect devices with malware, and trick users by creating fake websites and replacing legitimate codes with fake ones.
The main problem is that most users are unaware of the potential dangers when scanning QR codes. Modern fraud methods are so sophisticated that even experienced users can fall victim to them. HTTPS, shortened links, and imitation of well-known brands all make phishing attacks even more invisible.
To protect yourself, it is important to practice digital hygiene: check URLs before clicking, use programs with link previews, and be careful with QR codes in public places. Don’t rely on antivirus software alone, as they may not always detect threats during the scanning process.
The main rule is to be critical of any QR code, especially if its origin is questionable. Attentiveness and caution are your best allies in the fight against cybercriminals.
593 
463 
962