
    Quishing: What you need to know to keep yourself safe from QR code scams in 2025

    January 3, 2025 · 7 min read

    Cybersecurity

    Quishing is the latest tool cybercriminals are deploying to steal data, personal information, money and anything else they can get their hands on. 

    Imagine this: 

    You sit down at a restaurant for a nice meal. The restaurant changes their offerings so often that they’ve abandoned printed menus, so now you need to scan a QR code to review the menu on their website. You scan the code and wind up on their website—or is it? Turns out someone has affixed a QR sticker perfectly over top of the original, leading you to a spoofed page in the hopes of stealing your information. This is a QR code phishing scam, commonly referred to as a quishing attack, and they are becoming a lot more common. 

    TeamPassword makes it easy to keep your accounts safe from cybercriminals. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.


      What is quishing? 

      Here is a simple definition of quishing:

      Quishing definition: Quishing, for QR codes + phishing, is a cybersecurity attack that uses QR codes to trick individuals into landing on spoofed versions of the websites they are expecting.

      Simply put, quishing is the latest version of phishing. As a refresher, here’s the progression of attack vectors from email through phone calls and text messages and now to QR codes:

      • Phishing uses emails to guide people towards spoofed homepages to steal data.

      • Vishing, for voice + phishing, uses the phone with a similar goal in mind—to get the person to divulge personal or corporate information that can be used in further cyberattacks.

      • Smishing takes advantage of the poor spam protection in place for SMS messaging to use text messages as the attack vector.

      • Quishing utilizes QR codes as part of a phishing campaign. As such, quishing can be combined with smishing or traditional email phishing campaigns, or used on its own with QR code stickers in the real world.

      Quishing tactics

      Phishing, smishing and vishing attacks typically attempt to either entice you to click a link with the promise of a reward or scare you into clicking with the warning of some major financial loss. 

      This is somewhat different from quishing attacks, which can be considered more of a trick or disguised link. Instead of convincing you to click on a link with a reward promise or a threat, quishing utilizes QR codes that lead to seemingly legitimate websites. 

      This is done in two main ways:

      Online quishing attacks

      Online quishing attacks largely take place in email and SMS messages, but quishing can also occur anywhere QR codes are commonly displayed, including social media, advertisements, and other websites. 

      The typical approach is to fool someone into scanning the QR code by making an email or advertisement look legitimate. Then, the linked website leads to a spoofed version of a legitimate site where a user may accidentally divulge important information.

      QR stickers

      Quishing attacks often begin with a technology that has been around for almost 100 years: stickers. These tactics are particularly devious because they catch people when they aren’t paying attention and are using a device that makes some of the first-line defenses difficult to apply.

      Imagine you are waiting in line at an airport and need to fill out a form upon arrival that states you’ve had no flu-like symptoms in the last 14 days. These are digital forms that can be accessed by scanning a QR code on a poster in the tunnel as you leave the airplane. 

      You are tired, in a rush, a little confused because you are landing in a new country, and possibly distracted by your children who are also tired and excited. This is the perfect opportunity for a criminal to utilize a QR code attack vector. 

      The criminals affix their sticker over the QR code on one of the posters, leading some people to land, unbeknownst to them, on a spoofed version of the government page, where they will then input sensitive data such as their name, address, email address, phone number, birth date, and passport number and expiration date.

      Quishing examples

      Here are some quishing examples:

      1. Microsoft authenticator app quishing

      2. Railway station QR code scam

      3. Restaurant app quishing scam

      Microsoft authenticator app quishing

      In 2023, Washington University in St. Louis reported that emails made to look like Microsoft Authenticator app emails had been sent to students. If a student scanned the QR code, they were taken to what looked like the university’s login page. Any information entered there would be captured by the cybercriminals, who could then use it for nefarious purposes.

      This is a common example of an online quishing attempt.

      Railway station QR code scam

      A woman in the UK lost £13,000 when she scanned a QR code at her local railway station. The quishers covered up the legitimate QR code on a poster with one leading to a spoofed site. The victim then filled out information as normal, leading to cybercriminals stealing her funds.

      This is a common QR sticker scam. 

      Restaurant app quishing scam

      Some quishing scams are even more convoluted and long term. Instead of simply sending a person to a spoofed page, they might try to get more information over a longer period. In one example, spoofed QR codes led victims to download what appeared to be a restaurant’s app. Instead, it was a facsimile that asked for permission to use the phone’s camera, microphone, and keyboard, both while the app was in use and otherwise.

      The hackers then used the phone to spy on the user to gather information about their banking details so they could drain their accounts. 

      How do you prevent quishing attacks? 

      Foremost, everyone needs to be skeptical all the time. While it can be exhausting living your life with your guard up, the sad reality is that hackers are using more and more sophisticated means to steal your data. If you become complacent, then it is only a matter of time before someone tricks you. 

      This is especially true for businesses, which need to create a culture of security to keep employees and the company safe.

      Hackers often target you when you least suspect it. If you see a QR code in a restaurant to fill out a survey for a free dessert, to view their menu, or to download their loyalty app, confirm that these are legitimate with an employee and check to make sure that the QR code isn’t a sticker covering the real one. 

      When you scan a QR code, check the legitimacy of the web address. Similar to other phishing and vishing attacks, it’s usually pretty easy to find discrepancies from the real site’s URL. Scammers tend to register poor lookalike domains (e.g., chase.com versus chase-banking-online.com) because they are cheaper to purchase than ones that are more similar. If you aren’t sure, use Google to navigate to the legitimate page.
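The web address check described above can be automated for links decoded from QR codes. The following is an added example, not code from TeamPassword or the original article; the allowlist, warning labels, and sample links are constructed assumptions, and it goes slightly beyond the article's one lookalike case by also flagging non-HTTPS links, text before an "@", IP-address hosts, and punycode labels.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (an assumption): brand keyword -> domain you expect.
EXPECTED = {"chase": "chase.com"}

def check_scanned_url(url, expected=EXPECTED):
    """Return warnings for a URL decoded from a QR code; [] means the host
    is an expected domain (or a subdomain of one) reached over HTTPS."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # "https://chase.com@other.example/": text before "@" is not the host.
        warnings.append("userinfo-in-url")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return warnings + ["ip-literal-host"]
    except ValueError:
        pass  # not an IP address, so treat it as a DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")  # may render as look-alike characters
    # Legitimate only if the host IS the expected domain or ends with ".<domain>".
    if any(host == d or host.endswith("." + d) for d in expected.values()):
        return warnings
    for brand, domain in expected.items():
        if brand in host:  # brand name embedded in some other domain
            return warnings + [f"lookalike-of:{domain}"]
    return warnings + ["unknown-domain"]

if __name__ == "__main__":
    samples = [  # constructed sample links, as a QR scanner would decode them
        "https://www.chase.com/menu",
        "https://chase-banking-online.com/login",
        "https://chase.com.secure-login.example/",
        "https://chase.com@203.0.113.7/",
        "http://chase.com/",
    ]
    for s in samples:
        print(s, "->", check_scanned_url(s) or "ok")
```

The comparison is made against the end of the hostname, which is why a link that merely starts with or contains the brand name is still flagged.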

      Remember that you can and should safely ignore emails if they are unexpected. A Microsoft Authenticator email should only appear when you’ve requested it immediately beforehand. If you didn’t ask for the email, then it is fake, so don’t click on any of the links or scan any QR codes therein!

      Along with general training around being skeptical, businesses can equip their employees with the tools needed to enhance their cybersecurity. A password manager that generates and stores a unique, strong, and random password for each account is the first cybersecurity solution every business or individual should implement. 

      Use TeamPassword to prevent quishing attacks

      TeamPassword stores all of your usernames and passwords securely. While spoofed websites might fool an individual who is distracted or not trained to look, they won’t prompt your password manager to fill in your protected details.

      Furthermore, by creating and securely storing unique, random, and strong passwords for each account, one mistake will never multiply into hackers having all of your credentials. Even if a quisher gains access to your coffee shop loyalty account, the worst they can do is steal your next free coffee and not your bank balance.

      TeamPassword can protect your important accounts from quishers. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.
