QR codes went from a curiosity to infrastructure almost overnight. Pandemic-era contactless menus made them ubiquitous in restaurants. Parking meters use them. Event tickets are QR codes. Marketing campaigns, product packaging, healthcare forms: you scan QR codes dozens of times a month now without thinking about it.
Attackers noticed. A technique called quishing (QR code phishing) has grown significantly as a result. The FBI issued warnings about it in 2022 and 2023. Reported incidents have continued to climb since.
What quishing is
A QR code is just a visual encoding of a short string of text, almost always a URL. When you scan it, your phone opens that URL. At best you get a small, often truncated preview of the link before the browser opens it, and most people tap through without reading it. That is the attack surface: the code itself tells you nothing about where it leads.
In a quishing attack, an attacker replaces or overlays a legitimate QR code with one pointing to a malicious URL. The malicious site typically looks identical to the legitimate destination — a bank login page, a parking payment portal, a package delivery confirmation screen — and asks for credentials or payment information.
Where it happens in the real world
Quishing attacks show up in several patterns:
- Physical sticker attacks. Attackers print QR code stickers and place them over legitimate codes on parking meters, restaurant tables, public notice boards, or anywhere QR codes are expected. The sticker looks identical to a real QR code from a distance.
- Email phishing with QR codes. An email arrives claiming to be from your bank, HR department, or a delivery company, with a QR code to “verify your account” or “confirm your delivery.” The code leads to a credential-harvesting site. Because the link is inside an image, email filters that scan or rewrite URLs never see it, and scanning moves the victim from a managed work laptop to a personal phone that sits outside most corporate protections.
- Fake charging stations and payment terminals. Physical payment kiosks in some regions have been compromised with overlay QR codes that redirect payments.
- Shared documents and PDFs. QR codes embedded in PDFs, presentations, or shared documents, often routed through a URL shortener so the final destination cannot be read from the code itself.
How to protect yourself
The good news is that the protective habits are straightforward once you know what to look for:
- Preview the URL before opening it. Most smartphone cameras show you the URL a QR code points to before you tap to open it. Read the domain carefully, and read the right part of it: the registrable domain is the last part before the first slash, not the beginning of the address. Attackers put the familiar name at the start, as a subdomain of a site they control, because that is where the eye stops. A QR code on a parking meter for a city council service should go to a recognisable official domain, not a URL shortener or an unfamiliar string of characters.
- Check for physical tampering. If a QR code at a business is on a sticker rather than printed directly on the material, be cautious. Lift a corner slightly to see if there’s a legitimate code underneath.
- Be suspicious of urgency. QR codes in emails that demand immediate action — “your account will be suspended,” “verify now,” “your parcel is held” — follow the same pattern as conventional phishing. Legitimate services don’t require immediate scanning of a code to avoid account suspension.
- Type the URL manually for sensitive transactions. If a QR code is asking you to log in or pay, close the scanned page and navigate directly to the organisation’s website by typing an address you already know. That takes the QR code out of the chain entirely; the worst a spoofed code can then do is cost you a few keystrokes.
- Use a QR scanner that shows the URL first. Some third-party QR scanner apps show you the full destination URL and ask for confirmation before opening it. This adds a layer of review before any redirect happens.
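The “read the domain carefully” advice above is easy to state and hard to do by eye, so here it is as code. This is an added example written for this article, not code from the article or from any scanner app. It takes the text a scanner decodes from a QR code and applies the checks a careful person would make before tapping: registrable domain rather than the start of the URL, userinfo tricks with `@`, bare IP addresses, known redirectors, punycode lookalikes, and plain http. The shortener list, the suffix list, the expected domain `example-council.gov.uk` and every sample payload are constructed for illustration.

```python
"""Vet the text decoded from a QR code before anything opens it.

Added example for this article, not the article's own code or any scanner
app's. The shortener list, the suffix list, the expected domain and every
sample payload below are constructed for illustration (assumptions).
"""
import ipaddress
from urllib.parse import urlsplit

# Redirector hosts: a code pointing here hides its real destination.
# Constructed, deliberately short list (assumption), not a threat feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "qrco.de"}

# Public suffixes that take two labels, so the registrable domain is three.
# Hand-picked subset (assumption); real code would load the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au", "gov.au", "co.nz"}

# Schemes that must never be opened from a scanned code.
DANGEROUS_SCHEMES = {"javascript", "data", "file", "vbscript"}


def registrable_domain(host):
    """Return the part of a hostname a person actually has to read.

    Attackers put the trusted name on the LEFT, where the eye starts:
      council.gov.uk.pay-now.example -> pay-now.example        (attacker's)
      parking.example-council.gov.uk -> example-council.gov.uk (council's)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def vet_qr_url(payload, expected_domains=()):
    """Classify a decoded QR payload as 'open', 'caution' or 'block'.

    expected_domains: registrable domains acceptable in this context (the
    council that owns the meter, your own bank). Returns (verdict, reasons).
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme  # urlsplit already lower-cases it
    if scheme in DANGEROUS_SCHEMES:
        return "block", [f"{scheme}: URL would run code or load inline content"]
    if scheme not in ("http", "https"):
        # Wi-Fi config, vCard, mailto, or a bare 'host/path' with no scheme:
        # none of these should open a web page unreviewed, so hand them back.
        return "caution", [f"not an http(s) URL (scheme {scheme or 'none'!r}); inspect before acting"]
    host = (parts.hostname or "").lower()
    if not host:
        return "block", ["URL has no host"]

    block, caution = [], []
    if parts.username is not None:
        # https://bank.example@evil.example/ shows bank.example first, but
        # everything before '@' is userinfo; the site is what follows it.
        block.append("userinfo before '@': the name shown first is not the site")
    try:
        ipaddress.ip_address(host)
        block.append("host is a bare IP address, not a named site")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
        expected = {registrable_domain(d) for d in expected_domains}
        if expected and domain not in expected:
            block.append(f"domain is {domain}, expected one of {sorted(expected)}")
    if host in SHORTENER_HOSTS:
        block.append(f"redirector {host}: the real destination is hidden")
    if any(label.startswith("xn--") for label in host.split(".")):
        caution.append("punycode label: may render as a lookalike name")
    if scheme == "http":
        caution.append("plain http: anything typed into the page travels in clear")

    if block:
        return "block", block + caution
    if caution:
        return "caution", caution
    return "open", [f"{domain}: no findings"]


# Constructed sample payloads, as a scanner would decode them (assumption).
EXPECTED = ["example-council.gov.uk"]
SAMPLE_PAYLOADS = [
    "https://parking.example-council.gov.uk/pay?bay=42",           # open
    "https://example-council.gov.uk.pay-parking-now.example/pay",  # block: lookalike
    "https://example-council.gov.uk@203.0.113.7/pay",              # block: userinfo + IP
    "https://bit.ly/3xyzQR",                                       # block: redirector
    "http://parking.example-council.gov.uk/pay",                   # caution: http
    "WIFI:T:WPA;S:CafeGuest;P:secret;;",                           # caution: not a URL
]


def vet_samples(expected_domains=EXPECTED):
    """Return {payload: verdict} for the constructed samples."""
    return {p: vet_qr_url(p, expected_domains)[0] for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict, reasons = vet_qr_url(payload, EXPECTED)
        print(f"{verdict:8}{payload}")
        for reason in reasons:
            print(f"        - {reason}")
```

The interesting cases are the second and third samples: both begin with the council’s real name, and both are blocked because the name a person reads first is either a subdomain of the attacker’s registrable domain or userinfo in front of an IP address. The same function serves an issuer checking a batch of codes before printing: pass your own domain as the expected one and anything that is a shortener or off-domain fails.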
For businesses that use QR codes
If you generate QR codes for customer-facing use, a few practices reduce the risk of your QR codes being spoofed, and make a spoof easier to spot when it happens:
- Use static QR codes when possible. Static codes encode the destination URL directly. Dynamic codes encode a redirect URL at a third-party service, so the printed code keeps working even if that service is compromised or your subscription lapses, and where it then points is out of your hands. The QR codes generated at InstantTools are static.
- Print QR codes directly on materials rather than using stickers where possible. Stickers are easy to overlay.
- Include the destination URL in text next to the code. If customers can verify the URL independently, overlay attacks become immediately obvious.
- Use your own domain. QR codes pointing to your own recognisable domain are harder to convincingly spoof than ones pointing to URL shorteners.