Quishing is a cyberattack that uses malicious QR codes to trick victims into divulging personal information or downloading malware.

Quishing is a cyber-attack that uses malicious QR codes to trick victims into divulging personal information or downloading malware. It’s phishing, but instead of using links or emails, it uses a QR code that, when scanned, will take you to a fake website or download malware.

Here’s what it looks like:

  1. Scammers create a malicious QR code. These codes can appear like legitimate QR codes, such as those used for discounts, payments, or WiFi.
  1. The code is placed strategically. Scammers may place these codes on public surfaces such as posters, packaging, or walls. They may also send them by email, text message, or social media.
  1. The victim scans the code. If the victim scans a code with the camera on their phone, the device is directed to an imaginary website or tricked into installing malware.
  1. The attack unfolds. After visiting the fake website, a victim may be tricked into entering their login credentials, financial data, or other sensitive information. The code can be used to download malware that could steal data, spy on, or take control of a device.

What Kind of Information Is Taken In A Quishing Attack

Quishing attacks are used to steal information depending on the attackers’ goals. Here are some of the most common types of targeted information:

  • Login credentials: This includes usernames and passwords for online accounts such as bank accounts, emails, social media, and online shopping platforms.
  • Financial Information: This includes credit card numbers and routing numbers.
  • Personal Information: This includes name, address, phone numbers, dates, and birth, as well as driver’s license numbers.
  • Device Information: This includes information such as the type of device (including operating system), IP address, and location data.
  • Other Sensitive Information includes anything from medical records and trade secrets to business and business documents.

Quishing attacks can be used for various purposes, including:

  • Install Malware: Malware is a program that can be used to steal data, spy on your activities, or even control your device.
  • Launch denial of service attacks: This attack can flood a site or server with traffic and make it unavailable to users.
  • Spreading phishing scams: Once the victim has fallen for one quishing attack, it is more likely that they will fall for another phishing attack in the future.
  • Steal Information: Keep in mind that information can be stolen by quishing. An attacker does not always need all your personal information to do damage. For example, your username and your email address can be used to launch an attack. Once stolen, your data can be used in several ways. It could be sold to the black market, used for identity theft, or to launch other attacks.

How Users Can Protect Themselves from Quishing Attacks

QR codes are often viewed as convenient and safe. Here are a few tips to keep you safe:

  • Be cautious of unexpected QR codes. If you see a QR code you weren’t expecting, especially in a public place, don’t scan it.
  • Verify its source. Before scanning a code, you should verify its legitimacy. Ask the source where the code will lead or search online for information.
  • Hover over the QR code, but don’t click. When unsure of a QR Code on a site or app, simply hover your cursor above it without clicking. Many platforms will show the URL that the code leads to so you can verify its legitimacy before scanning.
  • Use QR code scanners with security features. Specific scanners will warn you of malicious codes.
  • Be cautious about the information you provide online. Do not enter personal information on websites you do not trust.
  • Update your software to the latest version. Updating to the latest version helps to protect you against malware attacks.
  • Be wary of unsolicited emails and text messages. Do not click on links or files from unknown senders.

Follow these tips to secure your information and protect yourself from phishing attacks.

How Do You Know If You’ve Become A Victim Of A Quishing Attack

It can be challenging to detect a quishing attack, but there are some warning signs you should look out for.

Unexplained Activity:

  • Strange Login Attempts: If notifications are sent to you about login attempts you did not make, mainly from unusual locations, this could indicate your credentials have been compromised.
  • Be on the lookout for suspicious charges or transactions: Check your bank statements and credit card bills for charges you don’t recognize. Quishing attacks are used to steal financial data.
  • Unfamiliar apps: Have you installed any apps that you can’t recall? Malware downloaded via quishing may disguise itself as a legitimate app.

Phishing Website Clues:

  • Typos and inconsistencies: Be cautious if the website you land on via a QR code contains grammatical mistakes or is inconsistent with the official website that it impersonates.
  • Unrealistic deals or urgent prompts: Often, phishing websites lure victims by offering too-good-to-be-true deals or creating a sense that they must act immediately.
  • Requesting unnecessary information: Legitimate sites typically only request information relevant to the task. Beware of websites that request excessive personal information.


  • Act quickly if you suspect you have been a victim. Change the passwords of any accounts that may have been compromised, and contact your financial institution or bank if you notice suspicious transactions.
  • Report the suspicious QR codes to the platform you found them on (e.g., website owner, social media platform) to prevent others from falling prey.

How Enterprises Can Help Decrease The Number Of Quishing Attacks

Here are some ways to reduce quishing risks:

Raise awareness:

  • Creating educational content: Create blog posts, social media graphics, and videos that explain quishing, its hazards, and how to remain safe.

Empower users:

  • Developing detection tools: Browser extensions and mobile apps scan QR codes for suspicious elements. These detection alerts warn users before they become victims.
  • Simulating Phishing Attacks: These can be used to create a safe training environment where users can practice identifying phishing attempts and avoiding them, building their resilience.

Support research and Development:

  • Analysis of attack patterns: Identifying trends, shared tactics, and emerging threats.
  • Testing Security Solutions: can be used to evaluate and refine new anti-quishing strategies and tools.
  • Staying updated on the changing landscape: Monitoring the latest phishing techniques and trends.

What Quishing Attacks Look Like

Here’s an example of two quishing stories that made headlines in 2023.

Fake parking meters’ QR codes are scamming Texas drivers:

  • The Scam: In Austin, Texas, malicious actors placed fake QR codes on parking meters instead of the real ones. When these fake codes were scanned, they directed drivers to a website that looked like the city’s official payment portal for parking.
  • The Bait: A website that lures drivers by offering parking rates that appear to be discounted.
  • The Trap: Once drivers enter their credit card information for parking, scammers steal it.
  • Impact & Awareness: This incident shows the sophistication of quishing attacks that target users in everyday situations using seemingly legitimate prompts. It is a cautionary story, warning people not to scan QR codes that they don’t expect, especially those on public infrastructure. Austin Parking Authority has issued public warnings reminding residents to use only official parking apps or pay with coins at meters without QR codes.

Another example of quishing attacks involves exploiting public curiosity and desire for exclusive material:

Fake Concert Tickets QR Code Scam:

  • The Setup: Scammers create fake QR codes that look like legitimate concert ticket barcodes and distribute them near venues. They may claim they are “extras” or unclaimed tickets.
  • The Lure: Victims excited about potentially winning free tickets scan the code.
  • The Trap: The code will direct them to a fake ticketing website. This website could: 1) Request login credentials to verify the ticket. Then, steal them for future attacks. 2) Charge the victim “processing fees” and “activation costs,” siphoning off money. 3) Download malware on the victim’s device.
  • Impact & Awareness: This example shows how quishing can exploit specific interests and emotions. It exploits situations where people may be less vigilant due to excitement or urgency. It’s essential to be cautious when encountering QR codes in unexpected contexts, like close to event venues, even if they seem relevant. Concert organizers and ticketing sites can play a part in educating and raising awareness about these scams.

Remember that if something sounds too good to be true, especially regarding QR codes and freebies – it probably is. Verify the validity of any code and use caution before scanning it.

Related Content

Receive Zimperium proprietary research notes and vulnerability bulletins in your inbox

Get started with Zimperium today