What is Quishing? The New Scam to Steal Your Data

Widespread adoption of QR codes in recent years means they’re practically everywhere. From the menu at your favorite restaurant to the parking meter downtown to coupons in your local shop, the blocky black and white images enable your mobile device to quickly access or share digital information with minimal typing.

As with other new technologies, scammers quickly added QR codes to their arsenals of criminal tools. Let’s explore the risks so you know how to avoid becoming a victim of the growing threat known as quishing.

What is quishing?

Quishing is a type of social engineering attack that uses malicious QR codes instead of phishing emails to get unsuspecting individuals to reveal valuable personal and payment information.

While consumers have become increasingly aware of phishing scams and are therefore cautious of links in unexpected emails, the abundance and convenience of QR codes in daily life can create an expectation of trust. By placing malicious QR codes in public spaces, scammers are counting on unwary individuals scanning them — often with good reason. Statista reports approximately 89 million US smartphone users scanned a QR code on their mobile devices in 2022, an increase of 26% over 2020.

After scanning the malicious QR code, the victim is sent to a website where they’re tricked into voluntarily entering their personal information or conducting a fraudulent transaction. The site can also install malware on the victim’s device.

Where do quishing scams occur?

Given the broad use of QR codes, criminals can place their fraudulent codes practically anywhere. By printing their malicious version on stickers, they can cover legitimate QR codes on parking meters or promotional table talkers in restaurants, bars and retailers. There are even instances of scammers sending emails or text messages with embedded QR codes, along with a seemingly legitimate excuse as to why the recipient needs to scan it.

In a warning about quishing, the Federal Trade Commission (FTC) noted scammers may also try to get individuals to scan fraudulent QR codes by claiming the victim needs to:

  • Schedule delivery of a package
  • Confirm account information to resolve a supposed issue
  • Change the login password of an account after suspicious activity was allegedly detected

As with traditional phishing or impersonation scams, perpetrators work to create a sense of urgency, prompting the victim to scan the QR code and volunteer their personal information without questioning if the reason they’re being told to do so is legitimate. 

How to avoid quishing attacks

While individuals can (and should) look for tell-tale signs of phishing attacks — such as misspelled URLs or poor grammar — QR codes don’t offer the same visual clues. That said, there are steps people can take to avoid falling into one of these digital traps.

  • Avoid QR codes found in unexpected places. Randomly placed QR codes can sometimes be used in guerrilla marketing campaigns, but the risk of scanning arbitrary QR codes can be great.
  • Inspect the target URL before opening it. QR code scanners will show you the URL before connecting, so look for spelling mistakes or extra characters in familiar URLs. If the URL looks like a random jumble of letters or is suspicious in any way, don’t open it.
  • Don’t scan QR codes in emails or texts. Emails and SMS texts can include links, so why would a QR code be used instead? Unexpected messages — especially those that demand immediate action — should be ignored. Want to see if it’s legitimate? Contact the company using a phone number or website you’ve independently verified as valid.
  • Safeguard your device and online accounts. Keep device software and security patches up to date. Lock the physical device with a PIN or biometric authentication. Increase the security of online accounts by using strong passwords and enabling multi-factor authentication.

Embrace new technology wisely

QR codes can be highly beneficial to organizations while delivering real convenience for individuals. But, as with all new technologies, criminals' determination to profit from unsuspecting victims creates risks for everyone. Being aware of threats like quishing, and knowing how to avoid the malicious QR codes behind those attacks, can help ensure you use these new technologies safely.