QR Code Phishing (Quishing)
Quishing attacks replace legitimate QR codes with malicious ones, or distribute malicious QR codes by email and text message. The code leads to a convincing phishing site that harvests credentials or installs malware. Because many security tools scan text URLs but not QR codes, quishing sometimes bypasses email security filters.
Physical Tampering
Sticker-based QR codes in public places are easily replaced with attacker-controlled stickers. Parking payment stations, restaurant table codes, and public information displays have all been targeted. If a sticker QR code seems slightly raised or misaligned, be suspicious.
How to Scan Safely
Use a QR scanner that previews the URL before opening it. Read the preview URL before tapping: does the domain match what you'd expect? Be extra cautious about QR codes in emails, text messages, and unfamiliar locations.
Protecting Your Own QR Codes
If you manage QR codes for a business, use tamper-evident materials or designs that make replacement obvious. Monitor dynamic QR code analytics for sudden changes in scan patterns. Consider periodic verification that physical QR codes haven't been tampered with.
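The periodic verification described above can be scripted. The following is an added example, not part of the original article: it compares what an audit scan decoded at each placement against the URL the business originally printed, applying the same "does the domain match what you'd expect?" test a careful scanner user would. The placement names, domains, scan results and verdict labels are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed inventory: placement ID -> URL the business printed (hypothetical names).
EXPECTED = {
    "lot-a-meter-3": "https://pay.example-parking.test/lot-a/3",
    "table-12": "https://menu.example-cafe.test/t/12",
    "lobby-info": "https://www.example-museum.test/visit",
}

# Constructed audit results: what a staff member's scanner decoded at each placement.
AUDIT_SCANS = {
    "lot-a-meter-3": "https://pay.example-parking.test.pay-portal.example/lot-a/3",
    "table-12": "https://menu.example-cafe.test/t/12",
    "lobby-info": "https://www.example-museum.test@203.0.113.7/visit",
}

def host_of(url):
    """Return (scheme, lowercase hostname, has_userinfo) for a decoded payload."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), (parts.hostname or "").rstrip("."), "@" in parts.netloc

def check_scan(expected_url, scanned_payload):
    """Classify one audited code against the URL that was originally printed."""
    exp_scheme, exp_host, _ = host_of(expected_url)
    scheme, host, userinfo = host_of(scanned_payload)
    if scheme not in ("http", "https"):
        return "TAMPERED: payload is not a web URL"
    if userinfo:
        return "TAMPERED: userinfo before '@' hides real host " + host
    if host != exp_host:
        return "TAMPERED: host is " + host + ", expected " + exp_host
    if scheme != exp_scheme:
        return "REVIEW: scheme changed to " + scheme
    if scanned_payload.strip() != expected_url:
        return "REVIEW: same host, different path or query"
    return "OK"

def audit(expected, scans):
    """Check every inventoried placement; a missing scan is itself a finding."""
    return {
        placement: check_scan(url, scans[placement]) if placement in scans
        else "MISSING: code not scanned or unreadable"
        for placement, url in expected.items()
    }

if __name__ == "__main__":
    for placement, verdict in audit(EXPECTED, AUDIT_SCANS).items():
        print(placement, "->", verdict)
```

The comparison is on the parsed hostname rather than the raw string, so a payload that merely begins with the expected domain is still flagged.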
QR codes can deliver malicious URLs exactly as email links can. Preview URLs before opening, verify physical codes haven't been tampered with, and be skeptical of codes in unexpected contexts.