What is Quishing? The Ultimate Guide 2025
Quishing is the latest threat in cybercrime. Learn how QR code phishing works, how to recognize it, and protect yourself effectively.
What is Quishing?
Quishing (a portmanteau of 'QR' and 'phishing') is a new form of cyberattack where criminals use malicious QR codes to deceive people. While traditional phishing uses emails or fake websites, quishing attackers use QR codes as an attack vector.
The reason quishing is so dangerous: QR codes are not human-readable. You cannot see where a QR code leads before scanning it. Cybercriminals exploit exactly this property.
Definition: Quishing
Quishing is a phishing method where attackers use manipulated or malicious QR codes to lure victims to fake websites, steal personal data, or distribute malware.
How Does a Quishing Attack Work?
A typical quishing attack happens in several steps:
- The attacker creates a malicious QR code leading to a fake website (e.g., a copy of your bank's login page)
- The QR code is distributed through various channels: emails, fake parking tickets, flyers, social media, or even pasted over real QR codes
- The victim scans the QR code with their smartphone without recognizing it's malicious
- The victim lands on the fake website and enters sensitive data (passwords, credit card details, personal information) or unknowingly downloads malware
Real Quishing Examples from Germany
Fake Parking Tickets
Attackers paste QR codes on parking meters leading to fake 'easy park' pages that steal credit card data. The pasted-over codes are often hard to detect.
ADAC Phishing Emails
Emails with ADAC logo and QR codes leading to fake member pages to steal personal data and bank details.
Rheinbahn Deutschland-Ticket Scam
Fake posters in buses and trams with QR codes supposedly leading to free Deutschland-Tickets, but in reality leading to data theft.
Fake Bank Letters
Letters in Commerzbank design with QR codes for alleged photoTAN activation. Goal: steal online banking credentials.
EV Charging Station Scam
Pasted-over QR codes at electric charging stations that lead to phishing websites instead of payment pages.
Fake Parking Fines
Fraudulent parking fines with QR codes leading to fake payment pages.
How to Recognize Quishing?
- Unexpected QR codes in emails (especially from banks, Microsoft, Google)
- QR codes on parking tickets or public places that look 'pasted over'
- Urgent calls to scan ('Your account will be locked', 'Last chance')
- QR codes from unknown senders on social media
- URLs after scanning that look suspicious or don't match the expected company
How to Protect Yourself from Quishing?
- Use QRTrust: Our app scans QR codes and checks them in real-time against our local threat database and AI models before you open the URL.
- Use Apps that Display Target URLs: Only scan QR codes with apps that display the target address first before opening the page. This way you can detect suspicious links.
- Pay Close Attention to Punctuation in URLs: 'example.com/123' is legitimate, because '/123' is only a path on example.com. 'example.com-123.com', with a hyphen instead of a slash, is a different domain and leads to a completely different, potentially fraudulent website!
- Ignore Pasted-Over QR Codes: QR codes on parking meters, charging stations, or public places that look pasted-over should never be scanned.
- Check Letters and Emails Critically: For suspicious letters (e.g., from your bank): Contact the institution via a phone number you researched yourself, not via information in the letter.
- In Case of Fraud: Act Immediately: Contact the police, call your bank, or use the blocking hotline 116 116 if you've become a victim.
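The URL punctuation check from the list above, written out as an added example (not part of the original article and not QRTrust's code). It goes beyond the article's single case and also covers the expected name appearing as a subdomain label or before an '@'. It assumes the decoded QR payload is a full URL with a scheme; `belongs_to`, `qr_target_host`, the https-only policy and the `login.test` placeholder domain are assumptions of this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption for this example: only https links are acceptable for login or payment.
ALLOWED_SCHEMES = {"https"}


def qr_target_host(url: str) -> Optional[str]:
    """Return the host a decoded QR URL really points to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo ("user@") and port removed
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return None
    return host.rstrip(".")


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain itself or one of its subdomains."""
    host = qr_target_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    # Compare whole DNS labels: a plain substring or prefix test would accept
    # "example.com-123.com" because it starts with "example.com".
    return host == expected or host.endswith("." + expected)


# Constructed sample payloads; "login.test" is a placeholder domain.
SAMPLES = [
    "https://example.com/123",             # path on example.com
    "https://pay.example.com/ticket",      # subdomain of example.com
    "https://example.com-123.com",         # different domain (hyphen, not slash)
    "https://example.com.login.test/123",  # expected name used as a subdomain label
    "https://example.com@login.test/",     # expected name in the userinfo part
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "matches" if belongs_to(sample, "example.com") else "DIFFERENT SITE"
        print(f"{qr_target_host(sample)!s:28} {verdict:15} {sample}")
```

A match only shows that the link stays on the expected domain; it does not cover lookalike spellings of the domain name itself.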
Quishing in Enterprises
For businesses, quishing is a particularly large threat. Employees are often the weakest link in the security chain. A single scanned malicious QR code can:
- Compromise company data
- Bring ransomware into the network
- Steal access credentials for critical systems
- Cause compliance violations (GDPR, NIS2)
Conclusion
Quishing is a growing threat that uses QR codes as an attack vector. The invisibility of the destination makes QR codes the perfect tool for cybercriminals.
The best protection is a combination of awareness, healthy skepticism, and technical solutions like QRTrust that check every QR code before opening.
Protect Yourself from Quishing Now
QRTrust checks every QR code in real-time against multiple threat databases and warns you of dangers.
Sources
This article is partially based on information from Verbraucherzentrale NRW:
Quishing: Fake QR Codes in Emails, Letters, Public Transport and Road Traffic