QRishing (Quishing): When QR Codes Become a Phishing Trap
QR codes are everywhere: on parcels, parking meters, posters, invoices, access cards. That’s exactly what makes them attractive to attackers. QRishing (also called Quishing) is phishing via QR codes: a scan leads to a fake website, app, or payment page—aimed at stealing credentials, MFA codes, or payment data. The good news: with clear rules, a quick check, and a few technical guardrails, most cases can be reliably stopped.
What is QRishing—in 20 seconds
- A QR code points to a URL (or app/action).
- The code is tampered with (sticker overlay, swap) or placed in new locations (poster, notice, email, parcel).
- After the scan, a deceptively real login, payment, or download page opens.
- Goals: account takeover, malware installation, payment redirection, MFA harvesting.
Why is QRishing on the rise?
- Baseline trust: “Printed = legitimate”—many don’t inspect the target link on their phone.
- Mobile by default: On phones, URL preview, certificate details, and extensions are harder to see.
- PhyGital: Blending the physical world (sticker) with a digital target (phish page) sidesteps email filters.
Typical real-world scenarios
- Parking/Donations/Restaurant: Table or machine QR leads to a fake payment page.
- Parcel notification: Slip or card with a QR “to release delivery” → fake login/payment.
- Visitor/Wi-Fi QR: Lobby poster → “Wi-Fi portal” that asks for M365/Google login.
- Posters/ads: Covered original QRs redirect to compromised domains.
- Internal processes: QR on delivery notes/invoices → bank details “update” on a fraud site.
The 10-second check before every scan
- Verify the source: Is the QR official (company/place/medium)? Sticker on top? Damaged?
- Read the URL: Does your phone show a preview? Does the domain match (no typos/homoglyphs, correct TLD)?
- No login or payment via unknown QR links. Instead, type the domain manually or use a bookmark.
- Never enter an MFA code in a browser page opened by a QR scan—prefer the official app (or its deep link) installed from the official store.
How companies stop QRishing—people + process + technology
1) Policies & awareness (short, concrete)
- “Stop – Check – Call back”: Verify source, read the URL, if unsure open it manually or call a known hotline.
- No QR logins for payroll, M365/Google, banking, travel. Always use bookmarks.
- Internal QR hygiene: Add a short plain-text URL and signature/version to your own QR posters (tampering stands out).
2) Technical guardrails
- Mobile protection chain: MDM/MAM + Mobile Threat Defense (browser isolation/phishing protection, time-of-click checks).
- DNS/Web filtering: NRD blocking (newly registered domains), category filters, IDN/homoglyph detection.
- Email security for QR links in mail/newsletters: link rewriting, sandboxing, SPF/DKIM/DMARC.
- Browser policies: Enforce visible address bar, warning banners for external sites, block risky file types (APK/EXE).
- Payment controls: Corporate cards with limits & MCC blocks, approvals with the four-eyes principle.
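As an added example (not code from the article), here is a triage check a help desk or security team could run over the URL decoded from a suspicious QR code. It applies the 10-second check and the guardrails above: HTTPS only, allowlisted domain, IDN/punycode and homoglyph lookalikes, raw IP hosts, embedded brand names, and APK/EXE downloads. The allowlist and the substitution table are constructed placeholders.

```python
# Added example (not from the original article): triage the URL decoded from a QR
# code the way the 10-second check and the DNS/web-filtering guardrails describe.
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of the organisation's official domains (assumption).
OFFICIAL_DOMAINS = ("example.com", "login.microsoftonline.com")
# File types the article's browser policy blocks.
RISKY_EXTENSIONS = (".apk", ".exe", ".msi", ".scr")
# Lookalike substitutions collapsed before comparing domains (constructed, partial).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(name: str) -> str:
    """Normalise a hostname so common homoglyph swaps compare equal to the original."""
    name = unicodedata.normalize("NFKC", name).lower()
    for lookalike, original in SUBSTITUTIONS:
        name = name.replace(lookalike, original)
    return name

def is_allowlisted(host: str) -> bool:
    """True when host is an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(url: str) -> list:
    """Return the warning signs found in a decoded QR URL; an empty list means it passed."""
    findings = []
    parts = urlparse(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        findings.append("no hostname in URL")
        return findings
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        findings.append("internationalised (IDN/punycode) hostname")
    if all(l.isdigit() for l in labels):
        findings.append("raw IP address instead of a domain")
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("link points at an executable/package download")
    if is_allowlisted(host):
        return findings  # official domain: only the checks above can still flag it
    findings.append("domain not on the allowlist")
    for official in OFFICIAL_DOMAINS:
        if skeleton(host) == skeleton(official) or skeleton(host).endswith("." + skeleton(official)):
            findings.append(f"lookalike of {official}")
        elif official in host:
            findings.append(f"embeds {official} in a different domain")
    return findings
```

Feed it the string your QR scanner app shows in its preview; a non-empty result is the cue to stop and type the known domain manually instead.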
3) Response & recovery
- Immediate steps after a bad scan: Change password, end active sessions, revoke tokens, check the device with EDR/XDR, block payment.
- Playbooks: Templates for “account takeover,” “payment fraud,” “malware download”—incl. contact list (bank, provider, IT).
- Preserve evidence: Photo of the QR/poster, URL, time, place; ticket into SIEM/IR tool.
FAQ—short & practical
Is scanning QR codes inherently unsafe?
No. It becomes unsafe when the code leads to unknown domains/logins/payments. Official codes with a clear target domain are fine—still: verify.
How can I spot tampered QR posters?
Stickers on existing prints, mixed paper quality, cropped logos, “too good to be true” offers, missing plain-text URL/source.
What if I scanned and entered credentials?
Change the password immediately, end active sessions, re-issue MFA, inform IT/bank, have the device checked, report the incident.
Are QR codes for internal Wi-Fi/apps okay?
Yes, if you issued them, they’re clearly labeled, and they point to your domain/stores. Regularly check posters for tampering.
Conclusion
QRishing exploits habit and speed—not a tech bug. If you slow the scan down with a 10-second check and combine DNS/Web filtering, email security, and mobile policies, you neutralize most attacks before they get costly. In short: verify, don’t rush—and set smart guardrails.