Proudly supported by

Australian Government logo


Resources Hub / Small business cyber basics / “Quishing”: Scams hidden in QR codes

“Quishing”: Scams hidden in QR codes

Quishing header image


A lot of things happened in 2020 (an understatement, to say the least).

In response to the COVID-19 pandemic, people across the world stayed inside. Zoom became the most popular place to hang out. Using hand sanitiser became second nature.

And, almost overnight, QR codes were everywhere.

Whether we were grocery shopping, visiting the doctor or eventually, heading to a restaurant, we scanned a QR code to “check in” at that location.

While we no longer have to scan a QR code when we visit a public place, this piece of tech has become a normal part of our lives.

Go to a pub or cafe? Scan a QR code to view the menu and order a meal. Want to learn more or follow a business on social media?

Let’s start with the basics. Quishing is the combo of two words: QR and phishing.

QR (quick response) codes are like square barcodes and are used by scanning the code with the camera on your device. Phishing is a type of cyber scam where cyber criminals will create a dodgy link and try to get personal information out of you like passwords and credit card details. You’ve probably received emails or text message like this.

Put together: quishing is another phishing attack except scammers use a QR code to hide a dangerous link.

In action, quishing might look like a QR code that:

  • Takes you to the wrong website and encourages you to enter personal details (it will often try to replicate an actual website)
  • Prompts you to download files or apps that are secretly malicious software

What are the warning signs of quishing?

qr code scanning
One of the key ingredients to the success of a quishing attack is people not thinking before they scan a QR code. As we said earlier, quishing doesn’t mean you should never use a QR code again — it just means being a little bit cautious.

On a physical item, check it’s not covering something up

At the end of 2023, the American Federal Trade Commission (FTC) issued a warning about quishing and the risk it held to individuals and businesses.

The FTC reported instances of fake QR codes being stuck on physical items like parking metres and menus. These stickers might be hiding the real QR code or just trying to get your attention.

It might sound simple but, in these instances, it doesn’t hurt to double-check that the QR code isn’t a sticker or looks as though it’s been tampered with.

If in doubt, you can always talk to a staff member, go directly to the website to learn more or pay in person.

Check the QR code link before scanning

Depending on what device you are using, you can often hover over the QR code and see a preview of the link.

On the latest software of iPhone, it looks like this:

In this example, you can see the start of the link and the website it will take you to.

Take a second to read this carefully and ensure this link matches what you were expecting to click on. Like you would for scam text messages or emails, look out for spelling errors or random numbers.

Be extra cautious about scanning QR codes in emails

QR codes sent in emails should always make you look twice (maybe more).

As people learn more about cyber security and are careful about clicking on dodgy links, cyber criminals are hoping they might catch you out in a different way.

In these quishing attempts, hackers will send a fake email with a bad QR code. Some of the most common emails include:

Just like spam emails you receive, use the same tips to spot the fake ones:

#1: Uncommon or misspelt email address

We’ve said it once and we’ll say it again — spelling and grammar issues are a key giveaway to a potential cyber attack.

#2: Unexpected password or MFA request

Imagine you’re going about your work day and you receive an email asking you to reset the password to your online banking. You weren’t trying to login but maybe they’re just helping you stay safe?

Think again. Hackers might be impersonating a well-known organisation and hoping you give them private information.

#3: Pressure to act urgently

Like in most scams, online criminals will prey on you being nervous and making you act fast. Look out for words like “urgent” or “act now”.

#4: Paying an invoice

If you receive an email about something to be paid, especially if you weren’t expecting it, directly call the business using trusted contact details (don’t just hit reply to the email).

Don’t download software or apps from a QR code

If a QR code ever prompts you to download an app or new software, click away. If you want to look into downloading something further, go directly to your device’s app store or website to verify the authenticity of the app.

How to protect your accounts from quishing attacks

Learning about emerging cyber threats, like quishing, is always an important step to stay safe online.

In addition, you can practice everyday, cyber-safe habits that if you were targeted in an attack, you’d have strong defence mechanisms in place.

#1: Unique, long and private passphrases

If you have different passphrases for every account it means that if one account got compromised, the rest are protected. By re-using the same password or passphrase, cyber criminals can hack into other systems you use.

#2: Update software across your devices

Having the latest software means you get access to updates that protect you against current security threats and provide you with improved tools and services.

#3: Turn on MFA

Having MFA on your accounts is like turning on a virtual alarm. If someone got access to your password, they would need to get past an additional layer of security (your MFA) to get any further.

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.

Learn easy and simple cyber security tips for your small business

More helpful resources for you and your business

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.

It happened to me!

Have you got a Cyber attack story to share? Your story can help other small businesses protect themselves.