Quishing (QR Code Phishing) Complete Guide: How to Spot Malicious QR Codes and Stay Safe

A new QR code appeared on the parking meter. The restaurant replaced its printed menu with a "scan to order" sticker. You scanned without thinking — but was that QR code legitimate? In 2025, QR code phishing (quishing) attacks surged 587%, and the FBI issued a January 2026 warning that North Korean state-sponsored hackers are actively using malicious QR codes in large-scale spearphishing campaigns. The second before you scan is your most important line of defense.

1. What Is Quishing?

Quishing is short for "QR Code Phishing." Attackers encode a malicious URL into a QR code, then trick victims into scanning it, redirecting them to a fake website designed to steal credentials, credit card numbers, or install malware.

1.1 Why QR Codes Are Particularly Dangerous

  • The link is invisible: You can't see what URL a QR code contains before scanning
  • Bypasses security filters: Most corporate email gateways can't scan QR codes embedded in images
  • Mobile device weakness: Smartphone screens are small — URL previews are easy to overlook
  • High trust factor: QR codes in physical environments (posters, packaging) rarely arouse suspicion

By the numbers: According to Keepnet Labs, QR code phishing attacks increased 587% in 2025 compared to 2024, now comprising 12% of all phishing attacks — and the trend is still rising.

2. Real-World Attack Cases (2025–2026)

2.1 North Korean Hacker Group Kimsuky's Spearphishing Campaign

In January 2026, the FBI and the American Hospital Association (AHA) issued a joint warning: North Korean state-sponsored hacker group Kimsuky is targeting government agencies, healthcare organizations, and academic researchers with QR code spearphishing attacks. The group embeds QR codes in emails disguised as Microsoft 365 logins or multi-factor authentication requests — scanning them immediately exfiltrates account credentials.

2.2 Fake Parking Meter QR Codes

Multiple U.S. cities (including San Francisco and Austin) documented attackers placing malicious QR code stickers over legitimate parking meters, redirecting drivers to counterfeit payment sites to harvest credit card data. The fake sites are visually identical to official ones.

2.3 Restaurant Menu QR Code Swaps

Attackers replace legitimate menu QR codes on restaurant tables, or distribute fake "free Wi-Fi" QR codes in tourist areas that redirect to phishing login pages or auto-download malicious apps.

2.4 Package Notification SMS

Fake delivery notification texts claiming a package requires address reconfirmation or customs payment include a QR code that leads to a phishing site requesting personal and payment information.

3. How to Spot a Malicious QR Code: 5 Verification Steps

Step 1: Inspect the Physical QR Code

Malicious stickers are typically placed over an original QR code. Look for:

  • Raised or peeling edges
  • Adhesive residue
  • Different paper texture or print quality compared to surroundings

Step 2: Preview the URL Before Tapping

Most smartphones display the URL after scanning before opening it. Don't rush to tap "Open." Check:

  • Does the domain match the service you expect?
  • Is it HTTPS? (Note: phishing sites can also have HTTPS, but no HTTPS is an immediate red flag)
  • Are there suspicious characters or typosquatting? (e.g., micros0ft.com, paypa1.com)

Step 3: Be Wary of Shortened URLs

QR codes frequently encode shortened URLs (bit.ly, t.co), which obscure the final destination. Copy the shortened URL and use the URL Tool to decode and analyze the actual destination before visiting.

Step 4: Verify the Source's Legitimacy

  • QR codes in emails: Verify the sender's email address and confirm through official channels
  • Physical environment: Ask on-site staff to confirm the QR code is official
  • Unexpected QR codes: Ignore QR codes claiming to be "coupons," "prizes," or "free gifts"

Step 5: Monitor the Page After Landing

If a page immediately asks you to enter passwords, credit card numbers, or government ID numbers, or prompts you to download an unknown app, close it immediately and clear your browser cache.
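
The URL checks from Steps 2 and 3 can be automated once a QR code has been decoded to text. The following is an added example, not part of the original guide: the function names, the digit-for-letter table and the sample URLs are constructed for illustration, and the list of expected domains is an assumption supplied by the caller.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co"}                 # the two named in Step 3
LOOKALIKE = str.maketrans({"0": "o", "1": "l"})  # digit-for-letter swaps (constructed)

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_qr_url(url, expected_domains):
    """Return warning strings for a URL decoded from a QR code (empty list = no findings)."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username or parts.password:
        warnings.append("userinfo-in-url")       # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")         # internationalised label, inspect by hand
    domain = registrable(host)
    # Compare with digits folded to letters on both sides, so micros0ft.com meets microsoft.com.
    folded = {d.lower().translate(LOOKALIKE): d.lower() for d in expected_domains}
    if domain in SHORTENERS:
        warnings.append("shortened-url")         # destination unknown until expanded
    elif domain not in folded.values():
        match = folded.get(domain.translate(LOOKALIKE))
        warnings.append("lookalike-of:" + match if match else "unexpected-domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs; the expected domains are assumptions for the demo.
    expected = {"microsoft.com", "paypal.com"}
    for url in ["https://login.microsoft.com/", "https://micros0ft.com/login",
                "http://paypa1.com/pay", "https://bit.ly/abc123",
                "https://parking-pay.example/"]:
        print(url, "->", check_qr_url(url, expected) or "no findings")
```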

4. Organizational Defense Strategies

If you manage QR codes for a business (employee badges, marketing campaigns, parking facilities):

  • Use dynamic QR codes: Easily track scans and disable codes instantly if compromised
  • Regular physical audits: Inspect physical QR codes in your environment for tampering
  • Brand your QR codes: Embed your logo — makes substitution harder to disguise
  • Employee training: Ensure staff understand quishing risks, especially privileged account holders
  • Zero-trust email policy: Instruct employees never to scan QR codes from emails; use official links instead

5. How to Generate a Safe QR Code

When creating QR codes for events, business cards, or products, always point to a legitimate HTTPS URL and periodically verify the target link is still active. The QR Code Generator processes everything locally in your browser — your target URL is never sent to an external server, protecting your link privacy.

Long URLs are harder to spoof; short URLs are convenient but more dangerous. If you need to shorten a URL, use a trustworthy service and track the links you distribute with the Short URL Tool for future verification.

6. Quishing vs. Traditional Phishing: A Comparison

| Aspect | Traditional Phishing (Email/SMS Links) | Quishing (QR Code Phishing) |
|---|---|---|
| Malicious link visibility | ✅ Visible on hover | ❌ Hidden until scanned |
| Security filter detection | ✅ Most email gateways scan links | ❌ QR codes in images hard to analyze |
| Primary attack surface | Email, SMS | Email, physical environments |
| Victim awareness | Medium (widely known risk) | Low (QR codes seen as harmless) |
| Attack cost | Low | Low (stickers are very cheap) |
| 2025 growth rate | ~+15% | +587% |

7. Summary

The convenience of QR codes is being exploited at scale. Remember three core principles: inspect before you scan (look for sticker tampering), verify before you tap (does the URL match what you expect?), and think before you type (does this page really need my personal information?). Use the QR Code Generator to create trustworthy QR codes for your own activities — giving your audience the confidence to scan safely.