QRishing: What it is, how to recognize the QR code scam, and how to avoid becoming a victim

  • QRishing is a growing digital scam that uses fake QR codes to steal data, impersonate someone, or install malware on devices.
  • Prevention involves verifying the source of QR codes, analyzing the URL before accessing them, and using secure scanning and antivirus protection applications.
  • QRishing affects both individuals and businesses, so training, awareness, and ongoing vigilance are key to avoiding becoming a victim.
Lorena Figueredo

6 minutes

What is QRishing and how to avoid it

The QR codes They have become a universal tool for accessing digital menus, commercial initiatives, payments, sweepstakes, and all kinds of services. This has brought convenience and speed to daily life, but it has also opened the door to new threats. One of the most growing and dangerous is the QRishing o QR Code PhishingKnowing the risks and learning how to protect yourself from this scam is essential for any digital user, business, or professional.

What is QRishing or Quishing?

QRishing phishing QR

El QRishing, also known as Quishing (a combination of QR and phishing), is a type of identity impersonation QR codes. Cybercriminals generate seemingly legitimate QR codes that, when scanned, direct victims to scam websites, download malware or request sensitive data such as passwords, banking credentials or personal information.

These codes can be distributed almost anywhere: on street signs, restaurant tables, advertising campaigns, invoices, emails, instant messages, and even business cards. They especially exploit the trust often placed in QR codes, as they visually make no distinction between legitimate and malicious ones.

QRishing is especially dangerous because:

  • It is not possible to see the link a QR code leads to before scanning it with the naked eye.
  • Most people trust QR codes because of their everyday use and neutral appearance.
  • URLs can be shortened or disguised, making it difficult to identify fraudulent sites even after scanning the code.
  • QR code phishing is highly effective both in the physical world and in digital campaigns.

How does a QRishing attack work?

How to avoid QRishing QR code scams

  1. Creating the fraudulent QR codeThe attacker generates a QR code programmed to redirect to a fake or malicious URL. This page could be an identical copy of a bank, retailer, or other service.
  2. Physical or digital distribution: The code is printed on stickers, placed over legitimate QR codes (e.g., on parking meters, public bikes, menus, or advertising campaigns), sent via email, social media, or even WhatsApp.
  3. Deception of the victimThe user scans the code, thinking they'll be taken to a legitimate service. There's no visual warning indicating the danger.
  4. Theft or tampering: The victim may be asked to enter personal data, tricked into installing a malicious file, or simply redirected to sites designed to commit financial fraud, phishing, or infect the device.

In some cases, more sophisticated techniques are used, such as adding QR codes to official communications, invoices, or forms that appear to come from real companies. The attack may even be aimed at capturing company data, accessing corporate systems, or stealing employee credentials.

Types of QR codes and their use in attacks

There are mainly two main types of QR codes:

  • Static: These contain fixed information, meaning the content can't be modified after the code is created. For example, a link to a restaurant's website or an email address.
  • dynamic: The content the code points to can be changed without altering the QR code's physical appearance. This is especially useful for marketing campaigns, but it can also be exploited by attackers, who can change the original URL to a fraudulent one after distributing the code.

Dynamic QR codes represent a increased risk If they are not managed correctly, since, after distribution, the destination can be changed by a third party with malicious access, without the user noticing.

Main scenarios and examples of QRishing

QRishing attacks evolve and adapt to new environments. Common scenarios include:

  • Original QR code stickers: Very common in parking lots, transit stations, public bike lanes, and restaurants. The attacker places a sticker with their malicious QR code on top of the official one.
  • Fraud in advertising or promotions: Brochures, posters, or flyers with attractive QR codes promising discounts, raffles, or gifts are distributed to attract attention.
  • Emails and instant messagingFraudulent emails include a QR code to “verify your account,” “download a file,” or “opt in for an urgent offer.”
  • Fake invoicesParticularly in the business environment, invoices or payment notices are sent with fraudulent QR codes to “make a payment” or “claim a bonus.”
  • Reverse phishing or “money request”: Instead of directing the victim to a malicious site, the QR code may be manipulated so that, through a payment app, the user ends up sending money to the scammer, believing they are making a legitimate payment.

real caseIn several cities, there have been reports of people losing significant amounts of money after scanning QR codes on manipulated parking meters. The attackers placed a sticker with their code over the original, and users ended up entering their information on a fake website.

Consequences of being a victim of QRishing

The repercussions of a QRishing attack can be as serious as any other type of phishing, or even more so, as they combine social engineering techniques with the difficulty of visually detecting the fraud.

  • Theft of credentials: Access to bank accounts, social networks, emails, business platforms, etc.
  • Economic loss: Fake payments, unauthorized transfers, purchases on fraudulent sites.
  • Malware Installation: A QR code can trigger the automatic download of a malicious file or app, especially if allowed on the device.
  • Impersonation: Stolen data can be used to commit other crimes, fraud, purchases, or open accounts in the victim's name.
  • damage to reputation: Both at a personal and business level, if the data ends up being used or leaked on the internet or the dark web.

QRishing figures and growth

QRishing is growing exponentially, and international cybersecurity reports warn of thousands of attacks every day. Firms like Barracuda have recorded peaks of up to 1.100 QRishing attacks per day worldwide, with numbers constantly rising. Furthermore, many companies have reported significant financial losses due to scams of this type.

According to cybersecurity specialists, More than 70% of current scams in physical and digital environments use QR codes as the main bait..

Why is it so difficult to detect a malicious QR code?

The difficulty in identifying fake QR codes lies in the fact that:

  • Visually, a legitimate and fraudulent QR code look identical to the average user.
  • The link the QR code points to is not visible to the naked eye, and mobile browsers often don't display enough URL information or the URL is shortened.
  • Attackers often use social engineering campaigns to increase urgency or confidence in actions (payments, promotions, bank emergencies).
  • Mobile device security and cybersecurity training are generally lower than in other business environments.

How to Protect Yourself from QRishing: Effective Strategies and Tips

It is possible to protect yourself from QRishing if you adopt safety habits and best practices are followed both at the personal and business levels. Here are the most comprehensive and up-to-date recommendations:

  • Always verify the source of the QR codeIf the code is in a public place, pasted on another place, on a suspicious flyer, or sent by an unknown contact, be wary before scanning it.
  • Observe possible manipulations: Before scanning, check if the QR code is a sticker placed over the original code or has damage, smudges, or signs of tampering.
  • Activate URL previewMost devices display the web address before opening it. Take a moment to analyze whether the URL looks legitimate, contains spelling mistakes, strange names, or suspicious subdomains.
  • Never enter personal data or credentials after scanning a QR code.If a website asks for sensitive information and you accessed it from a QR code, verify that the domain is official and look for the “https://” padlock. If you have any doubts, don't fill out the form.
  • Avoid automatic downloads of .apk or similar filesFiles downloaded after scanning may contain malware. Install apps only from official stores (Google Play, App Store, etc.).
  • Use safe and reputable scanning applicationsThere are apps that analyze URLs and block access if they detect known risks. Examples include scanners integrated into security suites like Panda Dome or specific validated solutions.
  • Keep your device up to date: Apply all operating system and app updates, as they often include security patches that make it difficult to exploit vulnerabilities.
  • Install and update antivirus protection softwareAn updated antivirus can detect suspicious links, malware downloads, and even scan the destination of a QR code before opening it.
  • Be wary of overly attractive offers: Promotions, sweepstakes, or gifts that are “too good to be true” are often used as hooks to capture data or money.
  • Develop a culture of digital security: Inform and educate those around you about the risks of QRishing, share best practices, and help them identify threats.

How to protect your business from QRishing

  • Review and keep physical QR codes safeIf you use QR codes printed on posters, menus, or promotions, check daily to make sure they haven't been replaced with fraudulent labels.
  • Use certified QR generators and scanners: It is essential to use tools that offer cybersecurity guarantees, data encryption, and protection against unauthorized modification.
  • Encrypt and secure all destination URLs with HTTPS: Always point to secure addresses (HTTPS) and try to personalize the domain to generate trust.
  • Train your employees: Include specific QRishing training in cybersecurity awareness programs. Staff must be able to identify changes or tampering with codes.
  • Implement multi-factor authentication (MFA): Especially recommended if the QR codes point to internal access portals, systems, or financial services. Adding a second layer of authentication makes it more difficult to attack.
  • Avoid unnecessary exposure: Do not use QR codes for critical data or access unless it is essential for the business.

What to do if you have been a victim of QRishing

  • don't panicAct quickly but with your head.
  • Change all your passwords immediately associated with the services where you entered data after scanning the QR code.
  • Contact your bank or financial institution: Report the incident and request that your accounts be blocked or monitored.
  • Remove suspicious applications or files: If you downloaded anything after scanning, delete it and run a malware scan on your device.
  • Report fraud: Inform the relevant authorities, the company where your identity was stolen, and share your experience to warn others.

Frequently asked questions about QRishing and QR codes

  • Is it safe to scan any QR code? No, you should only scan QR codes from trusted sources, always checking that they have not been tampered with or placed in suspicious locations.
  • How can I tell if a QR code is malicious? Analyze the URL displayed after scanning and use a secure reader. If the website seems suspicious or asks for confidential information, close the page and don't continue.
  • What kind of information are attackers looking for? Mainly login credentials, banking details, personal information, and, in the business world, access to internal systems or employee data.
  • Can a virus be installed just by scanning a QR code? The QR code itself only contains information, but it can redirect you to a website or initiate a malware download. Never install unverified .apk files outside of official stores.
  • Does QRishing only affect mobile devices? No, any device with a camera and internet access can be vulnerable, including tablets, laptops, and desktop computers, if a QR scanning system is used.

Useful tools and resources for advanced protection

  • Secure scanning applications: Use reputable apps with real-time link analysis capabilities.
  • Online link analysis services: Before accessing the URL, you can copy it and analyze it with VirusTotal or other similar services.
  • Strong password managers: Use managers that generate and store secure passwords to avoid using duplicate passwords on different platforms.
  • Dark web scanners: Specialized tools allow you to detect if your credentials have been exposed after an attack.
  • Automatic updates and integrated security systems: Configure your devices to receive updates and periodically scan your system for vulnerabilities.

QRishing QR Security

The advancement of QRishing is a reflection of how cybercriminals evolve, adapting to society's digital and physical habits. What began as an innovative solution for payments, identification, and public information is now also a gateway for fraud and financial loss. Therefore, beyond having the best tools, prevention and education play a fundamental role.

There's no need to give up QR technology., but adapt and be cautious. Always check the source of the QR code, keep your devices up to date, be wary of overly attractive offers, and, above all, don't share private data lightly. By being vigilant and acting proactively, we minimize the risk of falling victim to these types of scams.

QRishing is here to stay, but with information, education, and good practices, it's possible to enjoy the benefits of QR codes without exposing ourselves to unnecessary danger.