What Is Quishing?

Quick Answer

Quishing is a scam that crooks use to alter QR codes and then steal sensitive information, download malware onto a smartphone or intercept money meant for someone else.


As people embrace evolving technology, criminals inevitably find a way to take advantage of it. That's now the case with QR codes, the square barcodes that gained a renewed prominence during the pandemic as a way to quickly store and share information.

Scammers are now turning to a tactic known as quishing, or QR phishing, to trick QR code users into giving up sensitive information or downloading malicious software, or even to steal cash.

Here's what you need to know about quishing—and how to prevent it.

What Is Quishing?

Smartphone users might rely on a QR code to access a website, view a restaurant menu, download an app or transfer money. In a typical quishing scam, a cybercriminal redirects a legitimate QR code or replaces it with one that goes to a phony website they control.

Once a user is in their clutches, they can grab someone's important data, download malware onto someone's device or reroute a payment intended for a legitimate recipient. Quishing is especially effective because it's impossible for a person to read a QR code without electronic assistance.

Examples of Quishing

Here are three potential quishing scenarios:

  1. A criminal hides a phony URL in a QR code that sends an unsuspecting victim to a phishing website. On that site, the user might supply personal or financial information without realizing they're being duped. The criminal might use this data to steal the victim's identity.
  2. A criminal infects your smartphone or another electronic device with malware or other dangerous software. This software might swipe your sensitive data, nab various files or jam up your device unless you come up with a "ransom."
  3. A criminal uses an altered QR code to access your payment platforms, send phony emails from your account or follow social media accounts they control.

Where Can You Find Altered QR Codes?

Doctored QR codes might be found in spots such as:

  • Emails
  • Text messages
  • Social media posts
  • Restaurants
  • Bars
  • Stores
  • Parking meters
  • Packages

How to Protect Yourself From Quishing

Here are eight tips for protecting yourself from quishing:

  • Be skeptical. Trust only those QR codes that you get from a person or organization that you recognize.
  • Watch out for modified QR codes. See whether the code appears to have been tampered with. For instance, is a sticker with a possibly phony QR code concealing a legitimate code?
  • Check the URL. If a URL pops up after scanning a QR code, examine the URL to see whether it looks authentic. For instance, if the URL is short or unreadable, the website you're being sent to might be suspicious.
  • Beware of phony websites. If a QR code directs you to a website, look for signs that it's illegitimate. For example, do you spot typos or misspelled words? Is the design sloppy? Is the website secure, meaning it starts with https:// and shows a padlock icon near the URL?
  • Resist downloading an app using a QR code. An app downloaded with a QR code might be malicious. To remain on the safe side, download the app from an app store.
  • Don't download a QR code scanner app. Downloading a scanner app increases the possibility that you'll download malware onto your smartphone or another device. Instead, use the scanner built into your device's camera.
  • Be careful with data. Don't provide credit card numbers or login credentials on a website that you reached using a QR code.
  • Install security software. Be sure your smartphone and other electronic devices are equipped with software that might prevent viruses or malware from causing problems. If you've already got security software, make sure it's updated.
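
The "Be skeptical" and "Check the URL" tips above can be applied automatically to the text a scanner decodes from a QR code. The sketch below is an added example, not part of the original article; the function name, the finding labels, the allowlist of recognized hosts and the short list of link-shortener hosts are all assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: hosts this user or organization recognizes,
# and a small sample of link-shortener hosts (not an exhaustive list).
TRUSTED_HOSTS = {"menu.example.com", "pay.example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def review_qr_url(payload: str) -> list[str]:
    """Return the reasons a URL decoded from a QR code needs a closer look."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return ["unparseable"]

    findings = []
    if parts.scheme != "https":
        findings.append("not-https")            # tip: site should use https://
    if not host:
        return findings + ["no-host"]           # payload is not a web address
    if has_userinfo:
        findings.append("userinfo-in-url")      # text before '@' is not the site
    if host in SHORTENER_HOSTS:
        findings.append("shortened-link")       # tip: short URLs hide the target
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")      # tip: unreadable destination
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")        # encoded name, may be a lookalike
    if host not in TRUSTED_HOSTS:
        findings.append("unrecognized-host")    # tip: trust only who you recognize
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://menu.example.com/lunch",
                   "http://bit.ly/3xyz",
                   "https://pay.example.com@192.0.2.10/login"):
        print(sample, "->", review_qr_url(sample) or "no findings")
```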

What to Do if You Scan a Fake QR Code

Here are steps to take if you realize you've scanned a fake QR code:

  1. Change passwords. For any online account you believe has been compromised, change the password as soon as possible. A secure password should contain at least eight characters, including uppercase letters, lowercase letters, numbers and symbols.
  2. Contact your credit card issuers and banks. If you suspect you're the victim of fraud related to a QR code, reach out to your banks and credit card issuers. They may need to close your accounts and open new ones.
  3. Consider setting up a fraud alert and credit freeze. You have the right to create a free fraud alert and freeze your credit for free through the three major credit reporting agencies: Experian, TransUnion and Equifax. A fraud alert requests that a company verify your identity before extending new credit in your name, while a credit freeze limits access to your credit report.
  4. Alert the Federal Trade Commission (FTC). If identity theft arises as a result of quishing, notify the FTC. The agency shares this information with law enforcement agencies to help investigate fraud.
  5. Look into identity theft protection. Identity theft protection from Experian monitors credit applications, looks for and helps remove your information on the dark web, performs monthly privacy scans and more to identify signs of identity theft.

The Bottom Line

Anyone who uses QR codes can become a victim of quishing, which crooks carry out to steal sensitive information from you or cause other damage. But you can prevent harm by taking steps such as closely examining QR codes that you scan to make sure they're authentic and downloading QR codes only from trusted people or organizations.