Stay safe from 'quishing' scams

QR codes are becoming more common in day-to-day life. Whether you are placing your order from your table in a restaurant, paying for parking at the airport, or sending an RSVP to an event, it is likely you will need to scan a QR code with your mobile device at some point soon.

Unfortunately, fraudsters are taking advantage of this technology by creating malicious QR codes, a scam called ‘quishing’.

Just like traditional phishing, which is typically done using links in emails, the goal is to:

  • steal personal or financial details
  • harvest login credentials
  • install malware
  • trick someone into making a payment, or into authorising a transaction or wallet tokenisation.

How does it work?

  • The scammer creates a fake QR code – scanning this links you to a fake website which may look identical to the one you were expecting, such as a login page.
  • They distribute their fake code – QR codes are placed in emails, texts, social media messages or even glued onto physical posters, e-scooters or flyers.
  • The user scans the QR code – the fake site will open and ask them to, for example:
    • Make a payment, such as for parking
    • Enter personal details to create an account.
  • Once personal or payment details have been entered, the fraudster has everything they need to take over accounts, authorise transactions or commit identity theft.

How to stay safe:

  • Think before you scan – if you weren’t expecting to receive a QR code, be cautious, especially if it appears in an email or message that feels urgent or pressuring.
  • Check the source – did it come from a trusted contact or company? If in doubt, contact the sender directly using a known phone number or website, not through links in the message.
  • Preview the link – many phone cameras allow you to preview the website URL before opening it. If the address looks suspicious or if it isn’t directing you to where you’d expect, do not click it.
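
The "preview the link" check above can also be automated on the URL a QR decoder returns. The following is an added example, not part of the original article; the function name, the finding labels and the parking.example and .test hosts are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_url(payload, expected_hosts):
    """Return reasons not to open a decoded QR payload (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return ["unparseable"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    # "https://brand@other-host/" shows the brand first but connects to other-host.
    if has_userinfo:
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # not an IP address, which is the normal case
    # Punycode labels can render as lookalike characters in a preview.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # Match the whole host or a true subdomain, never a substring.
    expected = [e.lower() for e in expected_hosts]
    if not any(host == e or host.endswith("." + e) for e in expected):
        findings.append("unexpected-host")
    return findings

# Constructed sample payloads, as a QR decoder might return them.
SAMPLES = [
    "https://pay.parking.example/zone/12",
    "http://pay.parking.example/zone/12",
    "https://parking.example.pay-now.test/zone/12",
    "https://parking.example@203.0.113.7/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess_qr_url(url, ["parking.example"]) or "no flags")
```

An empty result only means none of these checks fired; it does not prove the site is genuine.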