QR Code Scams (Quishing): The New Trick You Need to Know About
QR codes are everywhere. On restaurant menus, parking meters, event tickets, government forms, and business cards. We've been trained to trust them — point your phone, scan, done. Which is exactly why scammers started using them.
Welcome to quishing — QR code phishing. Yes, they really did extend the fishing puns this far.
What is quishing?
Quishing is when a scammer embeds a malicious URL in a QR code, directing victims to a fake website designed to steal their login credentials, personal information, or payment details.
The nasty trick? Most email security tools scan links in emails but don't scan QR codes embedded in images. So a phishing email with a QR code instead of a clickable link can bypass security filters entirely.
Where are fake QR codes appearing?
- In emails: "Scan this QR code to verify your account" or "Scan to view your invoice."
- On physical posters or stickers: In public places, scammers stick fake QR code stickers over legitimate ones on parking meters, at EV charging stations, or in cafes.
- On fake invoices: A scammer sends a fake invoice with a QR code to "pay securely." The QR code goes to a payment page that captures card details.
- In packages: Fake delivery notifications with QR codes to "track your parcel."
How to protect yourself:
- Preview the URL before following it. Most phone cameras show a preview of the URL a QR code points to before you open it. Check that URL carefully — does it match who it's supposed to be from?
- Be wary of QR codes in emails asking you to take action. Legitimate organisations rarely need you to scan a QR code to log in. That's not how banking apps or work systems typically work.
- Check physical QR codes for tampering. At parking meters or public displays, look for stickers that have been placed over the original. If it looks stuck on rather than printed, be suspicious.
- Type URLs directly for important actions. If you need to access your banking, ATO account, or work system, just type the URL. Don't scan a QR code you weren't expecting.
- Train your team. Especially finance and admin staff who might receive fake QR code invoices.
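The "does the URL match who it's supposed to be from?" check above is the one a mail gateway or helpdesk can automate once a QR image has been decoded to its text payload. The following is an added example (not code from this post or from Phishbate) that assumes the decoding has already been done by a QR library and takes the decoded payload plus the domain the message claims to come from; it flags the common tricks a lookalike link relies on (expected domain buried in another host, userinfo before `@`, bare IP, punycode labels, plain http, URL shorteners).

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample list of URL shorteners; a real deployment would use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Second-level public suffixes under a few ccTLDs, so "ato.gov.au" is treated as one registrable domain.
TWO_LEVEL_TLDS = {"au", "uk", "nz"}
SECOND_LEVELS = {"com", "gov", "org", "net", "edu", "co", "ac"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for suffixes like .gov.au / .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-1] in TWO_LEVEL_TLDS
            and labels[-2] in SECOND_LEVELS):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return findings for a decoded QR payload; an empty list means nothing looked wrong."""
    findings = []
    text = payload.strip()
    parts = urlsplit(text if "://" in text else "http://" + text)
    scheme, host = parts.scheme.lower(), (parts.hostname or "")
    if scheme not in ("http", "https"):
        return [f"non-web scheme '{scheme}'"]
    if scheme == "http":
        findings.append("plain http")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if not host:
        findings.append("no host")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        return findings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    reg, expected_reg = registrable_domain(host), registrable_domain(expected_domain)
    if reg in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    elif reg != expected_reg:
        if expected_domain.lower() in host:  # e.g. ato.gov.au.verify-login.example
            findings.append(f"expected domain appears inside '{host}' but registrable domain is '{reg}'")
        else:
            findings.append(f"registrable domain '{reg}' does not match expected '{expected_reg}'")
    return findings
```

Anything returned is a reason to treat the message like a suspicious link rather than to open it; the host-only comparison deliberately ignores the path, since the fake pages copy that part faithfully.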
For Australian businesses
As QR codes have become routine in business processes — digital menus, check-ins, payments — the attack surface has grown enormously. Make sure any QR code-based payment or access system in your business is clearly branded and not easily replicated.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.