Ever heard of “quishing”?

The everyday lives of individuals and businesses have changed fundamentally in recent years. Contactless payments, digital menus, package tracking, and two-factor authentication—QR codes are everywhere today. However, what began as a practical technology is increasingly becoming a gateway for cybercrime. So-called QR code scams – also known as “quishing” (QR + phishing) – are among the growing cyber threats of our time.

Unlike traditional phishing emails, QR code scams often bypass technical protection mechanisms because the malicious link is not directly visible. Users scan the QR code with their smartphone and are unknowingly redirected to fake websites that steal, for example, login data, payment information, or confidential company access details. What makes this particularly insidious is that manipulated QR codes are often placed in public spaces – such as on parking meters, charging stations, or posters – or embedded in business emails. QR codes in public spaces are often covered with deceptively genuine-looking stickers that lead to near-identical malicious clones of the real websites.

Dangers

QR codes have become an integral part of everyday life – they enable quick access to information, simplify payment processes, and support operational processes. But it is precisely this ease of use that makes them increasingly attractive to cybercriminals. New forms of fraud are emerging in which QR codes are used specifically for deception. This presents both private individuals and companies with growing security challenges that require a higher level of awareness and protective measures.

For private individuals:

  • Phishing attacks: Redirection to fake login pages (e.g., banking, social media, parking services) to request sensitive data.
  • Identity theft: Misuse of personal information that victims enter on fake websites.
  • Financial fraud: Unnoticed payment approvals or redirection to fake payment pages.
  • Malware installation: Downloading malicious apps or programs onto smartphones.
  • Subscription traps: Automatic registration for paid services.

For businesses:

  • Theft of access data: Compromising email accounts, cloud services, or internal systems.
  • Malware: Introduction of malicious software via manipulated QR codes.
  • Business email compromise (BEC): Deception of employees to approve payments.
  • Data breaches: Loss of sensitive customer or employee data (GDPR risk).
  • Reputational damage: Loss of trust among customers and business partners.
  • Production and operational downtime: Disruptions due to compromised IT systems.
  • Manipulation of payment information: Replacement of bank details on invoices or forms.
  • Bypassing security filters: QR codes contain links that are difficult for traditional spam filters to detect.

Warning! Special problem

  • QR codes do not directly display the target URL – users only recognize the danger when it is too late.
  • Smartphones are often less secure than company PCs.
  • Manipulated codes can be physically pasted over or digitally embedded in emails.

Our tips

For private individuals:

  • Check the source: Only scan QR codes from trustworthy sources. Pay close attention to stickers in public spaces for signs of tampering or manipulation.
  • Check the URL: After scanning, carefully check the web address displayed before entering any data. Look out for spelling mistakes or unusual domains.
  • Do not enter any sensitive data: Never enter login details, bank information, MFA codes, or TANs via unknown links.
  • Use official apps: Instead of QR codes, it is better to use a well-known app or manually enter the website address.
  • Protect smartphones: Update your operating system and apps regularly and use security software.
  • Be suspicious when pressed for time: Fraud attempts often use urgency (“act now”). Stay calm and check.
  • Use secure scanner apps: Specialized scanner apps such as Google Lens or Microsoft Lens can offer additional protection by displaying links more transparently or checking them before opening.

For companies:

  • Employee training: Regular awareness training on phishing and QR code threats.
  • Define security guidelines: Clear guidelines on how to handle QR codes in emails, on invoices, or in advertising materials.
  • Technical protective measures: Use of mobile device management (MDM), web filters, and multi-factor authentication.
  • Expand email security solutions: Use systems that can also analyze embedded QR codes.
  • Four-eyes principle for payments: Especially in the case of changed bank details or payment requests.
  • Establish incident management: Clear processes for reporting suspicious incidents.
  • Secure your own QR codes: Regularly check the QR codes on your official materials for tampering and verify that they still point to the intended address.
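The two tips "Check the URL" and "Expand email security solutions" boil down to the same step: once the QR payload is decoded to text, inspect the link before anyone opens it. The following added example (not code from the original article) shows such a triage check; it assumes the QR image has already been decoded by a scanner or mail gateway, and the trusted domains, brand words and sample payloads are constructed for illustration.

```python
"""Triage of URLs decoded from QR codes (added example, not from the article).
Assumes the payload is already decoded text; domain lists are constructed."""
from urllib.parse import urlparse
import ipaddress

# Domains the organisation really uses (constructed example values).
TRUSTED_DOMAINS = {"example-bank.com", "example-parking.de"}
# Brand words that should only ever appear under a trusted domain.
BRAND_WORDS = ("example-bank", "exampleparking")
# Shorteners hide the real destination, which the article warns about.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the sample data."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_qr_url(payload: str) -> list:
    """Return the reasons a decoded QR payload looks suspicious ([] = clean)."""
    reasons = []
    if not payload.lower().startswith(("http://", "https://")):
        # Wi-Fi credentials, tel:, otpauth: etc. are not web links at all.
        return ["not a web link; scheme = " + payload.split(":", 1)[0]]
    url = urlparse(payload)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        reasons.append("plain http, entered data would travel unencrypted")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode/IDN host, possible look-alike characters")
    reg = registered_domain(host)
    if reg in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if reg not in TRUSTED_DOMAINS:
        # A brand name in a subdomain or path of a foreign domain is the
        # classic "login.example-bank.com.somewhere-else" deception.
        for brand in BRAND_WORDS:
            if brand in host or brand in url.path.lower():
                reasons.append(f"'{brand}' used outside its trusted domain ({reg})")
                break
        if host.count(".") >= 3:
            reasons.append("unusually deep subdomain chain")
    return reasons
```

A mail gateway would run this on every decoded QR payload and quarantine or flag messages with a non-empty result; a person can apply the same checks by eye to the address their phone shows after scanning.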

Conclusion

One scan – and we’re connected, fast, convenient, and usable anywhere. A QR code is ultimately a hidden link. Anyone who scans it should treat it with the same caution as an unknown link in an email. Digital convenience also requires responsibility. Today, conscious use of new technologies is no longer an optional extra, but a fundamental prerequisite for security in everyday life and in the professional environment. Cybersecurity does not begin with complex IT systems, but with everyday decisions. Those who take risks seriously, question processes, and actively practice prevention not only strengthen their own security, but also their confidence in the future.