June 30, 2026
Quishing
That QR code on your table might be lying to you

By Nithin
Quick question: when's the last time you scanned a QR code without thinking twice?
Maybe it was for a restaurant menu. Maybe a parking meter. Maybe a flyer taped to a pole, or a poster outside the stadium during a World Cup match. QR codes are everywhere now, and we've all gotten comfortable pulling out our phones and scanning first, asking questions never.
That comfort is exactly what scammers are counting on. Welcome to "quishing" — QR code phishing — and it's having a moment.
What is quishing?
Phishing is when someone tricks you into clicking a bad link, usually through email or text. Quishing is the same con, just wearing a different costume. Instead of a sketchy link in your inbox, it's a sketchy QR code stuck on something you trust — a menu, a flyer, a "scan to pay" sign, even a sticker slapped over a legitimate one.
You scan it, your phone opens a link, and that link either steals your login info, installs something nasty, or quietly asks for your card details on a fake payment page that looks completely normal.
The scary part isn't the technology. It's how little suspicion a QR code raises compared to a link. We've trained ourselves to side-eye a weird email. We have not trained ourselves to side-eye a square of pixels on a wall.
Why is it working so well now?
A few things are colliding at once:
QR codes went mainstream during the pandemic and never really left — menus, event check-ins, parking, package pickups, you name it. Meanwhile, big public events are basically a buffet for this stuff. Think stadium concourses, fan zones, ticket resale flyers — all places where someone can tape a fake "scan for tickets" or "scan for free merch" sticker right over a real one, and nobody looks twice in a crowd.
On top of that, QR codes are genuinely hard to eyeball. You can squint at a URL and spot "amaz0n.com," but you can't squint at a QR code and spot anything. It just looks like a QR code. That's the whole problem — there's no visual tell.
What it actually looks like in the wild
A few common versions making the rounds:
A parking meter has a sticker QR code for "easy mobile payment" — except it's been pasted over the real one and sends you to a fake payment site that grabs your card number.
A "free WiFi" QR code at a coffee shop or event actually connects you to a network controlled by the scammer, who can then snoop on whatever you do next.
A flyer for a giveaway, raffle, or "exclusive World Cup fan merch" asks you to scan and enter your details — and now your name, email, and phone number are sitting in a scammer's spreadsheet, headed for the next phishing round.
Even emails are getting in on it. Instead of a clickable link, the email carries a QR code image, specifically because a lot of email security tools are built to scan text and links, not images. It's a clever way to slide past your spam filter.
How to not fall for it
You don't need to become paranoid about every QR code you see. A few habits go a long way:
Before you scan, take a second to look at the code itself. Is it a sticker slapped on top of something? Does it look slightly off-center or like it's covering up another code underneath? That's a red flag.
After scanning, don't auto-trust the page that loads. Check the URL. Does it match who it's supposed to be from? A QR code for "City Parking" shouldn't land you on some random-looking domain you've never heard of.
Be extra cautious with QR codes that ask you to log in, enter payment info, or download something. Legitimate menus and parking apps rarely need your password the second you scan.
And if a QR code shows up somewhere you weren't expecting one — a random flyer, an unsolicited email, a sticker in a public place — treat it the same way you'd treat a sketchy link. Pause before you tap.
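Here is the "check the URL" habit written as a small triage function for the text a QR decoder hands back. This is an added example, not part of the original post: the function names, the lookalike table and the sample payloads are constructed for illustration, and comparing only the last two labels of the host is a simplification (a real tool should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps seen in lookalike domains (constructed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable(host):
    """Naive last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage_qr(payload, expected_domain):
    """Return a list of warnings for a decoded QR payload (empty list = nothing flagged)."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return ["joins a Wi-Fi network instead of opening a page"]
    parts = urlsplit(text)
    if parts.scheme.lower() not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'missing'!r})"]
    warnings = []
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, may render as lookalike characters")
    expected = expected_domain.lower()
    actual = registrable(host)
    if actual != expected:
        if actual.translate(LOOKALIKES) == expected.translate(LOOKALIKES):
            warnings.append(f"lookalike of {expected}: {actual}")
        elif expected.split(".")[0] in host:
            warnings.append(f"brand name appears in host but domain is {actual}")
        else:
            warnings.append(f"domain {actual} does not match {expected}")
    return warnings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = ["https://www.amazon.com/menu", "https://amaz0n.com/pay",
           "http://amazon.com.pay-secure.example/x", "WIFI:T:WPA;S:FreeCafe;P:example;;"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr(s, "amazon.com") or "no warnings")
```
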
The bigger takeaway
None of this means QR codes are inherently dangerous. They're a tool, same as a link or an email. The real issue is that we've extended automatic trust to something that doesn't deserve it just because it looks techy and convenient.
The fix isn't complicated. It's the same muscle you already use for emails and texts — just applied to a square of pixels instead of a blue underlined link. Slow down, check where it's actually taking you, and treat unexpected scans with the same healthy suspicion you'd give a stranger asking for your card number.
A little hesitation costs you two seconds. A bad scan can cost a lot more.