Quishing, a combination of “QR code” and “phishing,” represents a growing cybersecurity menace that exploits QR codes to entice individuals into disclosing confidential information.

What is Quishing? 

Quishing is the process of directing an end user to a fraudulent website through a QR code. The design of QR codes makes it impossible for the user to know where the code will direct them after scanning. Cybercriminals create a QR code that looks legitimate, such as one that appears to offer a discount or special offer, but in fact, it directs the victim to a fake website controlled by the attacker. 

How does Quishing work? 

Quishing often involves sending an email with a QR code under the guise of a service request, offer, or the threat of being disconnected from a service. For example, an email might say: “Dear Employee, your retirement account statement for the year 2023, covering both quarterly and annual details, is now available for your perusal. Use your smartphone camera to scan the code below for direct access to your earnings statements, account statements, and balance.”  

Once the code is scanned, it might take the user to a legitimate website and redirect to the fraudulent site. Most often, cybercriminals work to steal your personal and financial information. This type of scam could also be in a physical form. Sometimes, it involves a fake parking ticket placed on your car windshield containing a QR code to pay the fine or a QR code placed on the back of a parking meter, leading you to assume it’s a payment method. 

How to Protect Yourself from Quishing 

Here are some tips from the FBI to avoid becoming a victim: 

  • Once you scan a QR code, check the URL to ensure it is the intended site and looks authentic. 
  • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code. 
  • If you scan a physical QR code, please make sure the code has not been tampered with, such as with a sticker placed on top of the original code. 
  • Avoid making payments through a site navigated from a QR code. Instead, manually enter a known and trusted URL to complete the payment. 
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app. 
  • Do not download an app from a QR code; use your phone’s app store for safer downloads.

While QR codes have made life more convenient in many ways, they have opened new avenues for cybercriminals. As a general rule, do not scan QR codes embedded in emails or displayed in random locations. To learn more, visit our Phishing Information page. 


Stay vigilant, stay safe! 

Chapman University Information Systems & Technology (IS&T)