QR Code Scams (Quishing): The Threat You Can't See

You scan a QR code at a restaurant to order food. It looks normal — but it's actually a sticker placed over the real QR code, redirecting you to a fake payment page that steals your credit card information.

This is quishing — QR code phishing — and it's growing fast, especially in countries like Japan where QR payments (PayPay, LINE Pay, d-barai, au PAY) are ubiquitous.

What Is Quishing?

Quishing combines "QR" and "phishing." Unlike a regular URL that you can inspect before clicking, a QR code hides its destination from human eyes. This makes it perfect for scammers who want to redirect victims to malicious websites without detection.

Common Quishing Attacks

1. Fake QR Stickers at Restaurants and Food Courts

Scammers place a fake QR sticker over the legitimate one on tables or walls.

• You scan it thinking it's the restaurant's mobile ordering system
• It redirects to a fake site that captures your payment details
• Staff usually don't notice the swap

2. QR Codes in Phishing Emails and SMS

Instead of clickable links (which email filters can detect), phishing emails now include QR codes.

• "Verify your account" email with a QR code
• QR leads to a fake login page
• Email security can't scan the URL inside a QR image

3. Fake Parking Meter QR Codes

Scammers stick fake QR codes on parking meters or payment kiosks.

• You think you're paying for parking
• Your card details go to a scammer's fake payment page

4. Tampered Public QR Codes

QR codes on posters, flyers, bus stops, and advertisements can be overlaid with malicious alternatives.

Why QR-Heavy Countries Are Most Vulnerable

Factor	Risk
High QR payment adoption	PayPay, WeChat Pay, GrabPay, etc.
High trust in QR codes	"QR = safe" assumption
Cash-to-QR transition	Elderly users unfamiliar with QR risks
Multiple payment apps	Easy to create convincing fakes

How to Protect Yourself

Before Scanning

1. Check for physical tampering — look for stickers placed over the original QR
2. Use the payment app's built-in scanner — not your phone's camera app
3. Preview the URL before opening — check the domain is legitimate
4. Be skeptical of QR codes on flyers — anyone can print a QR code

For Merchants

1. Regularly inspect your QR codes — check for overlay stickers
2. Use protective covers — make it harder to swap QR codes
3. Use dynamic QR codes — they change regularly and are harder to forge

Sharing Payment QR Codes Safely

Posting your payment QR code publicly (on social media, printed flyers, etc.) creates risk — anyone can screenshot and misuse it.

Instead, use LOCK.PUB to share payment links or QR code information behind a password. Set an expiration time so the link automatically becomes inaccessible after a period. This prevents unauthorized reuse of your payment details.

If You've Been Scammed

1. Freeze your payment app — contact PayPay, LINE Pay, or your bank
2. Contact your card company — if you entered credit card info
3. Change your passwords — if you entered login credentials on a fake site
4. Report to police — file a report
5. Report to consumer protection — your country's fraud reporting agency

Summary

QR codes are convenient — but they hide their destination from your eyes. That makes them a perfect phishing vector.

Three habits to stay safe:

1. Physically inspect the QR code before scanning
2. Preview the URL before opening it
3. Use the payment app's built-in scanner

In the age of QR payments, a healthy dose of skepticism is your best defense.

---

Share payment links and QR info securely → LOCK.PUB