QR-kod Phishing (Quishing) — The Scam Hiding in Plain Sight

You scan a QR-kod at a restaurant to view the menu. You scan one at a parking meter to pay. You scan a code from a delivery notification to track your package. These feel completely harmless. But what if that QR-kod isn't what it seems?

QR nätfiskeattacks have surged by 270% month-over-month in 2025-2026, and 12% of all nätfiskeattacks now contain QR-kods. The FBI has even warned about North Korean hackers deploying malicious QR-kods. It's time to start treating QR-kods with the same caution as suspicious links.

What Is Quishing?

Quishing = QR + Phishing

Traditional phishing sends you a fake link via email or WhatsApp. Quishing uses a fake QR-kod to redirect you to a malicious website instead. The key difference? You can't read a QR-kod with your eyes — making it even more dangerous than a text-based link.

Real-World Quishing Scams

1. Fake Parking Meter QR-kods

Criminal places a sticker over the legitimate QR code
→ You scan it and land on a fake payment page
→ Enter your card details → stolen instantly

Across the US, fake QR stickers have appeared on parking meters, bike-share stations, and EV charging stations. Cities like Austin, San Antonio, and Houston have issued public warnings.

2. Fake Restaurant Menu QR-kods

Scammers place a fraudulent QR sticker over a restaurant's real menu code. Instead of the menu, you're taken to a page requesting personal information or payment details — especially at places that require pre-ordering.

3. QR-kods in Phishing Emails

"Your account requires security verification — scan the QR code below"
→ Fake login page
→ Corporate credentials stolen

AI and LLM tools are now being used to craft highly convincing nätfiskemeddelandes with embedded QR-kods. These bypass traditional email filters because the malicious URL is hidden inside the image.

4. Fake Delivery Notification QR-kods

"Delivery rescheduled — scan this QR code to update your address"
→ Fake carrier website
→ Name, address, and payment info harvested

Text messages and emails pretending to be from FedEx, UPS, or USPS with QR-kods have become one of the fastest-growing scam vectors.

5 Signs of a Fake QR-kod

#	Warning Sign	What to Look For
1	Physical sticker placed over original	Feel the surface — if there's a sticker layered on top, it's likely fake
2	URL doesn't match expected domain	The scanned URL should match the business (e.g., parking-city.gov, not p4rking-pay.net)
3	Asks for personal info or payment immediately	Legitimate QR-kods rarely demand card details direkt
4	No HTTPS	If the URL starts with http:// instead of https://, the connection isn't secure
5	Redirects through shortened URLs	Multiple redirects that obscure the final destination are a red flag

How to Scan QR-kods Safely

Step 1: Use Your Phone's Built-In Camera

Your iPhone or Android camera shows a URL preview before opening länken. Never use third-party QR apps that open links automatically.

Step 2: Check the URL Before Tapping

Read the URL carefully. Does it match the expected business? cityparking.gov is safe. c1ty-parking-pay.com is not.

Step 3: Never Enter Payment Details from a QR-Scanned Link

If a QR-kod leads to a payment page, close it. Go directly to the official app or website to make your payment instead.

Step 4: Use a QR Scanner App with URL Checking

Security-focused QR scanners can flag known malicious URLs before you open them.

Step 5: Physically Inspect the QR-kod

In public places, check whether the QR-kod is a sticker placed over another one. If it's raised, peeling, or misaligned — don't scan it.

Safe QR-kods vs Dangerous QR-kods

Legitimate Uses

• Wi-Fi sharing: Cafes and hotels providing Wi-Fi credentials via QR
• Official menus: Restaurant QR-kods integrated into their ordering system
• Trusted payments: QR-kods generated within official banking or payment apps
• LOCK.PUB link sharing: Lösenordsskyddad QR links with a trusted lock.pub domain

Dangerous Red Flags

• QR-kods in unsolicited emails
• Stickers placed in public spaces by unknown sources
• QR-kods on random flyers, posters, or business cards
• QR-kods received via WhatsApp eller SMS from unknown senders

What to Do If You Scanned a Suspicious QR-kod

Don't panic. Follow these steps immediately:

1. Close webbläsaren — if you didn't enter any information, you're likely safe
2. If you entered credentials, change ditt lösenord immediately
3. If you entered payment info, contact your bank or card issuer to freeze the card
4. Check for unknown apps that may have been installed and delete them
5. Report it to the FTC (reportfraud.ftc.gov) or your local cybercrime authority

How LOCK.PUB Uses QR-kods Safely

LOCK.PUB lets you share links via QR-kods — but with built-in safety features that set it apart:

• Lösenordsskydd: Även efter att ha skannat QR-koden krävs ett lösenord för att komma åt innehållet
• Trusted domän: Löser alltid till "lock.pub" - lätt att verifiera
• Utgångsdatum: Länkar avaktiveras automatiskt efter den inställda tidsperioden
• Åtkomstspårning: Se exakt vem som öppnade din länk och när

Problemet är inte QR-koderna själva – det är overifierade QR-koder från okända källor. Håll dig till QR-koder från pålitliga ursprung, och kontrollera alltid URL innan du trycker.

Slutsats

QR-koder finns överallt eftersom de är bekväma. Men den bekvämligheten är precis vad bedragare utnyttjar. En genomsökning kan lämna över dina kreditkortsuppgifter, dina inloggningsuppgifter eller tillgång till ditt företagsnätverk.

Innan du skannar någon QR-kod, ta 3 sekunder att verifiera den. Dessa 3 sekunder kan spara din identitet, dina pengar och din sinnesfrid.

Börja dela länkar säkert -->