QR Code Phishing (Quishing) — The Scam Hiding in Plain Sight

You scan a QR code at a restaurant to view the menu. You scan one at a parking meter to pay. You scan a code from a delivery notification to track your package. These feel completely harmless. But what if that QR code isn't what it seems?

QR phishing attacks have surged by 270% month-over-month in 2025-2026, and 12% of all phishing attacks now contain QR codes. The FBI has even warned about North Korean hackers deploying malicious QR codes. It's time to start treating QR codes with the same caution as suspicious links.

Ano Is Quishing?

Quishing = QR + Phishing

Traditional phishing sends you a fake link via email or Facebook Messenger. Quishing uses a fake QR code to redirect you to a malicious website instead. The key difference? You can't read a QR code with your eyes — making it even more dangerous than a text-based link.

Real-World Quishing Scams

1. Fake Parking Meter QR Codes

Criminal places a sticker over the legitimate QR code
→ You scan it and land on a fake payment page
→ Enter your card details → stolen instantly

Across the US, fake QR stickers have appeared on parking meters, bike-share stations, and EV charging stations. Cities like Austin, San Antonio, and Houston have issued public warnings.

2. Fake Restaurant Menu QR Codes

Scammers place a fraudulent QR sticker over a restaurant's real menu code. Instead of the menu, you're taken to a page requesting personal information or payment details — especially at places that require pre-ordering.

3. QR Codes in Phishing Emails

"Your account requires security verification — scan the QR code below"
→ Fake login page
→ Corporate credentials stolen

AI and LLM tools are now being used to craft highly convincing phishing emails with embedded QR codes. These bypass traditional email filters because the malicious URL is hidden inside the image.

4. Fake Delivery Notification QR Codes

"Delivery rescheduled — scan this QR code to update your address"
→ Fake carrier website
→ Name, address, and payment info harvested

Text messages and emails pretending to be from FedEx, UPS, or USPS with QR codes have become one of the fastest-growing scam vectors.

5 Signs of a Fake QR Code

#	Warning Sign	What to Look For
1	Physical sticker placed over original	Feel the surface — if there's a sticker layered on top, it's likely fake
2	URL doesn't match expected domain	The scanned URL should match the business (e.g., parking-city.gov, not p4rking-pay.net)
3	Asks for personal info or payment immediately	Legitimate QR codes rarely demand card details right away
4	No HTTPS	If the URL starts with http:// instead of https://, the connection isn't secure
5	Redirects through shortened URLs	Multiple redirects that obscure the final destination are a red flag

Paano to Scan QR Codes nang Ligtas

Hakbang 1

Your iPhone or Android camera shows a URL preview before opening the link. Never use third-party QR apps that open links automatically.

Hakbang 2

Read the URL carefully. Does it match the expected business? cityparking.gov is safe. c1ty-parking-pay.com is not.

Hakbang 3

If a QR code leads to a payment page, close it. Go directly to the official app or website to make your payment instead.

Hakbang 4

Security-focused QR scanners can flag known malicious URLs before you open them.

Hakbang 5

In public places, check whether the QR code is a sticker placed over another one. If it's raised, peeling, or misaligned — don't scan it.

Safe QR Codes vs Dangerous QR Codes

Legitimate Uses

• Wi-Fi sharing: Cafes and hotels providing Wi-Fi credentials via QR
• Official menus: Restaurant QR codes integrated into their ordering system
• Trusted payments: QR codes generated sa loob ng official banking or payment apps
• LOCK.PUB link sharing: Password-protected QR links with a trusted lock.pub domain

Dangerous Red Flags

• QR codes in unsolicited emails
• Stickers placed in public spaces by unknown sources
• QR codes on random flyers, posters, or business cards
• QR codes received via Facebook Messenger or Messenger from unknown senders

Ano to Do If You Scanned a Suspicious QR Code

Don't panic. Follow these steps immediately:

1. Close the browser -- if you didn't enter any information, you're likely safe
2. If you entered credentials, change your password immediately
3. If you entered payment info, contact your bank or card issuer to freeze the card
4. Check for unknown apps that may have been installed and delete them
5. Report it to the FTC (reportfraud.ftc.gov) or your local cybercrime authority

Paano LOCK.PUB Uses QR Codes nang Ligtas

LOCK.PUB lets you share links via QR codes — but with built-in safety features that set it apart:

• Password protection: Even pagkatapos scanning the QR code, a password is required to access the content
• Trusted domain: Always resolves to lock.pub — easy to verify
• Expiration: Links automatically deactivate pagkatapos the set time period
• Access tracking: See exactly who opened your link and when

The problem isn't QR codes themselves — it's unverified QR codes from unknown sources. Stick to QR codes from trusted origins, and always check the URL before tapping.

Konklusyon

QR codes are everywhere because they're convenient. But that convenience is exactly what scammers exploit. One scan can hand over your credit card details, your login credentials, or access to your corporate network.

Before you scan any QR code, take 3 seconds to verify it. Those 3 seconds could save your identity, your money, and your peace of mind.

Start Sharing Links Safely -->