Quishing: Why Your Camera Could Be Your Biggest Security Weakness
You see them everywhere: on restaurant tables, parking meters, and even in your email inbox. But that convenient little square of black and white pixels could be a one-way ticket to a compromised bank account.
What is Quishing?
**Quishing** is a portmanteau of "QR Code" and "Phishing." It's a social engineering attack where a scammer replaces a legitimate QR code with a malicious one, or sends a malicious QR code via email or physical mail.
The goal is simple: to get you to scan the code with your smartphone, which then directs you to a phishing website designed to steal your credentials or install malware.
Why Quishing is So Effective
Quishing bypasses almost all traditional email security filters. Why? Because most security software is designed to scan the message **text** and its **links**. A QR code is an image, so the URL it encodes is never extracted or inspected.
The "Blind Spot" Advantage:
- Invisible to Filters: Email gateways often don't "look" inside images to decode URLs.
- Mobile Vulnerability: When you scan a code, you're usually on a mobile device where URLs are harder to inspect and security tools are often absent.
- Implicit Trust: We've been conditioned to trust QR codes as "official" shortcuts.
Common Quishing Scenarios
The "Parking Meter" Scam
Scammers stick fake QR code stickers over the real ones on public parking meters. Users scan the code to pay, but their credit card info goes straight to the attacker.
The "MFA Reset" Email
You get an email saying your Multi-Factor Authentication needs to be reset. To do it, you're told to "scan this QR code with your authenticator app." The code actually leads to a credential-harvesting site.
How to Scan Safely
- Inspect the physical code: If it's a sticker on top of another sign, don't scan it.
- Preview the URL: Most modern phone cameras show a preview of the link before you open it. If it's a shortened URL (like bit.ly) or a domain you don't recognize, stop.
- Use a Secure Scanner: Avoid third-party QR scanner apps. Use your phone's built-in camera or a scanner from a reputable security company.
- Be Wary of Emails: Legitimate companies rarely send QR codes in the body of an email for sensitive actions.
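The checks above, and the filter blind spot described earlier, can be applied to a QR code's decoded payload the same way a gateway applies them to a plain link. The example below is added here and is not part of this article; it assumes the QR image has already been decoded to a string, and the shortener list, trusted-domain list and sample payloads are constructed for illustration. The MFA rule relies on the fact that standard authenticator enrollment codes are otpauth:// URIs, not web links.

```python
from urllib.parse import urlsplit

# Constructed list of link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def assess_qr_payload(payload: str, trusted_domains: set[str],
                      expected_mfa: bool = False) -> list[str]:
    """Return risk findings for a decoded QR payload (empty list = nothing flagged).

    expected_mfa=True means the message claims the code is for an authenticator app,
    so anything other than an otpauth:// URI is suspicious.
    """
    findings: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme == "otpauth":
        # Genuine TOTP enrollment codes are otpauth:// URIs; nothing to browse to.
        return findings
    if expected_mfa:
        findings.append("MFA enrollment codes are otpauth:// URIs, not web links")
    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{scheme or 'none'}'")
        return findings

    host = (parts.hostname or "").lower()
    if scheme != "https":
        findings.append("plain http, not https")
    if parts.username is not None:
        # "https://bank.example@evil.test/" shows a familiar name but lands on evil.test.
        findings.append("userinfo before '@' hides the real host")
    if host in SHORTENERS:
        findings.append(f"link shortener {host} hides the destination")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible lookalike domain")
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.append(f"host '{host}' is not on the trusted list")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads: a legitimate parking payment link and a fake one.
    for sample in ("https://pay.example.com/meter/42",
                   "http://pay.example.com@198.51.100.7/login"):
        print(sample, "->", assess_qr_payload(sample, {"example.com"}) or "no findings")
```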
Suspect a Malicious Link?
If you've scanned a code and the resulting URL looks suspicious, don't enter any data. Copy the URL and paste it into our scanner. We'll check it against live threat databases to see if it's a known phishing destination.