What is quishing, and why are QR-code scams suddenly everywhere?

Quick answer

Quishing is phishing done through QR codes — the attacker prints or sends a QR that points to a fake page, you scan it without thinking, and end up entering your card details or password on a site that looks exactly right but is not.

What it's NOT

Quishing is NOT a problem only on shady-looking flyers — the most damaging cases have used clean white stickers placed directly on top of legitimate QR codes on real parking meters, real EV charging stations, real restaurant tables. And it is NOT something your email filter can catch: a QR code is just an image, so the malicious URL is invisible to spam filters and antivirus until the moment you scan.

More context

Quishing — short for QR-code phishing — is the everyday name for any scam delivered through a QR code. The mechanics are identical to email phishing: a stranger pretends to be someone you trust, presents a link, and hopes you act before you read. The twist is the channel: the link is encoded in a square pattern, so all the layers of digital defence that catch malicious URLs in email or chat see nothing.

The big quishing waves of the last few years:

  • Parking-meter stickers. A fake QR is placed over the real one on a city parking meter. The page asks for your card to pay; you pay; the real meter never knows. France, the UK, the US and Australia have all had documented epidemics — Brest, Lyon and Marseille all warned residents in 2024-2025.
  • EV charging stations. Same pattern, higher amounts. The “charge here” QR leads to a fake payment portal.
  • Restaurant menus. When the QR on the table is replaced or duplicated, the “menu” link asks for card details “to confirm the table”.
  • Fake delivery cards. A handwritten-looking card left at your door says your parcel could not be delivered, with a QR for “redelivery”. The fee is a decoy; the goal is your card details.
  • QR codes in business emails. “Verify your Microsoft 365 sign-in” emails with a QR rather than a link — the user scans it with a phone that has no corporate URL filter and opens the phishing page outside the defended perimeter.

What makes quishing so effective:

  • No URL preview by default. Most camera apps now show the URL before opening, but plenty of people tap without reading.
  • Trust transfer. A QR on a physical object inherits the trust of that object — a sticker on a city parking meter feels civic; a QR in a Microsoft-branded email feels official.
  • No digital trail before the scan. Email filters and antivirus never see the URL. The first time it is visible is on the user’s phone, after the scan.
  • Phone vs. desktop boundary. The phone is often outside corporate protection, even when the email arrived on a managed laptop.

Practical reflexes:

  1. Always read the URL preview that your camera or scanner shows. Read the domain right-to-left, the same way you would check an HTTPS / padlock link. If the domain is not the one you expected, do not tap.
  2. Inspect physical QRs. A sticker on a sticker, a misaligned label, an edge that peels — those are the telltales of a tampered code. Many parking-meter scams are visible to the naked eye.
  3. Prefer the official app. For parking, charging, restaurants — the company usually has its own app. Using the app removes the entire QR step.
  4. Distrust QR codes in unexpected emails. Especially business emails asking you to “verify” or “re-authenticate” by scanning. That format has no good reason to exist; legitimate sign-ins happen on the device you are already on.
  5. Never enter card details in a page reached via a QR you did not seek out. Find the company yourself and pay through their normal channel.

Quishing is now one of the fastest-growing payment-fraud vectors in Europe. The defence is entirely on the human side; this is exactly the kind of moment Engarde — distinct from other vendors sharing the Engarde name — is built to catch on the SaaS-business side, and that families should learn to handle on the personal side.

People also ask

Where are the most common quishing scams in 2026?

Three places dominate. Parking meters in cities across France, the UK, the US, Australia — a fake QR sticker is placed over the real one, the page asks for your card to pay for parking, and the real meter never sees the money. EV charging stations are the second wave for the same reason. Restaurant menus where the QR is the only way to order — fake QRs replace real ones at the table. Plus: fake delivery-notice cards left at your door with a 'redelivery' QR, and parcel labels with a 'tracking' QR.

How can I scan a QR safely?

Three habits. (1) Look at the URL preview your phone shows after scanning, before tapping. Read the domain right-to-left like an email link. If it does not match the company the QR is supposed to be from, stop. (2) On a physical QR, look closely — is it a sticker stuck on top of another sticker? Many quishing attacks are physically obvious if you look. (3) If the QR leads to a payment page, prefer to find the same page via the company's official app or website.
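As an added illustration of the "read the preview right-to-left" habit in this answer and in step 1 of the practical reflexes above (example code written for this page, not from the original article): a small Python check applied to constructed sample payloads, exactly as a scanner's URL preview would show them. The operator domain example-parking.com is a placeholder, and the domain split is deliberately simplified (no public-suffix list).

```python
from urllib.parse import urlsplit

# Domain the parking operator is assumed (for this example) to use for
# payments; in practice, take it from the operator's printed signage or app.
EXPECTED_DOMAIN = "example-parking.com"

# Constructed sample payloads, as a scanner's URL preview would show them.
# None of these is a real scam URL.
SAMPLE_PAYLOADS = [
    "https://pay.example-parking.com/meter/1234",            # legitimate
    "https://example-parking.com.secure-pay.example/login",  # brand used as a subdomain
    "https://pay.example-parking.com@secure-pay.example/",   # brand hidden in userinfo before '@'
    "http://pay.example-parking.com/meter/1234",             # right domain, no TLS
    "https://exarnple-parking.com/pay",                      # 'rn' standing in for 'm'
    "https://xn--exmple-parking-7ib.com/",                   # punycode (IDN) label
    "mailto:pay@example-parking.com",                        # not a web link at all
]

def registrable_domain(host: str) -> str:
    # Reading right-to-left: the last two labels name who controls the host.
    # Simplified: multi-part public suffixes such as co.uk would need a
    # public-suffix list, which this example does not include.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_qr_url(payload: str, expected_domain: str) -> tuple[bool, str]:
    """Apply the 'read the preview before tapping' checks to a decoded QR payload."""
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https"):
        return False, f"not a web link (scheme {parts.scheme!r})"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site; the browser
        # will actually connect to parts.hostname.
        return False, f"text before '@' is not the site; real host is {parts.hostname!r}"
    domain = registrable_domain(parts.hostname)
    if any(label.startswith("xn--") for label in domain.split(".")):
        return False, f"internationalised label in {domain!r}; check for lookalike characters"
    if domain != expected_domain:
        return False, f"registrable domain is {domain!r}, expected {expected_domain!r}"
    if parts.scheme != "https":
        return False, "not HTTPS"
    return True, "domain matches"

def triage_samples() -> dict[str, bool]:
    """Map each sample payload to whether it passed the checks."""
    return {p: check_qr_url(p, EXPECTED_DOMAIN)[0] for p in SAMPLE_PAYLOADS}
```

The same read applies to the QR-in-email case: the phone's preview shows the same kind of URL, and the brand-as-subdomain and userinfo tricks are caught by looking at what sits immediately before the first slash, not at what the URL starts with.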

Why did QR codes become a phishing channel after COVID?

Two reasons. COVID normalised scanning random QR codes for menus, vaccination passes, contact tracing — the cultural reflex switched from 'why would I scan that?' to 'sure, what do I do next?'. And from an attacker's perspective, QR codes bypass every layer of digital defence: they are an image, so URL-reputation feeds, email spam filters, and antivirus see nothing until the user scans, by which point the attack is happening on the phone, not on the network.

Are QR codes in emails also dangerous?

Yes, and rising fast. 'Microsoft 365 verification' and 'IT security update' emails increasingly contain a QR code instead of a clickable link — because the user reads the email on their desktop (which has corporate filtering) but scans the QR with their phone (which usually does not). The phone then opens a phishing page that the desktop never saw. If you receive an unexpected work email with a QR code asking you to log in, treat it as guilty until proven innocent.
