Advisory, 3 November 2025

Quishing: Scanning Can Be Dangerous

How Cybercriminals Exploit QR Codes to Steal Data


QR codes are handy, fast and now everywhere—whether in restaurants, on digital ads or on flyers. But what many people don’t realise is that these seemingly harmless squares can hide a new type of scam. This scam, known as ‘quishing’, involves criminals manipulating QR codes to steal personal data or install malware. Alina Gedde, a digital expert at ERGO, explains how quishing works and what you can do to protect yourself.

What is Quishing?

Most people are now familiar with phishing emails or fake messages pretending to be from their bank. However, as Alina Gedde, a digital specialist at ERGO, points out: “For some time now, a new scam called quishing has been making the rounds.” In this case, cybercriminals create fake or tampered QR codes to get hold of sensitive information or spread malware. The term is a blend of “QR” (Quick Response Code) and “phishing”, describing a phishing attack delivered via QR codes. “What makes quishing particularly tricky is that, unlike suspicious links in emails, QR codes can’t be automatically scanned by antivirus software,”

How Quishing Works – and Why It’s So Dangerous

Quishing always starts with a QR code that looks harmless. Fraudsters stick these codes on posters, send them in emails or letters, or place them in public spaces. “When someone scans such a code, they’re not taken to a genuine website, but to a convincing fake. There, they might be asked to enter passwords, payment details or personal data,” explains the digital expert. “Sometimes, a malicious download may even begin as soon as you scan, infecting your phone.” Particularly at risk are login details for online banking or email accounts, credit card numbers, bank information, or personal data such as name, address, date of birth or phone number. Fake QR codes might claim to give access to parcel tracking, voice messages or fast payments—for example, at a parking meter.

How to Spot Quishing

Unexpected QR codes on stickers, scraps of paper or posters—especially if they appear in odd places or have been stuck over another code—should make you suspicious straight away. “Emails or texts with QR codes from unknown senders, or that urge you to act quickly, are also classic warning signs,” explains Alina Gedde. After scanning, look out for missing HTTPS encryption or web addresses with spelling mistakes or strange domains—these can be signs of fraud. If a website immediately asks for passwords, payment details or personal information, be on your guard.
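The address checks described above (missing HTTPS, misspelled or unfamiliar domains) can be automated once the QR code has been decoded to a URL. The following Python sketch is an added example, not code from ERGO or the author; the trusted-domain list, the function names and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the user actually expects to reach (constructed names).
TRUSTED = {"example-bank.com", "parcel.example.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url: str) -> list[str]:
    """Return the warning signs found in a URL decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("no-https")            # connection is not encrypted
    if not host:
        return warnings + ["no-host"]          # not a usable web address
    if host.startswith("www."):
        host = host[4:]
    # An exact match or a subdomain of a trusted domain passes the domain check.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return warnings
    # One or two characters away from a trusted name: likely a spelling-mistake domain.
    if any(edit_distance(host, t) <= 2 for t in TRUSTED):
        warnings.append("lookalike-domain")
    else:
        warnings.append("unknown-domain")      # not a domain the user expects
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs, as a QR reader's preview might show them.
    for sample in ("https://www.example-bank.com/login",
                   "http://example-bank.com/login",
                   "https://examp1e-bank.com/login",
                   "https://parcel-tracking.example.net/"):
        print(sample, "->", check_qr_url(sample) or "no warning signs")
```

An empty result only means none of these three signs was found; it does not prove the destination is genuine.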

Protecting Your Data

The safest approach is to only scan QR codes from sources you trust, such as official websites or well-known companies. “Many QR code readers show a preview of the destination web address. If it looks odd, be cautious,” advises the digital expert. Before entering any information, check the address bar carefully: only trust the correct domain and make sure it’s secured with HTTPS. Never enter login details or payment information on websites you’re not sure about. “Keeping your phone’s security software up to date and typing in important website addresses by hand makes you much safer,” recommends Alina Gedde.

What to Do if You Suspect Quishing

If you think a QR code might be dodgy, stop immediately and don’t enter any information. “If you’ve already shared sensitive details, change your passwords straight away and tell your bank or the relevant service provider,” says Alina Gedde. It’s also a good idea to report the incident to the police or a consumer protection body to help prevent others from falling victim. Afterwards, check your phone carefully for malware or unfamiliar apps and remove anything suspicious.


Note: Our articles reflect the factual and legal status at the time of publication and are not updated afterwards.

About the Expert

Alina Gedde

Since early 2020, Alina Gedde has served as a Digital Transformation and Change Consultant at ERGO Digital Ventures, where she is responsible for a range of communication formats on digital topics. She completed her training as an Insurance and Finance Specialist between 2015 and 2018, after which she was selected for the ERGO Top Talent Program. Alongside her role in the ERGO Pensionskasse department, Alina pursued a part-time degree in Business Administration, graduating with a Bachelor of Arts in 2022. In her free time, she enjoys spending time outdoors with her horse and dog.
