Quishing: The Rising Threat of QR Code Phishing
QR codes have become ubiquitous — restaurant menus, parking meters, event tickets, government notices. Their convenience is undeniable. But that same convenience has opened the door to a new breed of cyberattack: quishing.
What Is Quishing?
Quishing (QR + phishing) is a social-engineering attack where a malicious QR code redirects the victim to a fraudulent website designed to steal credentials, personal data, or financial information. Because humans cannot read a QR code with the naked eye, there is no way to inspect the destination URL before scanning.
Attackers exploit this by:
- Pasting malicious stickers over legitimate QR codes on parking meters, restaurant tables, or public signage.
- Embedding fraudulent codes in phishing emails or printed flyers.
- Replacing government or corporate QR codes on official documents and correspondence.
Why Is Quishing So Dangerous?
Invisible Threat
Unlike a suspicious email link that a trained user might recognise, a QR code reveals nothing about its target. Even security-aware individuals can be tricked.
Bypasses Email Filters
Traditional anti-phishing tools scan text and URLs in emails. A QR code embedded as an image bypasses these filters entirely, making it a favourite vector for attackers targeting corporate environments.
Mobile Vulnerability
QR codes are scanned on smartphones, which often have weaker security controls than corporate laptops. Mobile browsers may not display the full URL, and users are less likely to scrutinise links on a small screen.
Growing Attack Surface
Cybersecurity researchers consistently report that quishing is one of the fastest-growing phishing vectors, with a sharp acceleration in recorded incidents throughout 2023 and 2024 and no sign of slowing down.
Real-World Examples
- Parking meter scams — Fraudulent QR code stickers placed on meters in major European cities redirected drivers to fake payment portals.
- Energy bill fraud — Counterfeit utility bills with altered QR codes directed victims to phishing sites that harvested bank credentials.
- Corporate spear-phishing — Attackers sent printed letters with QR codes to employees, posing as HR departments requesting "urgent credential verification."
How Visible Digital Seals Solve the Problem
Standard QR codes are fundamentally insecure because anyone can generate one. There is no built-in authentication mechanism. A Visible Digital Seal (VDS) changes this equation entirely:
- No URL, no redirect — A VDS does not encode a web address. It contains structured data (identity, certificate, product info) that is read and displayed locally by the verification app.
- Cryptographic signature — The data in a VDS is signed with the issuer's private key. Any tampering — even changing a single character — invalidates the signature.
- Issuer verification — The verification app (such as Otentik Codes Reader) checks the signature against a trusted list of public keys, confirming both the data integrity and the identity of the issuing authority.
- Offline operation — Verification is performed locally on the device, without any network call at the time of scanning that an attacker could intercept or spoof. Note that trust lists must be downloaded and cached in advance by the verification app, requiring an initial and periodic internet connection.
In short: you cannot quish a VDS. The technology eliminates the attack vector by design.
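The signing and trust-list check described above, as an added Go example that is not Otentik's code and does not use the real VDS encoding: the seal structure, the issuer IDs and the permit data are all constructed for illustration, and Ed25519 is assumed as the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strings"
)

// Seal is a simplified model of what a VDS carries (constructed for this
// example, not the real encoding): issuer ID, signed data, signature. No URL.
type Seal struct{ Issuer, Data string; Signature []byte }

// TrustList maps issuer IDs to public keys; a real reader caches it in advance.
type TrustList map[string]ed25519.PublicKey

// Issue signs issuer+data with the issuer's private key.
func Issue(issuer string, priv ed25519.PrivateKey, data string) Seal {
	msg := []byte(issuer + "\x00" + data)
	return Seal{Issuer: issuer, Data: data, Signature: ed25519.Sign(priv, msg)}
}

// Verify checks a seal offline against the cached trust list: an unknown
// issuer or any altered byte of the data is rejected.
func Verify(tl TrustList, s Seal) error {
	pub, ok := tl[s.Issuer]
	if !ok {
		return errors.New("issuer not in trust list")
	}
	msg := []byte(s.Issuer + "\x00" + s.Data)
	if !ed25519.Verify(pub, msg, s.Signature) {
		return errors.New("signature invalid: seal has been altered")
	}
	return nil
}

// Demo: the genuine seal verifies; a one-character change to the data and a
// seal self-issued with a key outside the trust list both fail.
func Demo() (genuine, tampered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tl := TrustList{"EXAMPLE-ISSUER": pub}
	seal := Issue("EXAMPLE-ISSUER", priv, `{"doc":"permit","valid_to":"2025-12-31"}`)
	genuine = Verify(tl, seal)
	forged := seal
	forged.Data = strings.Replace(seal.Data, "2025", "2026", 1)
	tampered = Verify(tl, forged)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	unknown = Verify(tl, Issue("ROGUE-ISSUER", rogue, seal.Data))
	return
}
```

The check works only when the reader actually runs it: a plain QR code pasted over a seal is still just a QR code to a generic camera app, so the trust list and the signature check must live in the verification app users are told to use.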
What Can You Do Today?
- Be cautious when scanning QR codes in public places — if the code looks like a sticker placed over another, do not scan it.
- Check the URL displayed by your phone before entering any personal information.
- Advocate for VDS adoption in your organisation — especially for any document or label that currently relies on standard QR codes.
- Use Otentik Codes Reader to verify documents secured with Visible Digital Seals.