Quishing attacks: scan a QR code and give away your money?

QR Codes: From Digital Convenience to Digital Threat
QR codes were originally created as a solution for optimization: quick access to information, purchases, or restaurant menus without unnecessary typing. However, in 2025, they turned into one of the most widespread Trojan horses in cyberspace. According to recent research, nearly 73% of Americans scan QR codes without verification, and more than 26 million users have already been redirected to malicious sites. A new form of phishing, quishing (QR + phishing), has become a convenient and unnoticeable loophole for cybercriminals.
Quishing: How Scammers Work
The method is simple and therefore effective: the attackers place fake QR codes in visible places such as parking meters, notifications from utility services, banners or even fake deliveries. The user scans the code in a hurry, after which they:
ends up on a fake payment page;
enters card details, login or password;
or downloads malware directly to the smartphone.
The Federal Trade Commission (FTC) has already issued an official warning: scanning an unexpected QR code can lead to device theft, leaking of banking data, hacking of messengers and access to the camera and microphone.
Real-life example: New York, parking meters and fake fines
The New York City Department of Transportation reported a series of incidents in which scammers placed QR codes on parking meters. People paid the "fine" without realizing that the money was going to cybercriminals and their data was on the dark web.

Why QR codes are more dangerous than regular links
Unlike email or SMS, a QR code hides the final URL. The user does not see where exactly they are going, and the screen displays a deliberately "harmless" link, forged using Unicode or Latin-like characters. According to the FTC, 26% of all malicious links in 2025 will be transmitted via QR codes, more than via email.
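A check a scanner app or mail gateway could run on the URL decoded from a QR code before showing or opening it, flagging the look-alike hostnames described above. This is an added example, not code from the article; the sample URLs, the warning codes and the function names are constructed for illustration, and a legitimate internationalized domain will also raise the non-ASCII warning, so the result is a prompt for review rather than a verdict.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed samples, not taken from the article (.example is a reserved TLD).
GENUINE = "https://parking.example/pay"
SPOOFED = "https://p\u0430rking.example/pay"  # U+0430 CYRILLIC SMALL LETTER A
SPOOFED_ACE = ("https://xn--" + "p\u0430rking".encode("punycode").decode("ascii")
               + ".example/pay")  # same host in its ASCII (punycode) form


def label_scripts(label):
    """Scripts of the letters in one hostname label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_qr_url(payload):
    """Return a sorted list of warning codes for a URL decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:
        return ["unparseable"]
    findings = set()
    if parts.scheme != "https":
        findings.add("not-https")
    if parts.username is not None:
        # In https://parking.example@other.example/ the real host is other.example.
        findings.add("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.add("ip-literal-host")
    except ValueError:
        pass
    for label in host.split("."):
        if label.startswith("xn--"):
            findings.add("punycode-label")
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                continue  # malformed encoding: keep the punycode warning only
        if not label.isascii():
            findings.add("non-ascii-label")
        if len(label_scripts(label)) > 1:
            findings.add("mixed-script-label")
    return sorted(findings)
```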
Psychology of trust and smartphones as a risk factor
Research shows that iPhone owners are more trusting. 70% of iOS users have scanned QR codes to make purchases, compared to 63% of Android users. Brand trust plays into the hands of criminals.
Technological answer: “smart” QR code
Against the backdrop of threats, developers are working on SDMQR (Self-Authenticating Dual-Modulated QR). This is a technology that can confirm the authenticity of a code in real time through a digital signature. But there is a nuance: for it to work, support at the level of smartphone cameras is required, that is, Google and Apple must implement it at the system level.
Until this happens, users remain virtually defenseless.
What companies and users do
IT departments of banks, government portals and retail have begun to regularly update QR codes to minimize the risk of their substitution.
Some institutions implement dynamic codes that expire after a few seconds.
QR code scanning apps have started to include antivirus checks, but they are not yet widely used.
How to protect yourself: 5 simple rules
Never scan a code if it comes in an unexpected package or is posted in a public place.
Check if the URL is displayed after scanning.
Use third-party apps to check QR codes.
Turn on notifications about suspicious activity on your card and email.
Be especially careful when paying via QR - double-check the website and address.
QR code is not evil, but it is not protection either
QR codes were created for convenience, not security. And until the industry develops sustainable protection, quishing will develop faster than antivirus solutions. Like any mass technology, QR can be a useful tool or a weapon of mass phishing. It all depends on who uses it.
By Claire Whitmore
July 29, 2025