QR Code Phishing Threat: New Scam Steals Login Credentials

  • QR Code Phishing
  • Quishing
  • Scam Alert
  • Phishing
  • Cybercrime

Disclaimer: This post is for informational purposes only and does not constitute legal or financial advice. If you believe you have been targeted, contact your bank and local authorities immediately.

Over $3 million vanished from bank accounts last month, all thanks to a tiny black-and-white square. Criminals have weaponised QR codes, turning a convenient tech feature into a sophisticated trap. We're talking about 'quishing' – QR code phishing – and it's rapidly becoming one of the most insidious threats out there.

This isn't just about spotting a dodgy link anymore. Scammers are now targeting our trust in QR codes for everything from payments to menus, turning our mobile-first habits against us. It's a low-tech entry point to high-value data theft.

How Do QR Code Phishing Scams Work?

The criminals aren't just sending you suspicious links anymore. They’re embedding malicious URLs into seemingly innocuous QR codes. These aren’t complex hacks; they’re social engineering at its most insidious, coupled with basic technology.

Scammers distribute these codes through various channels. Imagine an official-looking 'invoice' in your email, prompting you to 'scan to pay' for an overdue bill. Or a flyer taped to a public lamp post promising a 'discount' if you scan. Even physical QR codes in restaurants or parking structures are being tampered with, swapped out for malicious versions.

Once scanned, the code whisks you away. It might redirect through several legitimate-looking domains to obscure the final destination. You land on a clone of a trusted website – your bank, an online retailer, even a government portal. It looks identical on your phone's browser, designed for touch interactions.

This fake site demands your login credentials or payment information. You dutifully enter your username and password, sometimes even your two-factor authentication code. That sensitive data goes straight to the criminals, instantly compromising your account.

Sometimes, the QR code triggers an immediate download. It could be a 'secure' banking app update that’s actually malware. This malware then monitors your device, stealing further sensitive information or even hijacking your device's camera and microphone. It's a direct route for criminals to access your digital life.

Who Is Being Targeted by Quishing?

Anyone can fall victim to QR code phishing, but specific groups face heightened risk. Busy professionals are frequently targeted with fake corporate emails containing QR codes for 'IT support' or 'password resets.' Students receive 'tuition payment' or 'financial aid' notifications demanding a scan, preying on their financial anxieties.

Businesses themselves are not immune. Attackers send convincing phishing emails disguised as internal communications. Employees, accustomed to scanning QR codes for everything from menus to meeting check-ins, might scan without a second thought. This opens doors to corporate network breaches, making 'quishing' a severe enterprise threat.

Even everyday consumers interacting with QR codes for payments, restaurant menus, or parking meters are at risk. Scammers tamper with legitimate QR codes in public spaces, swapping them for malicious ones. You think you're paying for parking, but you're actually handing over your card details to a thief. Do you really know where that QR code will take you?

Red Flags to Watch For

Protecting yourself from QR code phishing means staying vigilant. Look out for these critical red flags:

  • 🚩 Unexpected QR codes in emails, texts, or physical locations. Always question the source.
  • 🚩 QR codes linked to generic URL shorteners (e.g., bit.ly, tinyurl.com) when an official link should be visible. Hover over desktop links or long-press mobile links to preview the URL.
  • 🚩 Websites demanding immediate login after scanning, especially if they don't look perfectly identical to the real site. Check the URL in your browser's address bar carefully – even a single character difference matters.
  • 🚩 Typos, poor grammar, or pixelated, low-quality QR codes on printed materials. These often indicate a rush job by fraudsters.
  • 🚩 Any request for sensitive information (passwords, card numbers, SSN) after scanning a code from an unverified source. Legitimate services rarely ask for full details immediately after a scan.
  • 🚩 A sense of urgency or threat accompanying the QR code instruction. Scammers often use pressure tactics to bypass critical thinking.
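
The URL-related red flags above (shorteners, near-identical addresses) can be checked automatically once a QR code has been decoded to text. The sketch below is an added example, not code from this site or its scam checker; the trusted domains, the sample URLs and the two-character lookalike threshold are assumptions made for illustration, and the shortener list holds only the two services named above.

```python
from urllib.parse import urlsplit

# Constructed sample data: shorteners are the two named in the list above;
# the trusted domains are hypothetical placeholders.
SHORTENERS = {"bit.ly", "tinyurl.com"}
TRUSTED = ("examplebank.com", "example-parking.org")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-identical domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(payload: str) -> list[str]:
    """Return the red flags raised by a URL decoded from a QR code."""
    flags = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")   # text before '@' is not the site
    if host in SHORTENERS:
        flags.append("url-shortener")     # real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")     # may display as lookalike letters
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return flags                  # genuine domain or its subdomain
    for good in TRUSTED:
        # Compare the tail of the host that has as many labels as `good`.
        tail = ".".join(host.split(".")[-good.count(".") - 1:])
        if edit_distance(tail, good) <= 2:  # assumed threshold
            flags.append(f"lookalike-of:{good}")
        elif good.split(".")[0] in host:
            flags.append(f"trusted-name-in-untrusted-host:{good}")
    return flags
```

An empty result only means none of these particular checks fired; a shortened link still has to be expanded and re-checked before it can be trusted.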

What to Do If You've Been Hit

  1. Change Passwords Immediately: If you entered login credentials, change them for that account and any other accounts using the same password. Enable multi-factor authentication everywhere.
  2. Contact Your Bank/Financial Institution: If you entered payment details, call your bank or card provider to report fraudulent activity and cancel your cards.
  3. Scan Your Device for Malware: Run a full scan using reputable antivirus software if you suspect a download occurred. Delete anything suspicious.
  4. Monitor Your Accounts: Keep a close eye on bank statements, credit card activity, and online accounts for any unauthorised transactions or unusual logins.
  5. Report the Incident: Alert the authorities to help them track and stop these criminals.

Where to Report

If you encounter or fall victim to a QR code phishing scam, report it to the relevant authorities:

Stay alert. Verify everything. If something feels off, trust that instinct. And remember, you can always use our free scam checker to scrutinise suspicious messages and links before you click or scan.