KEY STATISTICS
400%
Increase in quishing attacks 2023 to 2025
89.3%
Of attacks target credential theft
#1
Attack vector in hospitality environments
0ms
Warning before redirect in standard QR scanning
George Smith โ Founder, Klickify Agency
What Is QR Phishing (Quishing)?
Quishing is a cyberattack that uses malicious QR codes to redirect victims to fraudulent websites designed to steal credentials, install malware, or capture payment information. It exploits a fundamental property of QR code scanning: users cannot read the destination URL before scanning. In a traditional phishing email, a trained user can hover over a link to preview the destination. With a QR code, no preview is possible in the default scanning flow.
The Anti-Phishing Working Group documented a 400% increase in quishing incidents between 2023 and 2025, with 89.3% of attacks targeting credential theft โ login pages for banking, email, and corporate systems that are visually indistinguishable from the legitimate services they impersonate.
Four Quishing Attack Vectors
01
Physical overlay attacks
The attacker prints a fraudulent QR code sticker and places it over a legitimate code in a physical environment such as a restaurant menu, hotel check-in code, or parking payment terminal. The legitimate code underneath is obscured. Users scan the overlay and are redirected to a credential harvesting page that mimics the expected destination. Physical overlay attacks can persist for days before staff notice.
02
Malicious QR in email and documents
Email security filters detect malicious URLs in hyperlinks and HTML. Embedding a malicious URL in a QR code image bypasses most text-based link scanners because the URL is encoded in an image rather than present as text. Attackers use QR codes in phishing emails that claim to require scanning to verify identity or access a document.
03
Counterfeit codes on payment terminals
Payment terminals and parking kiosks increasingly support QR code payment. Attackers affix fraudulent QR codes over legitimate payment terminal codes, redirecting payment flows to fake collection pages. The victim believes they are paying for parking or a service while providing payment credentials to an attacker.
04
Compromised dynamic QR destinations
If an attacker gains access to a dynamic QR generator dashboard, they can change the destination URL of an existing QR code to a malicious site without touching the physical code. All printed instances immediately redirect to the attacker's destination. This vector is especially dangerous for organizations using shared credentials on QR generator platforms.
High-Risk Environments
๐ฝ๏ธ
Restaurants and cafes
Table QR codes for menus and ordering are prime overlay targets. High scan volume and unmonitored tables.
๐จ
Hotels
Check-in QR codes, WiFi access codes, and restaurant ordering codes throughout the property.
๐
ฟ๏ธ
Parking facilities
Payment terminal QR codes at meters and kiosks with minimal supervision.
๐ฅ
Healthcare facilities
Patient check-in codes and visitor WiFi access codes in high-trust environments.
๐ช
Events and conferences
Registration QR codes and sponsor materials throughout large venues.
๐
Public transit
Ticketing QR codes and payment terminals with high throughput and low inspection.
The Safe-Scan Architecture: Destination Preview Before Redirect
The fundamental vulnerability in standard QR scanning is the absence of a preview step. Safe-Scan intercepts the redirect at the server level. When a user scans a Truly Free QR dynamic code, the initial request reaches the redirect server which returns a preview page instead of an immediate redirect. The preview displays the full destination URL, the domain in large readable text, and a clear confirmation button to proceed. The user can verify the destination before any redirect occurs.
This informed-consent step eliminates the primary quishing attack vector. A victim who scanned a fraudulent overlay code sees the malicious domain on the preview page before being redirected. For legitimate QR codes the preview adds approximately two seconds โ comparable to a browser download confirmation dialog. The redirect engine behind the preview still resolves in under 5ms; the additional time is the user reading and confirming the destination.
What Businesses Can Do to Protect Users
1
Use tamper-evident QR code displays
Laminated or encased QR codes are more difficult to overlay than paper printouts. Custom-shaped or branded QR displays make unauthorized replacements visually obvious.
2
Inspect codes regularly in high-risk environments
Restaurant and hotel staff should periodically scan their own QR codes to verify they redirect to the expected destination. A 30-second spot check during setup identifies overlay attacks before guests encounter them.
3
Include the destination URL in text near the QR code
Print the expected destination domain next to the QR code. Users who see a different domain after scanning have a reference point for suspicion.
4
Monitor dynamic QR dashboards for anomalies
Dynamic QR dashboards show scan volume by time and location. An unusual spike in scans from an unexpected geographic area may indicate a fraudulent copy of your code has been deployed elsewhere.
5
Use generators with built-in phishing protection
Most QR generators offer no security layer between the scan and the redirect. Safe-Scan preview is active on every dynamic QR on Truly Free QR at no cost. Enterprise-grade security should not require enterprise-grade pricing.
Generate QR codes with phishing protection built in
Safe-Scan destination preview active on every dynamic QR. No premium plan. No account needed.
Create Safe QR Code