“Quishing” Attacks Double—Here’s How to Stay Safe Before You Tap
How “quishing” works
Hackers print a bogus QR code, paste it over the legitimate one on a table tent or parking kiosk, and wait. Scan it, and you’re whisked to a clone site that skims card details or prompts an app download laced with malware. Because cameras hide the URL until after you’ve tapped, victims often realize too late.
“People trust the black-and-white square more than a shortened link, and crooks know it.” — Kathy Stokes, fraud-prevention director, AARP
A crime wave hiding in plain sight
| Year | UK “quishing” reports | % change YoY |
|---|---|---|
| 2023 | 589 | — |
| 2024 | 1,386 | +135 % |
| 2025 (Q1) | 502 | on pace for another record |
In the U.S., the FBI warns that QR fraud now shows up in cryptocurrency blackmail, parking scams, and fake tech-support calls that direct victims to “scan the code and pay.” Federal Bureau of Investigation
Five-point safety check before you scan
- Look for tampering. A peeling sticker or mismatched branding is a red flag.
- Preview the link. Modern iOS and Android cameras display the URL—read it before tapping.
- Expect HTTPS—and the right domain. Misspellings (restarant-pay.com) are a giveaway.
- Ask staff if unsure. Legit establishments know their own URL; don’t feel awkward.
- Use your own data connection. Skip public Wi-Fi prompts that appear after scanning.
What restaurants and retailers can do
- Print codes inside lamination to prevent sticker swaps.
- Rotate unique URLs per table; expired codes are useless to crooks.
- Post a short fallback URL (e.g., mycafe.com/menu) so patrons can type instead of scan.
The bottom line
QR codes aren’t evil—but they’re no longer innocent shortcuts, either. A two-second glance at the link and a healthy dose of skepticism will save you from the scam that’s growing faster than any other form of phishing in 2025.
