What Is Quishing? The QR Phishing Scam That Can Drain Your Wallet Fast

Quishing is phishing delivered through a QR code.

You scan, you trust, you tap, and sometimes you land on a fake page designed to steal money, passwords, or personal details.

If phishing emails were the old trap, QR phishing is the modern shortcut trap.

What is quishing?

Quishing is a scam where criminals use malicious QR codes to lead people to unsafe websites.

It is also commonly called QR phishing.

The Australian Cyber Security Centre describes quishing as a threat type where QR codes are used to trick people into visiting malicious links: Quishing (cyber.gov.au).

You can also see a practical consumer breakdown here: What is quishing? (security.org).

Why quishing works so well

A QR code hides the full destination until after the scan.

That gives scammers a perfect moment to exploit speed and trust.

Common pressure points include:

• fast payments in public places
• urgent account updates
• form submissions with personal data
• fake delivery, tax, or utility notices

When people are rushing, they are less likely to verify the domain carefully.

QR phishing examples you should recognize immediately

1. Fake payment QR codes

A sticker is placed over a legitimate QR at a parking meter, cafe table, or event stand.

You think you are paying the right business.

Instead, the money goes to the attacker.

2. Fake login forms

A QR code leads to a page that looks like your bank, cloud app, or work portal.

You enter credentials, and attackers capture them in real time.

3. “Verify now” forms

The page asks for card details, birth date, address, or one-time passcodes.

It looks official, but the form is a data-harvesting trap.

4. Redirect chains that hide the final destination

The first URL looks harmless, but multiple redirects land you on a risky domain.

Why payments and forms are the biggest risk zones

Payments and forms are high-conversion scam surfaces.

Attackers know these actions involve urgency and sensitive input.

If you are scanning a QR to:

• pay a bill
• pay for parking
• submit identity details
• fill account verification forms

then a small verification step can prevent a major loss.

How to avoid quishing in real life

Use this quick checklist before opening any QR destination:

1. Check the domain carefully before continuing. 2. Be extra cautious when the page requests payment or personal details. 3. Watch for spelling tricks, extra characters, or odd domain endings. 4. Avoid entering card numbers or credentials on pages reached from unexpected QRs. 5. If possible, navigate manually to the official site/app for payment. 6. Treat urgency language like “pay now” or “verify in 5 minutes” as a red flag.

Quishing vs regular phishing

Regular phishing often arrives via email, SMS, or fake ads.

Quishing uses camera behavior and visual trust.

That is why people who are great at spotting suspicious emails can still get caught by QR phishing.

The cost of one rushed scan

One rushed scan can lead to:

• unauthorized charges
• account takeover
• identity misuse
• long recovery time with banks and providers

A two-second domain check is much cheaper than weeks of recovery.

FAQ

Is quishing the same as QR phishing?

Yes. Quishing is QR-code-based phishing.

Can a QR code itself infect my phone?

In most cases, the code acts as a link carrier. The main danger is what opens next and what data you submit there.

Are payment QR codes always risky?

No. Many are legitimate. Risk increases when the source is unknown, physically tampered, or asks for unusual details.

Are forms from QR codes safe to fill out?

Only if you fully trust the destination domain and context. For sensitive forms, it is safer to open the official site manually.

What is the safest habit?

Preview the link, verify the domain, and slow down for payments and personal forms.