If you immediately think of email when you think of phishing, you’re not alone. However, a new form of a text-based scam is making waves – highlighted by a seemingly legitimate text from the USPS which lets receivers know that their “package” arrived at the warehouse. To receive the package, it instructs users to click on a link to enter their information for delivery. 

This is just one of many examples of an attempt at a phishing attack – a kind of scam where attackers attempt to get users to reveal personal information – such as login credentials, credit card numbers or Social Security numbers – or to trick users into taking an action, such as downloading malware or sending money. Due to the relatively low cost and high success rate, phishing attacks are the most common way online accounts are breached today.

While most phishing attacks come by email, including deceptive links or attachments, others are sent by text message – like the one mentioned above – or even a telephone call. Phishing attacks can look like real emails, messages or websites from familiar brands; in fact, 44% of people think an email is ‘safe’ if it comes from a trusted brand. 

Now, another new kind of phishing attack is on the rise and it’s coming from an unexpected source: QR codes. 

What are QR codes and how are they used for phishing?

QR codes are a type of barcode displayed in a square-shaped grid that can be read by a camera, typically on a smartphone. QR codes can store plain text or links to download an app, access product information or a menu, send or receive a payment, join a Wi-Fi network, log into an account (e.g. loyalty program) or support mobile ticketing, just to name a few.

In 2022, 83.4 million US smartphone users scanned a QR code, a figure expected to reach 99.5 million in 2025. Unsurprisingly, as QR codes grow in popularity, they have become the latest ‘lure’ for phishing attacks as a way to take advantage of users becoming more comfortable using them. 

QR code phishing attacks, also known as “quishing,” leverage physical or digital QR codes to lure users to fake websites designed to steal sensitive information or to infiltrate a device and infect it with malware. 

Like with other kinds of phishing, this kind of attack leverages trust—trust in the QR code itself as well as the brand attached to it. Further, many attacks rely on creating a sense of urgency around a supposed benefit (e.g. contest) or consequence of not taking action (e.g. locked account). September 2023 saw a 51% increase in quishing attacks, compared to the cumulative figure for January through August 2023. Furthermore, malicious QR codes represented 9.5% of all QR codes scanned in September 2023. 

What does a QR-based phishing attack look like?

QR code phishing leverages a widely-used form of technology that elicits a form of ‘trust’ where attackers either place new, malicious QR codes into physical locations that make them appear trustworthy, or send malicious QR codes as part of an email or text phishing attack. Let’s look at some examples: 

Physical QR Code

A QR code is attached to the door of a bank. When scanned, the QR code asks the user to sign into their bank account to enter a contest to win $100 that would be automatically deposited into their bank account. The website looks branded with the bank details.

However, this QR code is actually fraudulent and all the banking details entered can now be used for fraud.  

Digital QR Code

The user receives an email from their favorite retailer that contains a QR code to sign up for a new loyalty program. When the user scans the code on their computer screen, they are prompted to enter their personal details, including name, address, username and password. 

Similarly, this email contains a fraudulent QR code and is a phishing attack; similar to all other forms of phishing attacks, just leveraging new technology. Those details now can be used to access the retailer website and any information stored there, including credit card details. If that password is re-used across other websites, which 39% of people admit doing, it could be used in other instances of fraud. Further, the personal information may be sold on the black market to be leveraged by others in future phishing attacks.

How can you protect yourself from QR code phishing attacks?

Consider and verify the source is legitimate

While QR codes themselves cannot be hijacked, it is very easy to place a new and fraudulent QR code sticker over a legitimate source. QR codes that are sticker-based, unbranded or placed in unusual locations should be treated with caution. QR codes from an unfamiliar source should not be trusted. QR codes delivered by email should always be treated with extreme caution, with the exception of mobile tickets that are read by third-parties (e.g. concert tickets). 

Whenever in doubt, ignore the “easy” way of responding to the QR code prompt and instead verify the QR code is legitimate by contacting the brand directly from their standard website, by calling customer service, or asking an employee in-person. 

Be mindful of sharing personal information

Effectively safeguarding personal and financial information and placing trust in a website can be challenging to many people. In fact, about 32% of people are not confident they could spot a fraudulent or fake retailer website. 

As phishing attacks become harder to identify and use new lure tactics such as QR codes, be wary of websites that ask for personal information, login information or financial details. 

 Be mindful of payment methods 

While convenient, not all payment methods are protected equally. Avoid suspicious methods of payment, such as PayPal, Venmo or e-Transfer and avoid debit cards, which are not protected. Opt for a credit card with consumer protection for any purchases. Never disclose banking information or wire transfer funds as the result of a QR code interaction. 

Enable strong, phishing-resistant MFA across your accounts 

Wherever possible, enable accounts to use multi-factor authentication (MFA) to make it harder for phishing attacks to succeed. While any form of MFA is better than just using a username and password, not all MFA is created equal. Look for a phishing-resistant MFA option such as device-bound passkeys–including hardware security keys like the YubiKey–to give advanced protection to online accounts. Security keys stop phishing attacks by requiring something you know (a password) and something you have (a security key) to insert into the device and physically touch it to gain access to accounts.

For those sites that don’t yet support phishing-resistant methods, use a reputable password manager, such as 1Password, to generate strong, unique credentials per site and make logins easier between devices. 


For more cybersecurity tips and best practices, check out our blog post featuring simple tips from Yubico’s security team on improving your security posture this year here.

The post QR code phishing attacks (Quishing): What to know and how to stay secure appeared first on Yubico.


VaultumCity is the best trusted place to select and buy your best Yubikeys, Vaultumcity free ship all yubikeys, Vaultumcity is reseller distributor of yubikeys so you can find cheapest best yubikey in Vaultumcity. If you are looking for best Yubikeys in Singapore at VaultumCity website online store.

The shop that sells yubikeys is https://vaultumcity.com/product-category/yubikey/

Our delivers are from Singapore, distribute globally. Buying Yubikey in Vaultum to have best customer and after sales services. All Yubikeys sold at Vaultumcity are quality guaranteed. Please place a large amount order to have great discount for reseller. Contact Vaultumcity at https://vaultumcity.com/contact/ whenever you have any issue with your yubikeys. Buying yubikeys at Vaultumcity to have best newest yubikeys free shipped to your door, FIDO2 U2F SECURITY KEY C NFC, FIDO2 U2F SECURITY KEY NFC, YubiKey 5 Nano, YUBIKEY 5 NFC, YubiKey 5C, YubiKey 5C nano, YubiKey 5C NFC, YUBIKEY 5Ci, YubiKey Bio – FIDO Edition. Yubikeys are best most secure tools for two-factor authentication. You can also buy yubikeys form Malaysia, Yubikey Malaysia is being sold at Vaultumcity with great price and free ship, you have it fastest, just in few days because we’re here in Singapore.

If you are looking for yubikeys in Indonesia, Vaultumcity is a great place to buy yubikey Indonesia, you can have yubikeys to protect your logins in just few days. Vaultumcity ship your yubikeys to your home in Thailand, to help ensure your data is safe and secured.

What about South Korea, Vaultumcity bring your yubikeys to your home in South Korea free-shipped.

Vaultumcity also delivers yubikeys to Japan, any province or city to your hands. Check out and grab your best suited yubikey today at VaultumCity.