Back to Blogs

Quishing: How to Protect Yourself Against This Newest Phishing Trend

01.31.2024 / Lyndsie Williams - Director of Fraud Prevention
Fraud & Security

QR codes have become part of our lives, whether paying to park at a meter, viewing a menu at a restaurant, or scanning a digital ticket to get into a concert. Opening the camera on your phone and scanning a ‘quick response’ code has become second nature.

Since the COVID-19 pandemic, companies and consumers alike have embraced contactless payment methods, increasing QR Code usage. Accordingly, the number of smartphone users scanning QR codes is projected to increase from 89.5 million in 2023 to 99.5 million in 2025, according to Business Insider. Unfortunately, with the rise of this convenient technology, there is an attraction for cybercriminals, using QR codes for malicious intent.  

In this article, we will give you an in-depth overview of quishing, QR code warning signs, the most popular scams these devious hackers want you to fall for, and what you can do to protect yourself.

Understanding Quishing

This seemingly comedic word ‘quishing’ can pose a significant threat to your personal information security. It is a blend of the words “QR Code” and “phishing”. You have most likely heard of the term ‘phishing’ – according to IBM, it is a cybercrime that tricks users into downloading malware or sharing sensitive information, banking information, or your social security number. 

This deceptive practice can come in a variety of forms including clicking on an email, a text message, receiving a phone call, or even redirecting you to a fraudulent website. 

QR code phishing takes this a step further: TechTarget states these bad actors deceive you into first scanning a QR code with your cell phone. The QR code then uses the same tactics as phishing, leading users to a fraudulent website or downloading malware on your phone to get what they desire: your personal and banking information. 

Why QR codes make easy targets

QR codes are created by anyone with a computer and a printer. In a matter of minutes, and very little effort, you can find countless free QR code generator websites on the internet. They’re also ubiquitous in public and do not look to raise any suspicions for the untrained eye. For everyday consumers, these codes are easy to scan without a second thought, making them an easy and useful tool for cybercriminals. 

Easy QR code targets for quishing actors 

The International Association of Financial Crimes Investigators has a useful list of the most popular targets of quishing actors. We have also added a few of our own: 

  • Public bulletin boards (community centers, grocery stores, colleges, gyms, etc.) 
  • Gas pumps or vending machines
  • Menus at restaurants
  • QR codes at outdoor festivals or events 
  • Airports or bus stops 
  • ATMs and drive-thru windows 
  • Any public place that has a suspicious QR code. 

Other deceptive tactics

In 2022, the FBI warned the public after obtaining reports of individuals losing money involved in QR Code scams, particularly in cryptocurrency. 

From a strange package that is delivered to your doorstep with a QR code, to a donation fund for a charitable organization on a public board, or a QR code that promises you something that seems too good to be true: you must be suspicious of creative methods these cunning criminals will use. It can be very difficult to even differentiate between a true QR code and one a bad actor has created. That is why – it is all in the details. Here are a few ways you can protect yourself against malicious QR codes. 

Exercise caution in public spaces

The Federal Trade Commission has warned consumers that there are reports of scammers covering up QR codes on parking meters with their own QR code to obtain your credit card information. They can easily put their own code over the existing one. If in doubt, don’t scan the code. 

Examine the URL closely

Global Security software company McAfee recommends you check the link and destination – scammers will often misspell links or add a small change to the company name. Subtle differences are key: bad actors are good at making websites appear legitimate. Could you recognize the small differences in .communityfirst, Community-First, or community1st?  

The good news is if you don’t visit the website, your information will be protected.

Download malware and antivirus protection on your cell phone 

Installing antivirus software on your phone is a proactive measure against malicious QR codes. There are software options for both Android and iPhone users, to add another layer of protection on your cell phone. 


QR codes undeniably make our lives easier. They are convenient and a great tool for many small businesses, for check-in at group events, for payment, and more. 

However, in this current climate, everyone needs to be aware of quishing, and all methods criminals can obtain your personal information. The key is to take a moment, pause, and critically view the URL of the link that appears. Taking precautions can save you from falling victim to this cyber threat. 

To learn more about different types of fraud and other ways to protect yourself, our fraud prevention and security page, so you can have peace of mind. Explore all our security features, brush up on smart social media tips and red flags, and inform yourself to keep your personal banking information as secure as possible. 

Be aware that Community First will never ask for your online banking credentials or your secure access code. If you are contacted for this information, please hang up immediately. Give us a call at 904.354.8537 and we will help verify your account is safe.

Please remember to never scan a random QR code on our or any ATM or teller drive-thru. 

For additional fraud protection, sign up for our debit card fraud alerts to help protect your accounts here. 

Back to Blogs