How scammers are using QR codes to steal your data
Not all QR codes are harmless. Here’s what to look out for to avoid falling for a “quishing” scam.
4 min read
QR codes have quickly gone from tech novelty to everyday convenience, popping up on everything from bills to business cards. But as we’ve gotten comfortable scanning away, cybercriminals have found a way to exploit that trust. Enter quishing: a devious form of phishing that uses innocent-looking QR codes to wreak havoc with your personal data.
How “quishing” is gaining momentum
QR codes, short for "quick response" codes, were originally invented by a Japanese car manufacturer in 1994 to streamline production. Fast forward to today, and these little squares are packed with all kinds of data, like URLs, product details, or contact info. Their appeal lies in their simplicity. Instead of typing out a long web address, you scan the code, and your phone instantly takes you to the right site or content. That convenience took off during the pandemic, when businesses needed a contactless way to keep things running smoothly and their customers safe.Now, from product packaging to bathroom walls, QR codes have seamlessly blended into our daily routines. Need a user manual for your new gadget? Just scan the code. Want to pay your tab? There’s a QR code for that. Because they’ve become so common, we’ve developed a blind trust in QR codes. But that trust is exactly what cybercriminals are counting on. Take the famous Coinbase ad from the 2022 Super Bowl: a bouncing QR code that prompted millions of viewers to scan and download their app. It was clever and effective, but also sparked serious concerns among cybersecurity experts. The potential risks became even more evident when scammers started using QR codes in crypto-related frauds, duping victims into handing over their funds.
How a quishing attack works
In a quishing attack, scammers generate a malicious QR code that leads unsuspecting users to a dangerous website. These QR codes can be cleverly embedded in phishing emails, plastered across social media, printed on flyers, or even stuck on physical objects in the real world. The hook? A little social engineering magic. Imagine receiving an email claiming you’ve won a cash prize or need to retrieve an important voice message — just scan the QR code to claim it. But once you scan, you're directed to a malicious site that asks for sensitive information like your name, email, date of birth, or financial details. These fake sites are designed to look legitimate, but their only purpose is to capture your data for identity theft, financial fraud, or worse. The FTC has flagged instances where scammers slap their own QR codes on parking meters, or where text messages pressure their targets into scanning a QR code to fix account problems or respond to "suspicious activity." The common thread? A sense of urgency that gets their victims to act before thinking.
Security at N26
At N26, security is our priority. Discover a 100% mobile banking experience
So, why are criminals turning to quishing? The answer lies in our mobile-first world. Most desktop systems come with layers of phishing protection, making it harder for bad actors to succeed. But smartphones? That’s where scammers see their opportunity. Mobile devices are often less protected, and QR code-based attacks can easily slip through traditional safeguards like secure email gateways. In fact, many security systems see QR codes as just innocent images, completely missing the hidden threat.Since people have grown accustomed to scanning QR codes without much thought, they may not realize that the code they just scanned is sending them to a malicious site or installing malware on their device. The result? Cybercriminals can steal your personal information, bank credentials, or worse — all while hiding behind the seemingly innocent image of a QR code.
Why quishing is so challenging to defend against
Quishing is a real headache because it jumps between devices, making it harder to catch. For example, you get an email on your work computer with a QR code, but you scan it with your phone. If that phone is your personal device, it likely isn’t covered by your company’s security policies, giving attackers an easy in. On the flip side, if a malicious QR code lands in your personal inbox but you scan it with a work device, malware can sneak past your company’s defenses. This device-hopping complexity creates tricky blind spots that make it challenging for organizations to spot and block these sneaky attacks.
How to protect yourself from quishing
The easiest way to protect yourself from quishing is to avoid scanning random QR codes — especially from unknown sources. If something feels off, like a QR code in an unusual place, take a moment to inspect the URL for odd spellings or swapped letters. If you're unsure, skip the scan and verify the info by calling a trusted number or visiting the company’s official website. Most legitimate companies won’t use QR codes to verify accounts. To add extra layers of protection, enable multi-factor authentication (MFA), and be cautious with authentication notifications — only approve them if you initiated the login. Lastly, keep your phone updated and use strong, unique passwords with MFA to stay a step ahead of scammers.
Your money at N26
At N26, your security is our priority. Security features like 3D Secure and biometric authentication are included with your N26 account to keep you and your money safe. Plus, we regularly update our blog with articles about the latest online fraud tactics and how to protect yourself. Learn how to protect your digital identity and create a strong password, how secure mobile banking works, and much more.
The AI-powered future of banking is already here in areas like fraud detection, risk assessment, and customer service, says digital finance expert Xavier Lavayssière. Read on to learn more.
The AI-powered future of banking is already here in areas like fraud detection, risk assessment, and customer service, says digital finance expert Xavier Lavayssière. Read on to learn more.
