Quishing Hides Scams Inside QR Codes. Here's How to Scan Safely.
Next time you see an innocent-looking QR code out in the world, think twice about scanning it. When visiting some friends, a U.K. woman used a public parking lot and walked up to the kiosk to pay for her spot. There, she found a sign giving her the option to pay with her smartphone via QR code. Only after she scanned the code, visited the legitimate-seeming website, and entered her payment information did she suddenly grow suspicious. Fortunately, she was able to alert her bank in time to block the charge because the website the QR code had directed her to was a scam.[1]
It's not a U.K.-specific phenomenon. Fraudulent QR codes have been found affixed to parking meters in Fort Lauderdale, Florida and several Texas cities.[2,3] Scammers also include malicious QR codes in emails and text messages in an attempt to lead people to harmful websites. It's a cybercrime practice called quishing — which may sound familiar to those aware of the fraudulent email scam of phishing or its text and voice cousins, smishing and vishing.
Here's what you should know about quishing before taking out your phone to scan a QR code.
What Is Quishing, and How Does It Work?
A QR code is simply a way to direct a user to a website on their phone without having to type in a website address. Most of us have seen these used in restaurants to take diners to a menu or on a poster to direct readers to an organization's website. It's easy to not pay any attention to exactly what website address the QR code directs you to until you've arrived.
Quishing relies on this blind trust of QR codes — and many people's tendency not to think about cybercrime out in the real world. While some quishing attempts take users to fraudulent websites asking for money, like the scam QR codes stuck on parking meters, others could install malware on your device designed to steal information from your phone.[4]
Quishing also occurs via email and text messages. This may seem strange; if someone is already on a device when they receive this digital message, a hyperlink is an easier way to direct them to a website. But because a QR code is an image, it can often avoid security software, especially when it's embedded in a PDF attachment.[5]
How Common Is Quishing?
It's hard to say how common quishing is today because the FBI's Internet Crime Complaint Center (IC3) groups all spoofing frauds (wherein a scammer fraudulently pretends a communication is from a trusted source) together with phishing. Phishing/spoofing was the top complaint to the IC3 in 2023, with 298,878 complaints.[6] However, this category was fairly low on the IC3's list of total losses reported, at $18.7 million.
One cybersecurity company found that during a period in early October 2023, 22% of attacks detected on their network came from QR codes.[7] Data from another cybersecurity company determined that quishing rose from 0.8% of phishing attacks in 2021 to 12.4% in 2023.[8]
While private company data tends to reflect a subset of the population, the fact that these organizations are seeing a significant uptick in quishing indicates that it's likely becoming increasingly common elsewhere as well.
How To Protect Yourself From Quishing
If we lived in a different world, it would be easy to advise people away from QR codes, but they are everywhere at this point. In 2022, 89 million U.S. smartphone users scanned a QR code, which was a 26% increase over 2020.[9] The Federal Trade Commission (FTC) offers these ways to interact with QR codes safely [4]:
- Look closely at the URL before you open it. When you have a QR code in your phone's camera frame, you should see the website address pop up. Before clicking on it, inspect it carefully. If it contains misspellings or looks suspicious in any way, don't click through.
- Be suspicious of QR codes in text or emails. Even if you think the source is legitimate, still don't use the QR code. Look up the organization's website or phone number and contact them on your own.
- Avoid QR codes accompanied by urgent asks. If a QR code tells you to act immediately or else, take this as a serious red flag. This is a common spoofing tactic.
- Keep your phone secure. Updating your phone's operating system immediately when an update is available helps keep your device as secure as possible.
The Better Business Bureau adds these helpful tips [10]:
- Consider short links a red flag. If you position your phone camera over a QR code and a shortened link appears — which is not only shorter than usual, but doesn't end with .com, .org, or another expected URL ending — don't click on it. There is no way to confirm the real website it will direct you to in advance.
- Look for tampering on physical QR codes. Like the QR code stickers that have appeared on parking meters, look for indications that a physical QR code might have been added to the sign or kiosk. Better yet, if it's a payment kiosk and another payment method is available, avoid the QR code altogether.
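The URL checks in the FTC and BBB tips above (misspelled addresses, shortened links) can also be automated wherever QR codes are decoded on a user's behalf, such as a mail filter or a help-desk tool. The following is an added example, not code from the FTC, the BBB, or this article's publisher; the function names, the shortener list, and the sample hosts are assumptions, and the punycode, IP-address and non-HTTPS checks are extra heuristics beyond the tips listed here.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative sample of well-known link shorteners (assumption: a real
# deployment would maintain its own, longer list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_qr_url(url, expected_hosts):
    """Return warning tags for a URL that was already decoded from a QR code."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if host in SHORTENERS:
        warnings.append("shortener")      # real destination cannot be seen in advance
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode")       # may render as look-alike characters
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal")     # bare IP address instead of a name
    except ValueError:
        pass
    # Trusted only if the host is an expected domain or a subdomain of one.
    trusted = any(host == g or host.endswith("." + g) for g in expected_hosts)
    if not trusted:
        for g in expected_hosts:
            # Trusted name embedded in another domain, or a one/two-character misspelling.
            if g in host or edit_distance(host, g) <= 2:
                warnings.append(f"lookalike:{g}")
    return warnings

# Constructed sample input: "cityparking.example" is a made-up trusted payment host.
if __name__ == "__main__":
    for u in ("https://pay.cityparking.example/zone/12",
              "https://cityparkinq.example/pay",
              "http://bit.ly/3abcXYZ"):
        print(u, triage_qr_url(u, ["cityparking.example"]))
```

An empty list means none of these checks fired, not that the site is safe; a host that is simply unknown is not flagged by this function.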
As with many cybercrimes, awareness that quishing exists goes a long way toward not falling victim to it. Though we may be on high alert for scams when online, QR codes in the real world can catch people by surprise. By looking for warning signs and using QR codes only when they're the only way to reach a trustworthy source, you can keep yourself — and your phone — safe from quishing.
If you do think you've fallen victim to quishing, report the incident to the FBI's Internet Crime Complaint Center (IC3) and local law enforcement.[11]
You can also follow the steps outlined in our guide, "What to Do if You Are a Victim of Fraud," to protect your credit and financial accounts.
Consider Signing Up for Credit Monitoring
Does remembering to regularly scan your credit report sound exhausting? Another option: Choose a service that will do the credit monitoring for you.
For example, as a Synovus Plus, Synovus Inspire, or Synovus Private Wealth customer, you can enroll in complimentary Financial Protection Services through Carefull. Depending on the level of protection you have, Carefull will monitor your credit reports and notify you any time changes are made. Carefull will also scan the web to make sure your personal information hasn't been compromised by checking websites, blogs, and peer-to-peer networks. Carefull also offers full-service identity restoration if you become a victim of identity theft.
Learn more about how you can achieve peace of mind as a Synovus customer with Carefull.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information. Diversification does not ensure against loss.
1. David G.W. Birch, "The FTC Is Concerned About QR Codes (And So Should You Be)," Forbes, published February 28, 2024. Accessed November 19, 2024.
2. Lena Salzbank, "Fort Lauderdale officials warn of QR code scam on parking meters and signs," MSN/NBC Miami, published November 14, 2024. Accessed November 19, 2024.
3. Jenni Bergal, "Beware of 'Quishing': Criminals Use QR Codes to Steal Data," Government Technology, published February 18, 2022. Accessed November 19, 2024.
4. Alvaro Puig, "Scammers hide harmful links in QR codes to steal your information," Federal Trade Commission, published December 6, 2023. Accessed November 19, 2024.
5. Solomon Klappholz, "Hackers are stepping up ‘qishing’ attacks by hiding malicious QR codes in PDF email attachments," ITPro, published October 23, 2024. Accessed December 5, 2024.
6. Internet Crime Complaint Center, "Federal Bureau of Investigation Internet Crime Report 2023," accessed November 18, 2024.
7. Eliott Tallqvist, "Don’t scan! Insights from the Hoxhunt cybersecurity human risk benchmark challenge," published October 19, 2023. Accessed November 19, 2024.
8. Egress, "New Egress report reveals Millennials are the key target, as AI, Quishing, and Multi-Channel attacks top phishing trends," published April 18, 2024. Accessed November 19, 2024.
9. Laura Ceci, "Number of smartphone users in the United States who used a QR code scanner on their mobile devices from 2020 to 2025," Statista, published February 28, 2023. Accessed November 19, 2024.
10. Better Business Bureau, "BBB Scam Alert: Fraudulent QR codes continue to be used in a variety of scams," published July 17, 2024. Accessed November 19, 2024.
11. Internet Crime Complaint Center, Complaint Form, FBI. Accessed November 19, 2024.