
QR codes have become a part of everyday life, from restaurant menus and parking meters to event tickets and flyers. Their ubiquity stems from the convenience they offer. Yet with their widespread use come new risks. Scammers are adapting to current trends, exploiting the fact that most people trust QR codes without question and rarely consider where a code leads. Unfortunately, a seemingly harmless payment link can prove to be a Trojan horse, emptying a bank account in minutes.
Quiet Rise in Victims

Recent estimates show that more than 26 million people had encountered quishing links by spring 2025. This figure is staggering, accounting for roughly 26% of malicious links tracked by security firms like KeepNet Labs. To make matters worse, traditional antivirus or email filters cannot flag these threats, because the malicious links are embedded in image form and bypass scanning entirely. It’s an objectively clever approach – except that it’s causing innocent people to lose their savings.
Real Cases, Real Loss

In one case reported in the UK, a man scanned a QR code on a parking machine only to discover losses exceeding £13,000, all from unauthorized charges. The situation is very similar in the U.S., where scams have targeted users scanning codes at gas stations or cafes, only to find malware or scammers draining their funds via cloned login pages. These attacks happen in minutes, leaving little time to react. By stealing credentials, scammers impersonate the victim’s bank, pretending to issue warnings and instructing them to move money to “safe accounts” that the scammers control.
The Scam You Probably Didn’t Expect

This is called “quishing” (QR-phishing). The trick involves subtly manipulating victims into revealing personal or financial details. Criminals overlay fake QR codes on legitimate ones, such as those on payment signs or secure posters, directing scanners to counterfeit websites. These sites mimic official brands, apps, or websites almost perfectly, but the outcome is the same. They prompt users to enter sensitive data, including bank or card information. Victims often don’t realize they’ve been compromised until their money vanishes. Recovering it is nearly impossible.
It’s a Proven but Hidden Tool

Experts consider quishing more dangerous than email phishing because QR codes don’t visually display URLs, making them harder to analyze initially. Even cybersecurity professionals struggle to detect the threat before scanning the code. However, recent academic frameworks indicate that machine-learning systems can partially identify malicious patterns in a QR code’s visuals. But such tools aren’t accessible to the average person. As a result, scams are rising quietly and rapidly, seemingly impossible to avoid.
The Moment It All Turns

Once a victim scans a QR code, they are redirected to a fake site that looks identical to a bank or payment platform login. They enter credentials or card information, which is immediately sent to scammers. Some sites prompt users to authorize payments or confirm their identity, the final step needed to drain the bank account. As mentioned, it takes only minutes for accounts to be cleared out.
Sometimes, this escalates. Scammers impersonate bank representatives to induce panic, making it harder to detect the threat. They pressure victims to move funds to “safe” accounts. By the time people realize something is wrong and contact their bank, the scammers have already succeeded.
Why Your Bank’s Defenses Can’t Help

Traditional defenses, like email filters, anti-phishing toolbars, or SMS alerts, are often bypassed. QR codes embedded in images aren’t scanned for phishing content. Even secure HTTPS certificates can’t confirm a site’s legitimacy beyond basic checks. A cybersecurity professor explained, “Hackers rely on urgency. People don’t pause to verify legitimate sources.”
What You Can Do Now to Avoid It

Stay vigilant with these steps. Inspect the QR code before scanning: look for signs of tampering, such as stickers placed over existing codes or awkwardly positioned QR codes, which may indicate they’re not legitimate. Use official apps instead of scanning codes, since you’re much safer with a trusted source. If you’ve scanned a code, verify the URL: watch for random words or misspellings, and ensure it uses HTTPS. Never enter personal or financial data after scanning unless you’re certain of the source. Finally, monitor bank alerts actively. If any unauthorized transaction occurs, notify your bank immediately.
Why the Risk Continues to Grow

Quishing is highly appealing to organized crime due to its low cost, high return, and low detectability. As regulators and financial institutions issue warnings, scammers shift to new public surfaces like parking lots, delivery notices, flyers, and grocery stores, where QR codes remain hidden and trusted. The public isn’t fully aware of how quickly this scam is spreading. Awareness campaigns, unfortunately, lag behind.
Awareness Is Vital

This scam isn’t hypothetical – it’s already affected tens of millions. QR code phishing is nearly invisible, which is what makes it so dangerous. You might think you’re just paying for everyday items, but you could be handing over your bank and personal data. Protect yourself by scanning only trusted codes, double-checking URLs, and refusing to enter sensitive information. If something feels off, don’t scan. When in doubt, go directly to the official site. In this day and age, vigilance is our best defense.