// Guides
Quishing — spotting QR-code fraud
Quishing is phishing via QR code: criminals use manipulated codes to lead you to convincing fake pages that harvest banking or login data. A QR code’s destination is not immediately visible — exactly what makes the scheme effective.
Updated: 2026-06-19
Immediate steps
- 1Before scanning, check whether the QR code looks stuck-on or tampered with (parking meters, letters, charging stations).
- 2After scanning, check the displayed target URL before opening it.
- 3Enter no login or banking data on a page opened via a QR code.
- 4For bank/authority pretexts: type the address into the browser yourself, do not use the code.
- 5Treat unexpected QR codes in letters, parcel notices and fake parking tickets with particular caution.
What not to do
- Do not casually scan QR codes from unexpected mail or public spaces.
- Do not install an app just because a QR code prompts you to.
- Do not let urgency (“pay the fee now”) pressure you.
When professional help makes sense
Unsure whether a QR code or its destination is genuine? We check the indicators and assess the risk — before you enter any data.
Get in touchCommon questions
- Is scanning alone dangerous?
- The risk usually arises only on the destination page — when entering data or installing apps. Check the URL and enter nothing.
- Where does quishing occur most?
- At parking meters, in fake bank letters, with parcel notices, fake parking tickets and charging stations.
- How do I check the target URL?
- Most cameras show the URL before opening. Watch for deviating domains and unusual characters.