QRishing: How QR Code Phishing Works


How attackers use QR codes for phishing: fake parking meters, restaurant stickers, email QR codes, and credential theft.

QRishing: How QR Code Phishing Works

QRishing (QR code phishing) exploits the inherent trust gap in QR codes — users cannot read the encoded URL before scanning. Attackers use this to redirect victims to credential-harvesting sites, malware downloads, and fraudulent payment pages.

Common Attack Vectors

Sticker overlays: Attackers place a malicious QR code sticker over a legitimate one on parking meters, restaurant tables, or public signage. The victim trusts the physical context and scans without suspicion.

Fake parking meters: Fraudulent QR codes on parking meter stickers redirect to fake payment pages that steal credit card information.

Email QR codes: Phishing emails containing QR codes bypass traditional URL-based email security filters — the malicious URL is encoded in the image, not in clickable text.

Business card substitution: Fake business cards with QR codes linking to credential-harvesting pages.

How QRishing Succeeds

  1. The victim cannot visually inspect the URL before scanning
  2. The physical context provides false trust (official-looking sticker on a legitimate device)
  3. Mobile browsers may not prominently display the full URL
  4. Users are habituated to scanning without checking — especially post-COVID
  5. URL shorteners further obscure the destination

Defence Strategies

For consumers:
  • Always check the URL preview before opening (iOS and Android show the URL after scanning)
  • Look for signs of sticker tampering (raised edges, misalignment, different paper stock)
  • Be suspicious of QR codes in emails; legitimate organisations rarely use them for login
  • Use a QR scanner app that highlights suspicious URLs

For businesses deploying QR codes:
  • Use your own branded domain (not shorteners) so users can recognise it
  • Consider tamper-evident materials for public QR codes
  • Include the destination URL in readable text near the QR code
  • Use HTTPS exclusively and consider HSTS preloading
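The consumer advice above (preview the URL, prefer a scanner that highlights suspicious destinations) and the business advice (branded domain, HTTPS, no shorteners) can both be turned into a mechanical check on the text a QR scanner decodes. The following is an added example written for this guide, not code from qrcodefyi.com: it takes a decoded payload and reports the warning signs the guide lists. The shortener list, the branded-domain allowlist (`pay.example-city.gov`) and the sample payloads are constructed for the example; a real scanner would carry fuller lists.

```python
"""Heuristic checker for URLs decoded from QR codes (added example).

Given the text a QR scanner decoded, flag the warning signs the guide
lists before the user opens it: plain HTTP, URL shorteners, raw IP hosts,
punycode lookalikes, userinfo tricks and mismatches against the
organisation's own branded domain.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short list of well-known public shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Hypothetical allowlist: the branded domain an organisation prints on its
# own QR codes, so a scanner can tell "ours" from "looks like ours".
BRANDED_DOMAINS = {"pay.example-city.gov"}


def _is_ip_host(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _matches_domain(host: str, domain: str) -> bool:
    """Exact match or a genuine subdomain of the branded domain."""
    return host == domain or host.endswith("." + domain)


def analyse_qr_url(payload: str, branded=BRANDED_DOMAINS) -> dict:
    """Return a verdict ('ok', 'suspicious' or 'review') plus the warnings found."""
    warnings = []
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        # tel:, mailto:, WIFI: or plain text: not a web link, needs a human look
        return {"verdict": "review", "host": host,
                "warnings": [f"non-web scheme '{scheme or 'none'}'"]}
    if scheme == "http":
        warnings.append("plain HTTP: page and any entered credentials are unencrypted")
    if not host:
        warnings.append("no hostname in URL")
    elif _is_ip_host(host):
        warnings.append("raw IP address instead of a domain name")
    elif host in SHORTENER_HOSTS:
        warnings.append(f"URL shortener ({host}) hides the real destination")
    else:
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode (IDN) hostname: possible lookalike domain")
        if parts.username is not None:
            # https://trusted.example@evil.test/ really goes to evil.test
            warnings.append("credentials before '@': the real host is after the '@'")
        if branded and not any(_matches_domain(host, d) for d in branded):
            # e.g. pay.example-city.gov.attacker.test contains "example-city"
            brand_labels = {d.split(".")[-2] for d in branded if d.count(".") >= 1}
            if any(label in host for label in brand_labels):
                warnings.append("host resembles but does not match a branded domain")
            else:
                warnings.append("host is not one of the organisation's branded domains")
    if len(payload) > 200:
        warnings.append("unusually long URL")

    verdict = "ok" if not warnings else "suspicious"
    return {"verdict": verdict, "host": host, "warnings": warnings}


# Constructed sample payloads (documentation/reserved names only)
SAMPLE_PAYLOADS = [
    "https://pay.example-city.gov/meter/1042",            # legitimate branded URL
    "http://bit.ly/3xyzabc",                               # shortener over HTTP
    "https://pay.example-city.gov.attacker.test/login",   # lookalike subdomain
    "https://192.0.2.10/parking",                          # raw IP host
    "https://pay.example-city.gov@evil.test/meter",        # userinfo trick
    "WIFI:T:WPA;S:cafe;P:secret;;",                        # non-web payload
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        result = analyse_qr_url(p)
        print(f"{result['verdict']:10} {p}")
        for w in result["warnings"]:
            print(f"           - {w}")
```

The check is deliberately conservative: anything that is not a plain `https://` link to an allowlisted domain produces at least one warning, which is the behaviour a scanner app that "highlights suspicious URLs" should have. The allowlist is what makes the business-side advice (branded domain, no shorteners) verifiable on the consumer side.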

Key Takeaways

  • QRishing exploits the inability to visually inspect encoded URLs
  • Sticker overlay attacks on public infrastructure are the most common vector
  • Email QR codes bypass traditional phishing filters
  • Always preview the URL before opening after scanning
  • Businesses should use branded domains and tamper-evident materials