Quishing - Social Engineering
2025-08-13

Overview

Quishing (QR Code Phishing) is a social engineering technique in which attackers use manipulated QR codes
to redirect users to fraudulent websites or distribute malware.
This method exploits the trust in QR codes and the convenience of mobile device usage.

Malicious QR codes are often placed over legitimate ones or embedded in tampered documents, posters, or marketing materials.

Typical Scenario

An attacker places a prepared QR code in a location where a legitimate code is expected,
such as on a shipping label, flyer, or restaurant menu.
When scanned, the code opens a fake website that closely resembles the original,
prompting the victim to enter sensitive information or download malicious software.

Example:

A customer scans a QR code on a “Parking Payment” sign to pay quickly.
Instead of leading to the official payment portal, the code directs them to a phishing site
requesting credit card details.

Risks and Impacts

A successful quishing attack can lead to:

  • Theft of login credentials or payment information
  • Installation of malware on mobile devices
  • Identity theft
  • Financial losses
  • Exposure of sensitive data to third parties

Preventive Measures

  1. Physical inspection – Check if the QR code has been placed over or altered from the original.
  2. URL verification – Compare the scanned address with the URL printed on the document before opening it.
  3. Technical safeguards – Use QR scanning apps with integrated URL verification features.
  4. Awareness training – Educate employees and the public about quishing risks.
  5. Avoid insecure networks – Do not enter sensitive data over open Wi-Fi connections.

Standards and Best Practices

  • ISO/IEC 27001 – Annex A.12 & A.13: Communications Security
  • NIST SP 800-53 – Awareness and Training (AT), System and Communications Protection (SC)
  • BSI IT-Grundschutz – Module CON.1 “Email and Messaging Usage” (applicable to QR code usage)

Conclusion

Quishing is an emerging social engineering threat
driven by the growing adoption of QR codes.
Effective protection relies on a combination of technical verification,
critical user inspection, and targeted awareness initiatives.