The QR code as a new phishing vector
"Quishing" — a contraction of "QR code" and "phishing" — is a scam in which fraudsters encourage their victims to scan malicious QR codes. According to Safeonweb, the awareness service of the Centre for Cyber Security Belgium (CCB), such a code redirects to a phishing website or triggers the execution of a malicious program.
The typical scenario is alarmingly simple. The attacker generates a booby-trapped QR code, then places it in a public space or sends it by email, messaging or social media, disguised as an attractive offer or a supposedly essential update. The victim scans the code with a smartphone and is redirected to the fraudulent site — or the malware is silently installed on the device.
A blind spot the workplace cannot ignore
The technique's strength lies in an asymmetry: unlike a link in an email, a QR code does not reveal its destination URL before being scanned, which makes verification far harder. Safeonweb documented this shift with the very first fake messages sent in the name of grid operator Fluvius: the subject line promised compensation, and the classic link had been replaced by a QR code with helpful scanning instructions. The outcome was identical to clicking a poisoned link: a fraudulent website harvesting personal data.
Yet QR codes have become ubiquitous in professional life — posters, visitor badges, invoices, menus, charging points. That very familiarity works against vigilance: scanning has become a reflex gesture, which is exactly what the fraudster is counting on.
The four reflexes recommended by Safeonweb
- Treat every QR code like an unknown link. The same caution applies as with an unexpected link in an email or text message.
- Check the source. A QR code received by email or via social media deserves a provenance check before any scan.
- Use a secure scanner. Some scanning applications display the URL and verify the safety of the link before opening it.
- Keep devices up to date. Regularly updating devices and applications protects against known vulnerabilities that attackers exploit.
Reporting: a small gesture that protects others
As with phishing emails, Safeonweb invites you to forward messages containing a suspicious QR code to suspicious@safeonweb.be. The analysis is fully automated: malicious URLs that are detected are passed on to Google Safe Browsing and Microsoft SmartScreen, which most browsers use to warn visitors. In 2022, six million messages were forwarded to the CCB in this way. Suspicious text messages can also be reported: simply forwarding a screenshot is enough, as the CCB's technology detects links inside images. Do not expect a personal reply — only an automatic acknowledgment is sent.
If you scanned anyway
Do not fill in any field, never give out personal codes and terminate any interaction. If you entered a password that you also use elsewhere, change it immediately. In the event of financial loss or shared banking details, Safeonweb recommends filing a report with the local police straight away and contacting your bank and/or Card Stop on 078 170 170.
The essential safeguard remains recurring awareness training. Adding quishing to basic IT-security courses — alongside classic phishing — turns a blind spot into a collective reflex.