Remind-R
See Remind-R in action
← All articles
Office & IT basics

Quishing: when the QR code becomes the bait

Quishing replaces the classic phishing link with a malicious QR code — the URL stays hidden until after the scan. The reflexes recommended by Safeonweb (CCB) and how to report a suspicious message.

Rédaction Remind-R · 16/07/2026 · 3 min
Share: LinkedIn X Facebook WhatsApp Email

The QR code as a new phishing vector

"Quishing" — a contraction of "QR code" and "phishing" — is a scam in which fraudsters encourage their victims to scan malicious QR codes. According to Safeonweb, the awareness service of the Centre for Cyber Security Belgium (CCB), such a code redirects to a phishing website or triggers the execution of a malicious program.

The typical scenario is alarmingly simple. The attacker generates a booby-trapped QR code, then places it in a public space or sends it by email, messaging or social media, disguised as an attractive offer or a supposedly essential update. The victim scans the code with a smartphone and is redirected to the fraudulent site — or the malware is silently installed on the device.

A blind spot the workplace cannot ignore

The technique's strength lies in an asymmetry: unlike a link in an email, a QR code does not reveal its destination URL before being scanned, which makes verification far harder. Safeonweb documented this shift with the very first fake messages sent in the name of grid operator Fluvius: the subject line promised compensation, and the classic link had been replaced by a QR code with helpful scanning instructions. The outcome was identical to clicking a poisoned link: a fraudulent website harvesting personal data.

Yet QR codes have become ubiquitous in professional life — posters, visitor badges, invoices, menus, charging points. That very familiarity works against vigilance: scanning has become a reflex gesture, which is exactly what the fraudster is counting on.

The four reflexes recommended by Safeonweb

Reporting: a small gesture that protects others

As with phishing emails, Safeonweb invites you to forward messages containing a suspicious QR code to suspicious@safeonweb.be. The analysis is fully automated: malicious URLs that are detected are passed on to Google Safe Browsing and Microsoft SmartScreen, which most browsers use to warn visitors. In 2022, six million messages were forwarded to the CCB in this way. Suspicious text messages can also be reported: simply forwarding a screenshot is enough, as the CCB's technology detects links inside images. Do not expect a personal reply — only an automatic acknowledgment is sent.

If you scanned anyway

Do not fill in any field, never give out personal codes and terminate any interaction. If you entered a password that you also use elsewhere, change it immediately. In the event of financial loss or shared banking details, Safeonweb recommends filing a report with the local police straight away and contacting your bank and/or Card Stop on 078 170 170.

The essential safeguard remains recurring awareness training. Adding quishing to basic IT-security courses — alongside classic phishing — turns a blind spot into a collective reflex.

Ask an AI about this article

Sources

  1. Beware of Quishing: the new phishing technique — Safeonweb / Centre for Cyber Security Belgium (CCB)
  2. What is suspicious@safeonweb.be? — Safeonweb / Centre for Cyber Security Belgium (CCB)
  3. Beware of new form of phishing: fake messages with QR code — Safeonweb / Centre for Cyber Security Belgium (CCB)
Refreshes the article based on the latest sources (once per day).
Article written with the help of artificial intelligence (in accordance with the EU AI Act). Information provided for guidance only, to be validated by a professional before any decision. Sources are listed above.