QR Phishing Scams
Aug 18, 2025
How QR Phishing Works:
QR phishing or “quishing” is when a bad actor manipulates a QR code to redirect users to a malicious website or to download malware. It works the same as if you clicked on a malicious link in an email or text message.
How to Identify a Malicious QR Code:
- Check the Source
  - Trusted origin: Only scan QR codes from known, reputable sources (e.g., official posters, verified emails).
  - Suspicious placement: Be wary of QR codes placed in public areas, especially if they look like stickers covering something else.
- Preview the URL and look for:
  - Misspelled domains (e.g., g00gle.com)
  - Unusual or shortened URLs (e.g., bit.ly, tinyurl)—these can hide the true destination.
- Avoid Automatic Actions
  - Some QR codes can initiate actions like sending texts, making calls, or connecting to Wi-Fi. Be cautious if the scanner prompts you to perform such actions without explanation.
- Look for Tampering
  - If a QR code is on a sign, poster, or product packaging, check if it looks like it was added later or covers another code.
  - Scammers often place fake QR stickers over legitimate ones.
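The URL and automatic-action checks above can also be applied to the text a scanner decodes from a QR code, before anything is opened. The following is an added example, not part of the original advisory; the shortener list, trusted-domain list, digit-for-letter map and sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions); a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com"}
TRUSTED = {"google.com"}
LOOKALIKE = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s
# Common non-web QR payload prefixes and what the scanner does with them.
ACTION_PREFIXES = {
    "wifi:": "joins a Wi-Fi network",
    "tel:": "starts a phone call",
    "sms:": "composes a text message",
    "smsto:": "composes a text message",
}

def _match(host, domains):
    """Return the listed domain that host equals or is a subdomain of."""
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def triage_qr_payload(payload):
    """Return a list of warnings for a decoded QR payload string."""
    text = payload.strip()
    for prefix, effect in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            return [f"action: {effect}"]
    try:
        parts = urlsplit(text)
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not a web link: review the raw content before acting"]
    host = parts.hostname.lower()
    warnings = []
    if _match(host, SHORTENERS):
        warnings.append("shortened URL: true destination is hidden")
    if not _match(host, TRUSTED):
        # Undo digit-for-letter swaps and see if the result hits a trusted name.
        looks_like = _match(host.translate(LOOKALIKE), TRUSTED)
        if looks_like:
            warnings.append(f"lookalike domain: resembles {looks_like}")
    return warnings

if __name__ == "__main__":
    samples = [  # constructed payloads
        "https://g00gle.com/login",
        "https://bit.ly/3abcd",
        "WIFI:S:Guest;T:WPA;P:constructed;;",
        "https://www.google.com/maps",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s) or ["no warnings"])
```

An empty result only means none of these three checks fired; the source and tampering checks still apply.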
If You Catch a QR Phishing Attempt:
If you identify a QR phishing attempt, follow the same practice as for reporting any other phishing attempt.
- Do NOT click on any links.
- Do NOT enter any information.
- Do NOT provide your credentials.
- Stop all actions.
- If on a university device, contact the OIT Service Desk and report the attack.