University of Colorado Anschutz Medical Campus

Information Security and IT Compliance News

QR Phishing Scams

Aug 18, 2025

Image of a laptop with a QR code and someone scanning it but there's a red warning sign showing that it is a bad code.

While you continue to maintain vigilance on phishing (email) and smishing (text) scams, it’s important to also be aware of a newer threat called QR phishing or “quishing”. “Quishing” is a phishing scam that uses a QR code to compromise your credentials or data.

How QR Phishing Works:

QR phishing or “quishing” is when a bad actor manipulates a QR code to redirect users to a malicious website or to download malware. It works the same as if you clicked on a malicious link in an email or text message.

How to Identify a Malicious QR Code:

Check the Source
- Trusted origin: Only scan QR codes from known, reputable sources (e.g., official posters, verified emails).
- Suspicious placement: Be wary of QR codes placed in public areas, especially if they look like stickers covering something else.
Preview the URL and look for:
- Misspelled domains (e.g., g00gle.com)
- Unusual or shortened URLs (e.g., bit.ly, tinyurl)—these can hide the true destination.
Avoid Automatic Actions
- Some QR codes can initiate actions like sending texts, making calls, or connecting to Wi-Fi. Be cautious if the scanner prompts you to perform such actions without explanation.
Look for Tampering
- If a QR code is on a sign, poster, or product packaging, check if it looks like it was added later or covers another code.
- Scammers often place fake QR stickers over legitimate ones.

These may be easier to spot on a large screen vs a cell phone, so if you are on your phone pay extra close attention and zoom in if necessary.

If You Catch a QR Phishing Attempt:

If you identify a QR phishing attempt, follow the same practice for reporting phishing.