QR codes moved from novelty to daily habit in a few short years. Customers scan them on restaurant tables, parking meters, product packaging, invoices and posters without a second thought. That trust is exactly what criminals are exploiting through a technique now widely known as quishing: QR code phishing.
Unlike a suspicious email link, a QR code gives no visual clue about where it leads until the phone's camera resolves it, and by then the browser may already be open. For businesses that rely on QR codes for menus, payments, ticketing or marketing, understanding quishing is no longer optional. It is a customer trust and brand safety issue.
What quishing actually looks like
Quishing attacks generally fall into a few recurring patterns:
Sticker overlays. A fraudulent QR sticker is placed directly on top of a legitimate one, on a parking meter, a menu, a poster or a delivery locker.
Fake compliance or payment notices. Printed letters or flyers mimic tax offices, parcel carriers or utility companies, asking the recipient to scan a code to "confirm" a payment or fine.
Malicious posters and flyers in public places. These often reference free Wi-Fi, prize draws or event check-ins to encourage an instant scan.
Email and PDF quishing. A QR code embedded in a document or email bypasses many spam filters and link scanners because it is an image, not clickable text, yet it still redirects to a credential-harvesting page once scanned.
The end goal is usually one of two things: harvesting login credentials or payment details through a fake site, or installing malicious configuration profiles and apps on a mobile device.
Why QR codes are an effective attack surface
Several factors make QR codes attractive to attackers compared with traditional phishing links.
No visible URL before the scan. Users cannot hover over a QR code the way they can hover over a hyperlink to preview the destination.
Physical placement bypasses digital filters. A sticker on a real-world object is not scanned by an email security gateway or a browser's phishing blocklist.
Habitual, low-friction trust. Scanning a QR code has become an automatic action, similar to tapping a notification, with little conscious evaluation of risk.
Mobile context reduces scrutiny. Small screens make it harder to read full URLs, spot spelling mistakes in domains, or check for HTTPS and certificate details.
Consumer trust research consistently shows that people judge the legitimacy of a QR code by its physical context, a code on an official-looking menu or government notice is assumed safe, rather than by verifying the underlying link. This is the exact assumption that quishing exploits.
How customers and staff can spot a fake QR code
Practical, teachable habits reduce risk significantly, even without technical tools:
Inspect the code physically. A sticker placed over another code, uneven edges, a different print quality or gloss, or a code that looks slightly off-position are all warning signs.
Check the preview URL before opening it. Most modern phone cameras show the destination link before opening it. Encourage customers to read the full domain, not just the first few characters.
Be wary of urgency and unexpected codes. Fines, "unpaid parking", "confirm your parcel" and limited-time offers are common pressure tactics designed to short-circuit careful reading.
Avoid entering credentials or payment details immediately after scanning. If a QR code leads to a login page, it is safer to navigate to the official site directly rather than typing a password on the linked page.
Look for a recognisable, branded domain. A QR code that resolves to a domain matching the business, rather than a generic or unrelated shortener, is far easier to trust and verify at a glance.
This last point is where businesses have real control over the outcome, and it leads directly to one of the most effective structural defences against quishing.
Branded short domains: a structural defence, not just a design choice
Many QR code generators route every code through the same generic short domain, shared across millions of unrelated codes from unrelated accounts. This creates two problems. First, customers cannot tell your legitimate code from another business's code, or from a malicious one, because the domain itself carries no brand signal. Second, generic shorteners are frequently abused, which means some of them end up flagged or blocked by browsers and security tools over time, sometimes affecting entirely legitimate codes caught in the same domain reputation.
A branded short domain, for example go.yourbusiness.eu instead of a generic shared shortener, gives customers something concrete to verify. It reinforces that the code was issued by the business they already trust, and it makes spoofing harder because attackers would need to mimic your specific domain rather than piggyback on a generic one that already looks unfamiliar to everyone.
Combined with visible link previews on modern phones, a branded domain turns a "blind scan" into something closer to reading a normal, checkable web address. That single change closes a large part of the trust gap that quishing relies on.
How EUQR reduces quishing risk by design
EUQR was built around the assumption that QR codes are now critical infrastructure for customer interactions, not a throwaway marketing gimmick, and that they should be treated with the same care as any other public-facing digital asset. A few design decisions matter directly for quishing resistance:
EU-hosted infrastructure. Data and redirect logic stay within the EU, which matters both for GDPR compliance and for giving businesses clear, predictable control over where customer scan data is processed.
Privacy-first data handling. EUQR avoids unnecessary tracking and third-party data sharing, which reduces the amount of customer information available to attackers even if a code or account were ever compromised.
Support for branded, verifiable short domains. Businesses can use their own domain for QR redirects instead of a generic shared shortener, giving customers a recognisable, checkable destination.
Dynamic code management. Because the destination behind a code can be updated and monitored centrally, businesses can react quickly if a code is ever reported as tampered with or misused, without needing to reprint every physical instance.
Clear ownership and audit trail. Codes are tied to a verified account, making it straightforward to demonstrate which codes are genuinely issued by the business if a dispute or fraud report arises.
None of this replaces basic customer vigilance, but it removes several of the structural weaknesses that quishing attacks depend on: anonymous shared domains, opaque data handling and no clear way to verify who actually issued a given code.
Conclusion
Quishing works because QR codes inherit trust from their physical context rather than earning it through a verifiable digital link. Businesses that want to protect customers need to address both sides of that gap: training customers and staff to check previews and question urgency, and choosing QR infrastructure that offers branded domains, EU-based hosting and privacy-conscious data practices. Treating QR codes as a serious part of your digital footprint, rather than an afterthought, is the most reliable way to keep the convenience without inheriting the risk.