Phishing Vs Quishing…I Was Almost Quished!
You've seen a phishing email—those dodgy messages pretending to be from your bank, a delivery company, or even your CEO. But this isn’t just a digital problem; it’s crept into the real world too.
A few weeks ago, I drove into London, as my event was due to end after the last train home. I parked in a busy car park—nothing unusual. Normally, I’d use Ringo or PayByPhone, but this time, the car park only accepted payments through a relatively unknown app called ConnectCashless. No problem—as with most scenarios, there was a QR code conveniently placed on the sign to take me straight to the payment page.
As I tried to navigate through the unfamiliar interface, something didn't sit right. The QR code wasn’t actually part of the sign—it had been stuck over the real one! The sign had been tampered with; the QR was fake, taking me, the busy, unsuspecting driver, to a 'similar' but VERY different website, waiting for me to hand over my card details.
This was a scam, not an online scam—it was phishing in the physical world. It was quishing.
What is Quishing?
As QR codes become increasingly common across industries, they’ve also become a new target for cybercriminals through quishing—a type of QR code phishing attack. Quishing takes advantage of the trust users place in QR codes by embedding malicious links that, when scanned, direct users to phishing sites designed to steal personal information, passwords, or access to secure systems.
These scams are often hard to spot because they appear in everyday contexts like restaurants, parking meters, or social media ads. Hackers cleverly disguise these attacks to resemble trusted sources, making it essential for organisations and individuals to recognise the risks and stay vigilant.
Cybercriminals have found that quishing can bypass traditional email security filters, making it an attractive attack method. Email has various protective systems in place, and we are all a lot more vigilant with it; with a single scan of a QR code, by contrast, a user can be unknowingly redirected to a fake website or even download malware onto their device. As QR codes continue to be widely adopted, quishing is becoming an increasingly low-tech yet sophisticated cybersecurity threat.
Where Quishing is Happening
🚗 Parking Meters – Fake QR codes over official ones, directing users to phishing sites that steal card details instead of processing payment.
🍽️ Restaurant Menus – QR codes for ordering food are being swapped out for fake ones that redirect users to fraudulent sites to harvest payment information.
🎁 Special Offers & Promotions – QR codes found on social media, compromised websites, or emails/texts often lead to fake websites designed to steal personal and payment details.
🏛️ Business & Government Scams – Fake Companies House letters with QR codes requesting payment for fraudulent services.
🔐 Security Authentication Emails – Scammers send fake Microsoft authentication requests with QR codes designed to steal login credentials and MFA codes.
🎡 Exhibitions & Events – Criminals insert their own branded promotional materials at business expos, using QR codes that lead to malware or phishing pages.
How to Quash Quishing Attempts—Online and Offline
Phishing works because it exploits trust and distraction. Here’s how to stay ahead of scammers:
🔹 Verify Any QR Codes Before You Use Them – If you’re not expecting to scan a QR code, don’t do it. Avoid QR codes shared via social media or emailed unexpectedly.
🔹 Physically Inspect QR Codes – If a QR code looks like a sticker, it could be a fraud. Where possible, type in the official website.
🔹 Check the URL or Source – Whether it’s an email, a text message, or a QR code, look closely before clicking. Fake sites often use slightly altered domains (e.g., paypa1.com instead of paypal.com).
🔹 Be Suspicious of Urgency – "Your account will be locked in 24 hours!" If a message is rushing you into action, take a step back.
🔹 Use Advanced Security Tools – Businesses should have email security filters that detect malicious QR codes, MFA to prevent unauthorised access, and password security best practices.
🔹 Employee Cyber Awareness Training – Regular cybersecurity training ensures staff can spot phishing attempts, including quishing.
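The "Check the URL or Source" step can be automated for URLs decoded from QR codes. The following is an added example, not part of the original article: a Python check that compares a decoded URL's host against a list of domains you expect, and flags lookalikes such as paypa1.com. The function names, the confusable-character table and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps seen in lookalike domains (constructed, not exhaustive).
CONFUSABLES = str.maketrans("10357", "loest")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify_qr_url(url: str, trusted: set) -> str:
    """Classify a decoded QR URL as 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return "invalid"
    if parts.scheme != "https" or not host:
        return "invalid"  # a payment or login page must be served over HTTPS
    if has_userinfo:
        return "lookalike"  # https://paypal.com@other.example/ hides the real host
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"  # punycode can render as look-alike Unicode letters
    for d in trusted:
        tail = ".".join(labels[-(d.count(".") + 1):])
        if host.startswith(d + "."):
            return "lookalike"  # trusted name used as a subdomain of another site
        if tail.translate(CONFUSABLES) == d.translate(CONFUSABLES):
            return "lookalike"  # digit swapped for a letter, e.g. 1 for l
        if edit_distance(tail, d) <= 1:
            return "lookalike"  # one character added, dropped or changed
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, as if decoded from scanned QR codes.
    for u in ("https://www.paypal.com/pay", "https://paypa1.com/pay",
              "https://paypal.com.pay-secure.example/login"):
        print(classify_qr_url(u, {"paypal.com"}), u)
```

An "unknown" result is not a pass: it only means the host resembles nothing on your list, so the official site should still be typed in by hand.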
Final Thought: Think Before You Click (or Scan)
The lines between cyber and real-world scams are blurring, and phishing isn’t just lurking in your inbox anymore—it’s on signs, restaurant tables, parking meters, and even official-looking letters. The best way forward is awareness and scepticism.
📩 Need a cybersecurity audit or staff training to protect your business from phishing attacks? Let’s talk.
Have a great week
Richard
Vitiola Technology
01306 298 928