It was only a few short years ago that scanning QR codes felt awkward and even a little suspicious. Today, you probably scanned three or four before lunch – parking meters, restaurant menus, charging stations – they’re everywhere.
QR codes themselves are just a delivery mechanism, like a hyperlink. The technology is not the problem. The problem is that bad actors have learned to weaponize them the same way they weaponize email links – and most people don’t realize it yet.
That’s where “quishing” comes in. It’s phishing delivered through a QR code, and since the FBI began issuing warnings about it in 2024, reported attacks have jumped 600%. Small businesses are being hit hardest.
Here’s why it’s effective: You point your phone at a square of black-and-white dots, and you have no idea where it’s about to send you until you’re already there. The scam bypasses your company’s phishing defenses entirely because it never touches your email filters.
Three common ways you might encounter a malicious QR code:
- Someone prints a fake QR sticker and places it over the real one on a parking meter, restaurant menu, or similar surface.
- An attacker embeds a QR code inside a PDF email attachment, slipping past filters that only scan text links.
- A flyer, business card, or conference poster directs you to a fake landing page that drops malware or steals your login credentials.
Three precautions to help you steer clear:
- Think context, not just code. Scanning a QR code at a restaurant you chose is very different from scanning one that arrived in an email or a PDF you weren’t expecting. Treat unsolicited QR codes the same way you’d treat a suspicious link – skip it and go directly to the company’s website instead.
- Never make payments through a QR code in a document. Only use known login pages that you type into the browser yourself.
- Look for tampering. Does it look like a sticker laid over another sticker? Run your fingernail along the edge. If it peels away, walk away. Genuine QR codes are usually printed onto the surface, not stuck on top.
The goal isn’t to avoid QR codes – it’s to use them with the same awareness you’d apply to any link. A little skepticism in the right moments goes a long way.
To learn more about keeping your business systems and data secure, contact me at CMIT Solutions today. And yes, our QR code is legit.