Editor’s note: WRAL TechWire contributing writer Jen McFarland has  20+ years working in IT with experiences across a range of tools and technologies. She wants to help small businesses and teams design, improve, and maintain the technology that helps them succeed. In 2022, she incorporated Marit Digital.


RALEIGH — In 2022 nearly 89 million people scanned a QR code from their mobile device. That number is expected to top 95 million in 2023 and keep rising. QR codes, the boxy black-and-white barcodes that can store information, are a popular method of marketing.

Use of the codes has boomed in recent years as more retailers and restaurants have tried to share information without sharing COVID germs. And with the increased popularity, tech companies have embraced improved experiences for QR code scanning.

The emerging downside, however, is the up-and-coming phenomenon known as “quishing.”

QR Codes, iPhones & you: Next iOS release will make scanning easier

What is quishing?

The new term is a mash-up of “QR code” (which stands for “quick response code”) and “phishing”, where bad actors attempt to “fish” for a user’s personal information or passwords. These QR codes direct people to websites for similar goals, attempting to lure users into a fake login and collect IDs and passwords. Alternately they might facilitate a malware download to your device, compromising it.

These attacks are on the rise – understandably since the concept is an attractive one for hackers. We’re used to looking out for phishing attacks but QR codes are a new vector many potential victims are unaware of. Adding to the benefits is the fact that there’s very little effort required to make the QR code. They’re quick to generate and look legit without extra effort.

QR codes are incredibly easy to come by, with a multitude of websites dedicated to their creation for free. And while it’s possible to dress up your QR code with a logo, colors, or even shapes, the vast majority remain unbranded.

Then there’s the delivery. A QR code might land in your inbox and raise suspicion alongside a poorly written email, but more often these codes will pop up in the real world. QR code usage is more fluid, often part of processes like ticketing systems, contactless payment options, or 2-factor authentication. That also means dealing with real-world distractions that may stop you from second-guessing whether clicking on this page or entering your info is a good idea.

California resorts to QR codes in fight against illicit cannabis sales

Good habits help

Aside from not scanning QR codes anymore, what can you do?

The first step is one you’ve probably taken by reading this article, and that is having a healthy dose of skepticism. If the QR code is printed in your restaurant menu, it’s probably ok. If it’s a sticker on the side of a telephone pole without context, maybe think twice.

Some other tips to keep you safe:

  • Look for visual cues that the QR “belongs” to a specific company with some kind of branding element, but be aware that this too can be faked.
  • Depending on your device, the screen may pop up a preview of the URL you’re about to open. Double-check to make sure it’s the domain you expect, if possible.
  • Keep your devices up-to-date. Newer software is coming out with tools that can block fraudulent links.

And if all else fails, always make sure you’re keeping your accounts secure with 2-factor authentication or other security measures. These will help keep your accounts secure, even if your password is compromised.