skip to log on skip to main content
VoiceOver users please use the tab key when navigating expanded menus
Article related to:

Types of scams

What is Quishing? QR code scams explained

Security specialist

2026-06-25 04:30

Estimated reading time

5 min

Key points:

  • Quishing uses QR codes to scam you by sending you to fake websites or harmful downloads.
  • QR codes can hide dangerous links, making scams harder to spot.
  • Scammers place QR codes in emails, messages, or public places to trick people into scanning them.

Can you spot a QR code scam?

A quick scan might seem harmless, but it could lead to a fake website designed to steal your personal or payment details. These QR code scams are becoming more common as cybercriminals take advantage of how easy it is to trust and scan.

Understanding how quishing works is key to staying safe online.

What is quishing, or a QR code scam?

Quishing, a term that combines QR and phishing, is a type of cyber-attack where criminals use QR codes to trick people into harmful actions.

These fraudulent QR codes may appear in emails, printed materials, or across digital platforms. When scanned, they can direct users to fake websites or trigger unsafe downloads.

Because QR codes hide the actual web address, it can be harder to identify suspicious links before interacting with them.

What is a QR code?

A QR (Quick Response) code is a type of two-dimensional barcode that can be scanned using a smartphone or device with a camera. It provides a quick and convenient way to access information with just a quick scan.

How is a quishing different from text-based phishing?

While both are phishing attacks, the main difference is the delivery method:

  • Text-based phishing uses links in emails or messages.
  • Quishing hides the malicious link inside a QR code, making it harder to detect.

Why are quishing attacks a concern?

QR codes are widely used, from restaurant menus and parking meters to deliveries and event check-ins. Their popularity has made them a common target for scammers.

Here’s why QR code scams can be risky:

  • Hard to spot scams: QR codes often hide the full web link, making it less obvious where they lead before scanning.
  • Fake codes in public places: Scammers may place fake QR codes over real ones in locations like cafes, car parks, or posters.
  • Tricky across devices: A QR code might be received on one device (e.g. work laptop) but scanned on another (e.g. personal phone). This type of device crossover may not be fully covered by security tools, making risks more difficult to detect and manage.

Because of these risks, it’s not always obvious when a QR code is unsafe - making quishing attacks an increasing concern for everyday users.

How can you help reduce the risk of a quishing attack?

Although no solution is completely foolproof, there are several practices that may help individuals and organisations reduce the risk of being affected by a quishing attack:

  • Check the web address displayed after scanning a QR code and before proceeding. If the web address seems suspicious or unusual, it may be safer to avoid interacting with it.
  • Exercise caution when scanning QR codes, especially those that appear unexpectedly or are associated with time-sensitive requests.
  • Consider typing web addresses manually if prompted to log in or make a payment, particularly for sensitive transactions.
  • Use official app stores rather than QR codes when downloading applications.
  • Stay current with device updates and security patches, which may help limit exposure to known vulnerabilities.
  • Promote awareness and training among employees, friends, and family about the potential risks related to QR code misuse.
  • Explore tools such as secure QR code generators when distributing your own QR codes to help reduce the risk of tampering.
  • Enable multi-factor authentication for all accounts you have, where possible.

At the end of the day, it’s really about staying curious and informed. Asking a few questions before you scan can sometimes make a big difference.

How to spot a QR code scam?

  • The message urges you to act quickly or threatens consequences.
  • The QR code comes from an unknown or suspicious source.
  • The website you land on looks unusual or asks for sensitive information.
  • The QR code is placed over another code or sticker in public.

What happens if you scan a fraudulent QR code?

If you think you have been scammed, first of all, try not to blame yourself. Even tech-savvy people sometimes scan the wrong QR code without thinking, and can find themselves caught in a scam.

  • If you have shared financial information or believe you have transferred money to a cybercriminal, notify your bank immediately. If you are an ANZ customer, please contact us immediately to report the fraud.
  • If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the app. Learn more.
  • Change passwords for all accounts that may have been compromised, including banking, email, and social media accounts.

Who can you contact if you’ve been impacted by a QR code scam?

  • Report the QR code scam to the Police through the Australian Signals Directorate’s ReportCyber portal. This resource is there for reports of scams where money or personal information has been lost.
  • Help others by reporting to Scamwatch to help them prevent future losses, monitor trends and educate the population about emerging threats.
  • For phishing or identity theft associated with government accounts such as Centrelink, Medicare, or Child Support, contact the Services Australia Scams and Identity Helpdesk on 1800 941 126 or visit their website.
  • You can also contact IDCare, a not-for-profit organisation that provides support to those experiencing identity and cyber security concerns.

Final thoughts

QR codes can be super handy, and many of them are likely safe. But like anything online, a little awareness can go a long way. If something feels off, it might be worth checking twice before scanning once.

anzcomau:content-hubs/security/scams
What is Quishing? QR code scams explained
ANZ
Security specialist
2026-06-25
/content/dam/anzcomau/images/security-hub/types-of-scams/qr-code-scams-banner-1200x800.png

Protect your virtual valuables

Stay safe online and protect yourself with the cyber security PACT – simple guidelines to help you stay one step ahead of the scammers.

Learn more

 

 

The information set out above is general in nature and has been prepared without taking into account your objectives, financial situation or needs. Before acting on the information, you should consider whether the information is appropriate for you having regard to your objectives, financial situation and needs. By providing this information ANZ does not intend to provide any financial advice or other advice or recommendations. You should seek independent financial, legal, tax and other relevant advice having regard to your particular circumstances.

Top