Quishing (QR-Phishing)

Modified on Mon, 18 Mar 2024 at 10:15 AM

Quishing, or QR-phishing, is a scheme where scammers create QR codes that hide harmful web links. These QR codes are circulated through channels like email, messages, social media, and even physical flyers for people to scan. Upon scanning, users are redirected to counterfeit websites that may initiate the download of malicious content or request sensitive information, including login credentials or financial details. These QR codes are proven to be effective because they can bypass traditional email security checks, making them harder to detect. 


Common Squishing Modus Operandi


1. Phishing emails that contain fake QR codes

Scammers pretend to be a trusted organization and ask victims to scan the QR code in their email. If scanned, victims will end up being redirected to fake website that looks legitimate. These phishing emails and messages will always create a sense of urgency such as online banking payment did not process, account locked, etc.


2. QR Code for Deals that Too-Good-To-Be-True

Scammer may contact victims offering a limited time “giveaway” by scanning the given QR code. However, you’ll never get what is promised. Scammers may also invite victims to join unrealistic investment and ask to send them money.


3. QR Code Package Scams

Scammers send a package that victims never ordered. On the box, that’s a QR code the victim can scan for more information or returning the item. The QR code will take potential victims to phishing websites that ask for personal information, like credit card number.


4. QR Code Payment Scams

QR codes are used by real businesses for easy payments. Scammers can replace a fake RQR code at the convenience store or restaurant. They can also place QR codes in public areas, for instance, scammers might put signs in parking lots, saying that visitors can pay by scanning a QR code. It might take you to a fake payment site.

Sample of Quishing




Things to keep in mind:

  • Check the QR code link. After scanning a QR code, your phone will preview the website link. Make sure it looks legitimate and isn’t a misspelled URL like "celcomdigi.com" instead of "celcomdgi.com."
  • Check the website. Inspect the URL carefully. Look out for spelling mistakes or anything that seems wrong, which could be a sign of a phishing website. Also, look for a lock symbol or "https://" in the website address – these are signs of secure websites.
  • Verify the validity of the sender. If you get a weird email, letter or message with a QR code from a company, call them to make sure it's legit. 
  • Watch for tampering. If you see a QR code in a public place, like a restaurant, make sure there's no sticker on top of it. Scammers might have put it there.
  • Never scan a QR code from an unfamiliar source. Don't scan QR codes from strangers whether you meet them online or in person. Be cautious if someone offers you something too good to be true such as free money or products by scanning their QR code.
  • Do not make rush decisions and refuse pressure to act immediately. Take your time to make an informed decision.

To report this issue, please get in touch with us.

Rest assured that CelcomDigi is actively taking measures to ensure our customers do not fall prey to such scams.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article