What makes a QR code different from a URL

A URL is text. You can read it before you click. You see "amazon.com" or "amaz0n-secure-login.cc" with your own eyes and your brain has at least a chance of catching the difference. A QR code is a square of black and white pixels that encodes the same URL - but you cannot read pixels. That single change in format kills every defense built on the assumption that the user sees the destination before committing:

  • Visual instead of textual. The destination is invisible until the camera decodes it, and on a phone the decode and the prompt to open arrive in the same instant.
  • Little or no preview before opening. Older phones and many third-party scanner apps open the URL the moment they detect a code. Modern iOS Camera and Google Lens show a preview banner, but it is small, often truncated, and dismissed by the same tap that opens the page.
  • Opens directly in the browser. No email client to flag it, no carrier SMS filtering to throttle it. Camera → browser → page, in two seconds.
  • Bypasses email filters. Email security extracts URLs from text. A QR code is an image, usually embedded in a PDF attachment; the filter sees a picture inside a document, not a link. Most filters cannot see it.

That last point is what turned quishing from a curiosity into a 12% slice of all mobile phishing in 18 months. The QR is a smuggling format. It carries a hostile URL past every defense built to read URLs.

The 6 places quishing attacks show up

1. Parking meters

The textbook case. Attackers print high-quality QR stickers and walk through a downtown lot at 2 AM, pasting them on top of the city's legitimate stickers. Austin, Texas police issued a public advisory in late 2024 after dozens of motorists reported fake stickers in the South Congress area. Houston's KHOU news reported the same scam in Q4 2024 across multiple districts. Atlanta and San Antonio followed in early 2025. The fake QR opens a page mimicking ParkMobile or PayByPhone, takes the card details, and confirms a fake transaction. The real meter ticks down. The motorist gets both a fraud charge and a parking ticket.

2. Restaurant menus

Almost every casual restaurant moved to QR-code menus post-pandemic. Attackers paste their own QR over the legitimate menu QR on the table. The fake page offers a "free dessert" or "10% off your bill" form that asks for your card to "hold" the discount. The waiter never sees it. The sticker can stay on the table for weeks.

3. Email attachments

The corporate variant and the reason quishing exploded. A PDF attachment titled "Voicemail.pdf" or "Invoice_Q1.pdf" or "Microsoft Authenticator.pdf" contains a single page with a QR code and a sentence: "Scan to listen / view / authenticate." The email gateway scanned the body and the PDF text - neither contained a URL. The QR image inside the PDF inside the email is opaque to most filters. Microsoft's Defender team flagged QR-in-PDF as the single highest-bypass payload in their Q1 2026 report.

4. EV charging stations

EV charging is QR-native - you pull up, scan, pay. Attackers paste a fake sticker over the legitimate one. The fake page mimics ChargePoint, EVgo, or Electrify America and asks for card details to "authorize" the session; the car never charges, and drivers blame the network. Reports surfaced from California and Florida networks throughout 2025.

5. Public WiFi sign-on posters

Airports, hotels, coffee shops post QR codes for guest WiFi. Attackers paste their own sticker nearby. The fake QR does one of two things: it opens a captive portal that asks for email + password (credential theft), or it encodes a WIFI: join string that puts your phone on an attacker-controlled access point (a man-in-the-middle position on your traffic). The preview banner only helps in the first case; a WIFI: payload has no URL to read, so the network name and whether the code is on official signage are all you have to go on.

6. "Pay this invoice" snail-mail letters

The newest variant moved offline entirely. A printed letter arrives with a real-looking utility bill or HOA notice and a QR code "for fast payment." No URL on the letter, no email trail, no spam filter involved. Older homeowners and small business owners are the primary targets - they trust paper mail more than email.

Why QR phishing bypasses email gateways

Email security tools - Proofpoint, Mimecast, Microsoft Defender for Office 365, Google Workspace - all rely on URL extraction. They parse the body, parse attachments, find every URL, look each up against threat intelligence, and rewrite suspicious ones. The parser reads text. A QR code is not text. It is a matrix of black and white modules carrying the URL bytes plus Reed-Solomon error-correction symbols, and the parser sees only an image object embedded in a PDF's content stream: a few kilobytes of pixels with no string to match.

The state of the art in 2026 is that the most advanced gateways now OCR images and run QR decoders on attached files. But most do not. Proofpoint's State of the Phish 2026 reports that roughly 50% of quishing emails still reach the inbox at the average mid-market organization, against roughly 3% for ordinary URL phishing. The defender gap is the entire reason attackers are pouring effort into this channel - for every 100 emails sent, they get ~17x more eyeballs.
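The gap described above is a routing problem: URL extraction returns nothing, so the file is never sent to anything that could decode the image. The triage step below, an added example that is not from the original article or any gateway vendor, counts image objects, link annotations and visible text in a PDF and routes "image present, nothing for the URL parser, scan-me wording" attachments to a QR decoder (zbar/zxing, not shown). Both sample PDFs are constructed inline and left uncompressed so plain regexes suffice; the object numbers, the word threshold and billing.example.com are assumptions for illustration. A real gateway would parse with a PDF library and inflate streams first.

```python
"""Added example: gateway-side triage for QR-in-PDF lures.
Not production code; the sample PDFs are constructed here."""
import re
from typing import Optional

IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")          # raster image XObjects
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")              # link-annotation targets
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")      # strings drawn with Tj
URL_IN_TEXT_RE = re.compile(rb"https?://|www\.", re.I)
CTA_RE = re.compile(rb"\b(scan|qr)\b", re.I)
FEW_WORDS = 20   # assumed threshold: a "scan to listen" page has far fewer


def build_pdf(text: str, with_image: bool, uri: Optional[str] = None) -> bytes:
    """Constructed single-page PDF. No xref table, so not a complete file,
    but every object a gateway would inspect is present and uncompressed."""
    content = f"BT /F1 12 Tf 72 720 Td ({text}) Tj ET\n"
    resources = "<< /Font << /F1 6 0 R >> >>"
    extra = []
    if with_image:
        # 1x1 grey image standing in for the QR bitmap
        content += "q 180 0 0 180 216 400 cm /Im0 Do Q\n"
        resources = "<< /Font << /F1 6 0 R >> /XObject << /Im0 5 0 R >> >>"
        extra.append("5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                     "/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n"
                     "stream\n\x00\nendstream endobj\n")
    annots = ""
    if uri:
        # A clickable link annotation: this is what URL extractors actually find
        annots = " /Annots [7 0 R]"
        extra.append("7 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 400 730] "
                     f"/A << /S /URI /URI ({uri}) >> >> endobj\n")
    pdf = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Resources {resources} /Contents 4 0 R{annots} >> endobj\n"
        f"4 0 obj << /Length {len(content)} >>\nstream\n{content}endstream endobj\n"
        + "".join(extra)
        + "6 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return pdf.encode("latin-1")


def triage_pdf(pdf: bytes) -> dict:
    """Decide which scanners this attachment must go through."""
    images = len(IMAGE_RE.findall(pdf))
    link_uris = [u.decode("latin-1") for u in URI_RE.findall(pdf)]
    shown = b" ".join(TJ_RE.findall(pdf))      # text a reader would see
    words = len(shown.split())
    text_has_url = bool(URL_IN_TEXT_RE.search(shown))
    scan_cta = bool(CTA_RE.search(shown))

    actions = []
    if link_uris or text_has_url:
        actions.append("url-scan")              # the normal pipeline has input
    if images and (scan_cta or words < FEW_WORDS):
        actions.append("qr-decode")             # URL parser alone would see nothing
    return {"images": images, "link_uris": link_uris, "words": words,
            "text_has_url": text_has_url, "scan_cta": scan_cta,
            "actions": actions}


if __name__ == "__main__":
    lure = build_pdf("Scan the code below to listen to your voicemail", with_image=True)
    invoice = build_pdf("Pay online at https://billing.example.com/inv/4471",
                        with_image=False, uri="https://billing.example.com/inv/4471")
    for name, doc in (("Voicemail.pdf", lure), ("Invoice_Q1.pdf", invoice)):
        print(name, triage_pdf(doc))
```

The lure comes back with one image, no link annotations, no URL in the visible text and a "scan" call to action, so it is routed to `qr-decode`; the invoice has a text URL and a link annotation and takes the ordinary `url-scan` path. Whatever the decoder extracts from the image should be fed back into the same URL reputation and rewrite stage, so the QR payload is judged exactly like a link in the body.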

The 4-step quishing chain

  1. Scan the QR. Camera opens, decodes the matrix, surfaces a URL preview that is either too small to read or instantly tapped past.
  2. Browser opens the fake page. The page is mobile-optimized, loads in under a second, matches the brand visually (ParkMobile, Microsoft, your bank, the restaurant's logo, the charging network).
  3. Page asks for login, card, or personal data. Sometimes one field, sometimes a multi-step form. The first ask is always small ("confirm your email") to reduce friction. Once you start filling, you keep filling.
  4. Data exfil to the attacker. The form posts to a server controlled by the attacker, usually behind Cloudflare or a free hosting CDN to hide the origin. The "success" screen tells you the transaction completed or the parking session started. You leave thinking the task is done. Card test charges hit your account within 20 to 90 minutes.

How to scan a QR safely

  1. Preview the URL before tapping. Modern iOS Camera and Android (Google Lens) both surface a banner with the destination URL after they decode the code. Read it. Do not tap until you have read it.
  2. Read the domain - the host name between "https://" and the next slash. Two tricks defeat a quick glance: anything before an "@" in that span is not the host (https://starbucks.com@example.cc/ goes to example.cc), and the brand name can be pushed into a subdomain (starbucks.com.example.cc belongs to whoever registered example.cc). What matters is the registered domain at the end of the host name - for .com, .io and most top-level domains, the last two labels. If you scanned a "Starbucks" code, that should be starbucks.com, either bare or under a subdomain such as app.starbucks.com. starbucks-rewards.co or secure-stbx.app is a scam. Be especially suspicious of unusual top-level domains (.cc, .xyz, .top, .click) for major brands.
  3. If unsure, type the brand domain manually. Open the browser, type parkmobile.io or your restaurant's name yourself. Real venues will accept manual lookup.
  4. Never scan a QR sent by a stranger. Random QR in a DM, on a flyer handed to you, in a comment on a public post - treat as hostile by default.
  5. Avoid scanner apps that auto-open. The built-in iOS Camera (Settings > Camera > Scan QR Codes) and Google Lens never open a decoded URL without showing the banner first; use them rather than third-party scanner apps, many of which skip the preview and open the page the instant they decode it.
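The domain check in step 2 is mechanical enough to automate, and writing it out shows where a glance goes wrong. The script below is an added example, not from the original article: it takes the text a phone decoded from a QR code and the brand printed on the sticker, and says whether the registered domain is one the brand actually controls. The brand allowlist, the public-suffix subset, the pay-zone.cc host and the other sample payloads are constructed for illustration; a real tool would load the Public Suffix List and a maintained brand-domain feed.

```python
"""Added example: does a decoded QR payload really belong to the brand
on the sticker? Allowlist, suffix list and samples are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: brand -> registrable domains the brand controls.
BRAND_DOMAINS = {
    "parkmobile": {"parkmobile.io"},
    "paybyphone": {"paybyphone.com"},
    "starbucks": {"starbucks.com"},
}

# Constructed subset of the Public Suffix List. Longest match wins so that
# menu.example.co.uk registers as example.co.uk, not co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "gov", "cc", "xyz", "top",
                   "click", "app", "co", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def check_qr_url(payload: str, expected_brand: str) -> dict:
    """Classify a decoded QR payload against the brand the sticker claims.

    ok is True only when the registrable domain is on the brand's allowlist
    and nothing else about the host looks like a disguise.
    """
    result = {"ok": False, "host": None, "domain": None, "reasons": []}
    parts = urlsplit(payload.strip())

    # QR payloads are not always web links: WIFI:, tel:, mailto: never open
    # a page, so a "menu" or "pay here" sticker should not carry them.
    if parts.scheme not in ("http", "https"):
        result["reasons"].append(f"non-web scheme {parts.scheme or '(none)'!r}")
        return result

    host = parts.hostname or ""
    result["host"] = host

    # https://parkmobile.io@pay-zone.cc/ : the brand is userinfo, the real
    # host is what follows the '@'. urlsplit already separates them.
    if parts.username is not None or parts.password is not None:
        result["reasons"].append("userinfo before '@' disguises the real host")

    # Raw IP literal: no brand serves its payment page from a bare address.
    try:
        ipaddress.ip_address(host)
        result["reasons"].append("host is an IP literal, not a brand domain")
    except ValueError:
        pass

    # Internationalized hosts become xn-- labels on the wire; a brand name
    # spelled with look-alike characters shows up here.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        result["reasons"].append("host contains characters that do not IDNA-encode")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        result["reasons"].append("punycode label in host (possible homoglyph)")

    domain = registrable_domain(ascii_host)
    result["domain"] = domain
    if domain not in BRAND_DOMAINS.get(expected_brand, set()):
        result["reasons"].append(
            f"registrable domain {domain!r} is not an official {expected_brand} domain")

    result["ok"] = not result["reasons"]
    return result


if __name__ == "__main__":
    # Constructed samples: one genuine link and four ways a sticker lies.
    for brand, payload in [
        ("parkmobile", "https://app.parkmobile.io/pay?zone=3121"),
        ("parkmobile", "https://parkmobile.io.pay-zone.cc/"),
        ("parkmobile", "https://parkmobile.io@pay-zone.cc/"),
        ("starbucks", "https://stаrbucks.com/rewards"),   # Cyrillic 'а'
        ("starbucks", "WIFI:S:Cafe Guest;T:WPA;P:hunter2;;"),
    ]:
        r = check_qr_url(payload, brand)
        print("OK " if r["ok"] else "BAD", payload, r["reasons"])
```

Only the first sample passes. The subdomain and userinfo tricks both resolve to pay-zone.cc once the host is parsed properly, the Cyrillic look-alike turns into an xn-- label that no allowlist entry matches, and the WIFI: string is rejected before any domain logic runs because it is not a web link at all.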

The physical attack: how to spot tampered QR codes in public

  • Sticker over sticker. Run your thumbnail along the edges. A fake QR pasted on top of a real one has a raised edge or a slight color mismatch around the border. The legitimate sticker was applied at install and has settled flush; a fresh attacker sticker sits proud.
  • Mismatched material. Real venue QRs are usually printed on UV-resistant vinyl or laminated paper. Attacker stickers are often glossy address-label stock that does not match the rest of the meter or table.
  • Domain in printed text near the QR. Legitimate venues almost always pair the QR with a printed short URL ("menu.thecornerbistro.com" or "parking.austin.gov"). If the QR is alone with no printed URL fallback, treat it as suspicious. If the printed URL exists, the QR should resolve to the same domain - confirm in the preview banner.
  • Cross-check with venue staff or signage. At a restaurant, your server can show you the menu PDF directly. At a parking lot, the city's pay-by-app should be ParkMobile, PayByPhone, Passport, or a named municipal app - never a one-off URL.

If you scanned and entered information

The first hour matters most. Card test charges almost always hit in the 20-90 minute window.

  1. Lock the card immediately. Most bank apps have a one-tap freeze. Order a replacement.
  2. Change any password you typed. If the form asked for an email and password, change that password everywhere you reused it. Enable 2FA.
  3. File a fraud alert with one of the three US credit bureaus (Equifax, Experian, TransUnion) if you typed SSN or date of birth. Free for one year. The other two are notified automatically.
  4. Watch statements daily for two weeks. Dispute any unauthorized charge as fraud. Most cards refund within seven days.
  5. Report to reportfraud.ftc.gov and IC3.gov. The FTC's consumer alert on QR code scams specifically asks consumers to report quishing attempts to feed enforcement priorities.
  6. Tell the venue. If the bad QR was on a parking meter, restaurant table, or charger, photograph it and report to the venue + local police. Removing the sticker fast saves the next victim.

How browser-layer defense catches the destination page

You cannot scan a QR safely if you cannot read the destination, and most users will not slow down to read the preview banner. The defense that works is at the page-load step: when the browser opens the URL the QR encoded, a scanner can recognize the page is impersonating a known brand on a non-official domain and block before any form input.

SafeBrowz is a free Chrome, Firefox, and Edge extension that does exactly this. On mobile, it works inside Microsoft Edge for Android - so a QR scanned by your iPhone or Android camera that you choose to open in Edge passes through the same 550+ brand database, JavaScript signature detection, and AI content analysis in 100+ languages. When a fake ParkMobile, restaurant menu, charger, or Microsoft Authenticator page loads, it shows a full-screen warning before the form renders. Install SafeBrowz free.

Frequently asked questions

Are QR codes themselves dangerous, or is it just the URL behind them?

Mostly the URL. A QR code is just encoded text - usually a URL, sometimes a WiFi join string or a contact card - and a URL in a QR carries exactly the same risk as any link you click in an email or a text. The danger is that you cannot read it before you scan, and the camera-to-browser jump on most phones is faster than your judgment.

How is "quishing" different from regular phishing?

The delivery channel. Phishing uses email links you can read. Smishing uses text links you can read. Quishing hides the URL inside an image - a QR code - so it can travel through email gateways, printed posters, parking meters, and PDFs without being parsed as a URL. The phishing page at the end of the chain is the same.

Should I stop scanning QR codes entirely?

No. QR is now standard for menus, parking, EV charging, ticketing, and authentication. The fix is not to avoid scanning but to always read the URL preview banner before tapping into the destination, and to be skeptical of stickers in public places that look freshly applied.

Why are PDF email attachments with QR codes such a problem?

Because email gateways parse URLs as text. A QR is a pixel pattern inside an image inside a PDF inside an email - three layers of indirection that most filters cannot decode. Proofpoint and Microsoft both report that around 50% of QR-in-PDF phishing emails reach the inbox, versus around 3% of normal URL phishing. That is why corporate quishing exploded in 2025.

Does my iPhone or Android block bad QR codes?

Partially. Both iOS Camera and Android Lens show a URL preview banner after decoding, which is your line of defense. Both also run Safe Browsing lookups (Apple Fraudulent Website Warning, Google Safe Browsing) when the browser opens the URL. But new phishing domains are usually live for 24-72 hours before those databases catch them, which is exactly the window the attacker harvests data in.

The QR code on the parking meter looked official. How would I know?

Check three things: (1) is the sticker pasted on top of another sticker, with a raised edge - peel it back gently with a fingernail, (2) does the URL on the preview banner match a known city or operator domain (austin.gov, parkmobile.io, paybyphone.com), (3) is there a printed short URL next to the QR that matches what the QR resolves to. If any of those fails, use a different meter or pay through the operator's app, typing the domain yourself.


Bottom line: Quishing works because the QR turns a hostile URL into an image, and images move freely past every filter built to read text - past your email gateway, past the printed page, onto parking meters and restaurant tables. Microsoft Defender, Cisco Talos, Proofpoint, FBI, and FTC all flagged the same pattern in 2025-2026 because the bypass rate is real. The fix is the 5-second check: read the URL preview before you tap, and recognize that a sticker on a public surface can be replaced overnight by anyone with a sheet of vinyl. Add a browser-layer scanner like SafeBrowz for the moments when the check slips.