QR PHISHING

Swish and BankID QR phishing scam in Sweden: why a QR code should never sign you in

A text or QR code pretending to be Blocket, PostNord, or Swish leads to a phishing page that triggers a real BankID signing. This is social engineering, not a hack, and it is rising fast in 2026.

SafeBrowz Threat Research, Security Research. June 18, 2026. 8 min read.

The 60-second read

Verdict: scam. If a QR code, link, or message asks you to open BankID to "verify your identity," "log in to confirm you are the buyer," or "receive a Swish payment," it is a scam. A BankID signature authorises something, so signing on a scammer's page hands them access to your bank or approves a payment out of your account. You only ever open BankID or Swish yourself, from the real app, for an action you started. Receiving a Swish payment never requires you to sign anything. Do not scan the QR code. Verify the buyer in the real Blocket, Swish, or PostNord app instead.

What the Swish and BankID QR scam is, and why it is spreading in 2026

Sweden runs more of daily life through two apps than almost any country on earth. BankID is the national electronic identity: it is how Swedes log in to their bank, sign a contract, file taxes, and prove who they are online. Swish is the instant mobile payment app that nearly every adult uses to split a bill, pay a market stall, or send money to a friend in seconds. Because both are trusted absolutely, they are exactly what a scammer wants you to open on their behalf.

The attack does not break BankID or Swish. There is no technical breach. It is pure social engineering. A message or a QR code, dressed up as Blocket (Sweden's biggest online classifieds marketplace) or PostNord (the national postal and parcel service) or Swish itself, leads you to a convincing phishing page. The page then asks you to authenticate. When you open BankID and sign, you are not "confirming" anything harmless. You are authorising the scammer to log in to your bank or to approve a payment they have queued. The signature you give on their page does real work for them.

This is not a rare edge case. According to Swedish fraud-prevention figures tracked by sakerhetskollen.se and reported by idskydd.ai, Swish-related fraud rose by more than 30 percent through 2025 and has kept climbing into 2026. Both Swish and BankID have re-issued public warnings telling people that they will never ask you to sign in order to receive money or to "verify" yourself for a stranger. When the two institutions behind the rails feel the need to repeat the warning, the wave is real.

How the scam plays out, step by step

The exact story changes, but the machinery is consistent. Here is the most common version, the fake Blocket buyer.

  • You list an item for sale on Blocket. A "buyer" messages you quickly, friendly and eager, and says they will pay through Swish or a Blocket payment feature.
  • They send you a link or a QR code and say you need to "confirm you are the seller" or "log in to receive the Swish payment" before the money can be released.
  • The link opens a page that looks like Blocket, Swish, or a bank. It asks you to identify yourself with BankID, or it shows a QR code for you to scan with the BankID app.
  • The moment you open BankID and sign, you are not receiving anything. You are logging the scammer into your bank, or approving a Swish payment that sends your money to them.

The PostNord variant uses a different hook with the same ending: a text says a parcel is held and you must pay a small customs or redelivery fee, with a link to a payment page that ends in a BankID signing. The Swish-direct variant simply tells you there is "a problem with your Swish" or "a payment waiting to be claimed" and asks you to sign in to fix it. In every case the payoff is the same: a BankID signature you give on a page you did not navigate to yourself.

What the scam links look like (illustrative)

The phishing page almost never lives on a real Blocket, Swish, or bank domain. It lives on a cheap or free hosting platform with the brand name jammed into the address so it reads as official on a small phone screen. The examples below are illustrative lookalikes of that pattern:

  • swish-verifiera.vercel.app
  • blocket-betalning.pages.dev
  • bankid-secure.netlify.app

The trick is that the brand name appears somewhere in the string, but never as the real registrable domain. The genuine Swish site is swish.nu and the genuine BankID site is bankid.com. A free-hosting subdomain like swish-verifiera.vercel.app is not Swish, no matter what the page shows you, because anyone can publish anything under vercel.app, pages.dev, or netlify.app. A QR code makes this worse, not better: a QR code is just a link your eyes cannot read, which is precisely why scammers print one instead of a visible address.


The one rule that defeats this scam

You do not need to learn every variant. There is a single rule that holds across all of them, and it is worth memorising:

A QR code or a link should never trigger a BankID signature to "verify," to "log in for a buyer," or to "receive a Swish payment." You only ever open BankID or Swish yourself, from the real app, for an action you started.

This works because of what a BankID signature actually means. Signing with BankID authorises something specific: a login, a contract, a payment. It is your legal yes. So if anyone else hands you a reason to sign, they are handing you a reason to authorise their action. The honest cases all flow the other way: you decide to log in to your bank, so you open the bank app and start it; you decide to pay a merchant, so you open Swish and enter the amount yourself. Receiving money through Swish is the clearest test of all, because it needs no signature whatsoever. If a "buyer" or a "refund" asks you to sign to receive, the request is impossible by design, which means it is a scam.

Red flags that give it away every time

Beyond the core rule, these tells appear again and again.

  • You are asked to sign to receive money. Receiving a Swish payment never requires a BankID signature. This single fact ends most of these scams on the spot.
  • A buyer pushes you off Blocket fast. "Let us finish on Swish," "I will send a payment link," "scan this to confirm." A genuine buyer has no reason to move you to an external page.
  • The link is on free hosting, not the real domain. Real Swish is swish.nu, real BankID is bankid.com, and real Blocket is on blocket.se. Anything on vercel.app, pages.dev, netlify.app, or a random cheap domain is not them.
  • Urgency and a small fee. "Pay 19 kr to release your parcel," "confirm within 10 minutes or the payment is cancelled." Pressure is the lever that stops you checking.
  • A QR code instead of a readable address. If the only way to proceed is to scan a code you cannot read, treat it as hostile until proven otherwise.
  • The BankID prompt does not match what you expected. If you opened a page to "receive" something but BankID asks you to authorise a payment or a login, stop. Read the text in the BankID app itself, never the web page.

What SafeBrowz sees on the network

When the SafeBrowz engine inspects one of these Swedish phishing pages, the structure is consistent enough to read across all three detection layers. A few patterns stand out.

First, the host is almost always free or throwaway. The destination behind a Swish or Blocket smishing message tends to sit on a free-hosting platform or a domain registered within the last few days. No real bank or national payment service is days old, and none of them publishes a login page on a subdomain that anyone can claim.

Second, the page is a brand sandwich on the wrong domain. The address carries "swish," "bankid," "blocket," or "postnord" plus a Swedish transactional word ("verifiera," "betalning," "logga in"), then resolves somewhere that the real brand never uses. The brand name living anywhere except the genuine registrable domain is itself the signal.

Third, the content gives itself away. A Swish or BankID logo, a "log in to receive your payment" headline, and an embedded BankID launch button or QR code, all served from a non-official host, is a textbook impersonation profile. Content-level analysis flags the impersonation even when the page is brand new and missing from every blocklist.
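The host-level and naming signals in the three points above, as an added example that is not SafeBrowz's own code: it reduces a link (or the address decoded from a QR code) to its registrable domain, treats the free-hosting suffixes named in this article as space anyone can claim, and flags a brand token paired with a Swedish transactional word anywhere in the address when the registrable domain is not the genuine one. The suffix, brand and keyword lists are constructed for illustration and the two-label registrable-domain rule is a simplification; a production version would use the Public Suffix List and the domain-age lookup the article mentions.

```python
"""Lookalike-address check for the Swish/BankID/Blocket smishing pattern.

Added example, not SafeBrowz code. All lists below are constructed for
illustration and are not the extension's signatures.
"""
from urllib.parse import urlsplit

# Genuine registrable domains named in the article.
OFFICIAL = {"swish.nu", "bankid.com", "blocket.se"}

# Free-hosting suffixes under which anyone can publish (constructed list).
SHARED_SUFFIXES = {"vercel.app", "pages.dev", "netlify.app"}

# Brand tokens and Swedish transactional words seen in these campaigns.
BRANDS = ("swish", "bankid", "blocket", "postnord")
KEYWORDS = ("verifiera", "betalning", "logga", "secure")


def split_host(host: str) -> tuple[str, bool]:
    """Return (registrable domain, is_shared_hosting).

    Simplified: the last two labels are treated as the registrable unit.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host, False
    reg = ".".join(labels[-2:])
    return reg, reg in SHARED_SUFFIXES


def classify(url: str) -> dict:
    """Classify a link or the text decoded from a QR code."""
    if "://" not in url:            # bare hosts from a QR decoder
        url = "https://" + url
    lowered = url.lower()
    host = (urlsplit(url).hostname or "").lower()
    reg, shared = split_host(host)
    # Brand and keyword are searched in the whole address, not just the
    # host, because the brand may be jammed into the path or userinfo.
    brand = next((b for b in BRANDS if b in lowered), None)
    keyword = next((k for k in KEYWORDS if k in lowered), None)
    if reg in OFFICIAL:
        verdict = "official"         # the real registrable domain
    elif brand and (shared or keyword):
        verdict = "lookalike"        # brand on a host the brand never uses
    elif brand:
        verdict = "suspicious"       # brand present, domain not genuine
    else:
        verdict = "unknown"
    return {"host": host, "registrable": reg, "shared_hosting": shared,
            "brand": brand, "keyword": keyword, "verdict": verdict}
```

Run the three illustrative addresses from this article through `classify` and each comes back `lookalike`, while `www.swish.nu` comes back `official`.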

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1, Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including homograph and lookalike variants) plus community whitelist and blacklist, all running in the extension before the page renders. It catches brand-impersonation keyword patterns on free-hosting and cheap-TLD hosts instantly.
  • Layer 2, API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (most of these destinations are days old) and 30+ scam TLDs.
  • Layer 3, AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new Swedish lookalike that no blocklist has seen yet, including pages that hide a BankID launch behind a QR code.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any Blocket, PostNord, or Swish link and get a verdict in seconds.

What to do right now

If a suspicious Swish, Blocket, or PostNord message just landed, here is the whole correct response.

  1. Do not scan the QR code or tap the link. The link is the entire attack surface.
  2. Never sign with BankID for a buyer, a refund, or a "verify." If you did not start the action yourself in the real app, do not sign. Read the BankID prompt text inside the app, and cancel if it does not match what you intended.
  3. Verify in the real app. Open the official Blocket, Swish, or PostNord app yourself and check there. Receiving Swish money needs no signature, so if a "payment" requires one, it is fake.
  4. Check the link first if unsure. Paste it into the SafeBrowz URL checker before you act on it.
  5. Then block and delete. Block the sender and remove the message.

If you already signed with BankID on a fake page or sent a Swish payment, act fast. Call your bank immediately using the number on the back of your card or the official app, and tell them you signed on a phishing page so they can lock access. Report the fraud to the Swedish police at polisen.se, and contact BankID support through the genuine bankid.com site. Our full "I got scammed, what to do now" walkthrough covers the first-hour playbook in detail.

How this fits the wider QR phishing wave

If this feels familiar, it is because the same trick is spreading worldwide under the name "quishing" (QR-code phishing). The QR code is attractive to scammers for one reason: it hides the destination from the human eye while looking modern and trustworthy. Sweden's version is sharper than most because the payoff is a BankID signature, a single tap that carries legal weight. For the global picture of how QR-code scams work and how to check a code before you scan it, see our guides on quishing, the QR-code phishing scam, and on how to tell if a website is a scam.

The defence does not change from brand to brand or country to country. The message can wear any logo. The structure of the attack, a link or QR code that ends in an authentication you did not start, does not change. That is why a structural rule beats trying to memorise every new disguise.

Frequently asked questions

Is the Swish or BankID QR code that asks me to verify a scam?

Yes. A QR code or link that asks you to open BankID to "verify your identity," "log in to confirm you are the buyer," or "receive a Swish payment" is a scam. A BankID signature authorises an action, so signing on someone else's page hands them access to your bank or approves a payment. You only ever start BankID or Swish yourself, in the real app, for something you intended to do.

Do I need to sign with BankID to receive a Swish payment?

No, never. Receiving money through Swish requires no BankID signature at all. If a buyer, a "refund," or a payment page tells you to sign in order to receive money, the request is impossible by design and is a scam. You sign only when you are sending money or logging in yourself.

What is BankID and what does signing with it actually do?

BankID is Sweden's national electronic identity, used to log in to your bank, sign contracts, and prove who you are online. A BankID signature is your legal yes to a specific action, such as a login or a payment. That is why signing on a scammer's page is dangerous: it authorises whatever they have set up, not a harmless "verification."

A Blocket buyer sent me a link to confirm the payment. Is it safe?

Treat it as a scam. A genuine Blocket buyer has no reason to move you to an external page or QR code, and Swish does not need you to "confirm" yourself to receive money. Keep the conversation inside the official Blocket app and never sign with BankID for a buyer.

What do the real Swish and BankID websites look like?

The genuine Swish website is swish.nu and the genuine BankID website is bankid.com. Real Blocket lives on blocket.se. Any page on a free-hosting subdomain such as vercel.app, pages.dev, or netlify.app, or a random cheap domain with the brand name in it, is not the real service even if the logo looks perfect.

I scanned the QR code and signed with BankID. What now?

Act immediately. Call your bank using the official number and say you signed on a phishing page so they can lock your access, then change your bank credentials. Report the fraud to the Swedish police at polisen.se and contact BankID support through the genuine bankid.com site. Watch your accounts closely for unauthorised Swish payments.

How do I report a Swish or BankID phishing scam in Sweden?

Report it to the Swedish police (Polisen) at polisen.se, contact your bank's fraud line, and reach BankID support through bankid.com. You can also use the fraud-awareness resources at sakerhetskollen.se to check a suspicious message before you act on it.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.
