
What is Quishing? QR Code Phishing Explained — The Ultimate Guide 2026


Quishing is QR code phishing — in 2026 the fastest-growing phishing variant in Europe. How the scam works, how to spot it, and how to protect yourself. With current BSI and police data, 18 documented cases from Germany, and a full FAQ.

Quishing in a nutshell (TL;DR)

Quishing (QR code phishing) is a scam where criminals use malicious QR codes to steal credentials, TANs, payment data or money. In 2026 cases rose by over 600 % worldwide — in Germany especially at parking meters, EV chargers, in fake bank letters, on DHL-style mailbox stickers and windshield flyers. Best defence: scan QR codes only with a URL preview, or use a checker like QRTrust that validates the link against phishing databases before the page opens.

What is Quishing?

Quishing (a portmanteau of "QR code" and "phishing") is a form of phishing in which criminals use malicious QR codes as the attack vector. Where classic phishing uses email or fake websites, quishing carries the malicious link inside a machine-readable QR code — printed, stuck on, or embedded as an image in an email.

The reason quishing is so dangerous in 2026: QR codes are not human-readable. Nobody can see from the black-and-white matrix where it leads — until the smartphone has already opened the URL. Spam filters and mail gateways can't inspect the code either, because it's an image. Attackers exploit exactly this double blindness.

Definition: Quishing

Quishing is a phishing method where attackers use manipulated or malicious QR codes to lure victims to fake websites, steal personal data, or distribute malware.

How Does a Quishing Attack Work?

A typical quishing attack happens in several steps:

  1. The attacker creates a malicious QR code leading to a fake website (e.g., a copy of your bank's login page)
  2. The QR code is distributed through various channels: emails, fake parking tickets, flyers, social media, or even pasted over real QR codes
  3. The victim scans the QR code with their smartphone without recognizing it's malicious
  4. The victim lands on the fake website and enters sensitive data (passwords, credit card details, personal information) or unknowingly downloads malware

Real Quishing Examples from Germany

Fake Parking Tickets

Attackers paste QR codes on parking meters leading to fake 'easy park' pages that steal credit card data. The pasted-over codes are often hard to detect.

ADAC Phishing Emails

Emails with ADAC logo and QR codes leading to fake member pages to steal personal data and bank details.

Rheinbahn Deutschland-Ticket Scam

Fake posters in buses and trams with QR codes that supposedly lead to free Deutschland-Tickets; in reality they lead to data theft.

Fake Bank Letters

Letters in Commerzbank design with QR codes for alleged photoTAN activation. Goal: steal online banking credentials.

EV Charging Station Scam

Pasted-over QR codes at electric charging stations that lead to phishing websites instead of payment pages.

Fake Parking Fines

Fraudulent parking fines with QR codes leading to fake payment pages.

How to Recognize Quishing?

  • Unexpected QR codes in emails (especially from banks, Microsoft, Google)
  • QR codes on parking tickets or public places that look 'pasted over'
  • Urgent calls to scan ('Your account will be locked', 'Last chance')
  • QR codes from unknown senders on social media
  • URLs after scanning that look suspicious or don't match the expected company

How to Protect Yourself from Quishing?

  • Use QRTrust: Our app scans QR codes and checks them in real-time against our local threat database and AI models before you open the URL.
  • Use Apps that Display Target URLs: Only scan QR codes with apps that display the target address first before opening the page. This way you can detect suspicious links.
  • Pay Close Attention to Punctuation in URLs: Important: 'example.com/123' is a path on example.com and therefore legitimate, but 'example.com-123.com' is a completely different domain and potentially a fraudulent website!
  • Ignore Pasted-Over QR Codes: QR codes on parking meters, charging stations, or public places that look pasted-over should never be scanned.
  • Check Letters and Emails Critically: For suspicious letters (e.g., from your bank): Contact the institution via a phone number you researched yourself, not via information in the letter.
  • In Case of Fraud: Act Immediately: Contact the police, call your bank, or use the blocking hotline 116 116 if you've become a victim.

Quishing in Enterprises

For businesses, quishing is a particularly large threat. Employees are often the weakest link in the security chain. A single scanned malicious QR code can:

  • Compromise company data
  • Bring ransomware into the network
  • Steal access credentials for critical systems
  • Cause compliance violations (GDPR, NIS2)

Conclusion

Quishing is a growing threat that uses QR codes as an attack vector. The invisibility of the destination makes QR codes the perfect tool for cybercriminals.

The best protection is a combination of awareness, healthy skepticism, and technical solutions like QRTrust that check every QR code before opening.

Protect Yourself from Quishing Now

QRTrust checks every QR code in real-time against multiple threat databases and warns you of dangers.


Sources

This article is partially based on information from Verbraucherzentrale NRW:

Quishing: Fake QR Codes in Emails, Letters, Public Transport and Road Traffic

Quishing statistics 2026 — Germany in the crosshairs

Quishing is the fastest-growing phishing variant in 2026. Current numbers from the BSI threat report, police statistics and industry reports (as of Q1 2026):

  • +614 % more quishing attempts worldwide (Q1 2026 vs. Q1 2025, Keepnet)
  • 18 M detected quishing attacks in Q1 2026 alone (FBI / industry data)
  • 12 % of all phishing payloads contain a QR code in 2026 (2021: 0.8 %)
  • > €1 M average loss per quishing incident in enterprises (Keepnet 2026)
  • 83 % of smartphone users scan QR codes without URL verification
  • 40+ documented quishing waves in German cities since mid-2025

Quishing vs. phishing, smishing & vishing — the difference

The phishing family has four main variants. They differ only in the channel — the goal is always the same: steal data or money.

Variant  | Channel                 | Typical example 2026                      | How hard to spot?
Phishing | Email                   | Fake bank email with login link           | Medium — spam filters help
Smishing | SMS / messenger         | DHL SMS with tracking link                | High — barely any mobile filters
Vishing  | Phone / VoIP            | Call from "Microsoft support"             | High — no technical filter
Quishing | QR code (print/digital) | Sticker on a parking meter or bank letter | Very high — URL is invisible

Quishing waves in Germany: real cases 2025–2026

Quishing is not a theoretical risk. These are cases we have documented — each entry is a full report with sources, police/BSI references and protection advice:

Frequently asked questions about quishing (FAQ)

What does quishing mean?

Quishing is a portmanteau of "QR code" and "phishing". It describes phishing attacks where criminals use malicious QR codes to lure victims to fake websites, steal credentials or TANs, or distribute malware.

How dangerous is quishing in 2026?

Very. In Q1 2026 quishing attempts rose by more than 600 % worldwide. Police and BSI have documented dozens of waves in Germany — from Berlin via Dortmund to Tauberbischofsheim. In the enterprise the average loss per incident exceeds one million euros.

How do I recognise a quishing attack?

Typical warning signs: a QR code where there was none before (pasted over); an unexpected letter with a QR code from a bank, authority or insurer; pressure to act ("act immediately") after scanning; and URLs that don't match the expected provider (typo domains, foreign top-level domains, raw IP addresses).

What is the difference between phishing and quishing?

Phishing uses classic channels such as email or fake websites. Quishing carries the phishing link inside a QR code. The key difference: spam filters and mail gateways can't inspect the code (it's an image), and humans can't see the destination URL before scanning either.

Are QR codes inherently insecure?

No. QR codes themselves are a safe technology. The risk arises when nobody verifies the URL before opening the page. With a checker like QRTrust that validates the link against current phishing databases (PhishTank, Google Safe Browsing) and AI models, QR codes are safe to use again.

How exactly do I protect myself against quishing?

Six measures: 1) Use a scanner app with URL preview — never auto-open. 2) Watch for typo domains (e.g. "spark-asse.de" instead of "sparkasse.de"). 3) Ignore QR codes from banks or authorities — they communicate via other channels. 4) Never scan pasted-over QR codes. 5) For letter quishing, contact the institution via an officially researched number. 6) Use a specialised app like QRTrust.
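The "punctuation in URLs" advice in the protection section above and the typo-domain example in this answer can be turned into a mechanical check that runs on the URL a scanner app has just decoded, before anything opens. The following Python is an added example, not code from this article or from QRTrust: it takes the decoded URL plus the brand domain the user expects and reports the domain actually contacted, raw IP addresses, brand text placed before an "@", punycode hosts and near-miss (typo) domains. The function names, the two-label registrable-domain heuristic, the edit-distance threshold and the sample URLs are assumptions for illustration; a production checker would use a public-suffix list instead of the two-label rule.

```python
"""Added example (not QRTrust code): sanity-check a URL decoded from a QR code
against the brand domain the user expects. Following the page's advice,
'example.com/123' is a path on example.com, while 'example.com-123.com' is a
different domain altogether."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.sparkasse.de' -> 'sparkasse.de'.
    Assumption: single-label public suffixes only; multi-part suffixes such as 'co.uk'
    would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to flag typo domains ('spark-asse.de' vs 'sparkasse.de' = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_scanned_url(url: str, expected_domain: str) -> dict:
    """Classify a scanned URL. Returns the host actually contacted, its registrable
    domain, whether that equals the expected brand domain, and a list of warnings."""
    warnings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme '{parts.scheme}'")
    if not host:
        warnings.append("no host in URL")
        return {"host": "", "domain": "", "matches_expected": False, "warnings": warnings}

    # 1. A raw IP address instead of a name: no bank or authority sends you to one.
    try:
        ipaddress.ip_address(host)
        is_ip = True
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        is_ip = False

    # 2. Brand text before '@' ('https://sparkasse.de@198.51.100.7/') is userinfo, not the host.
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username}) is not the host; real host is {host}")

    # 3. Punycode hosts can carry look-alike characters from other scripts.
    if "xn--" in host:
        warnings.append("internationalised (punycode) hostname")

    domain = host if is_ip else registrable_domain(host)
    expected = expected_domain.lower()
    matches = domain == expected
    if not matches:
        if expected in host:
            # Brand appears only as a subdomain or inside a hyphenated label: 'example.com-123.com'.
            warnings.append(f"'{expected}' appears in the hostname, but the contacted domain is '{domain}'")
        elif edit_distance(domain, expected) <= 2:
            warnings.append(f"'{domain}' is a near-match (typo domain) of '{expected}'")
        else:
            warnings.append(f"domain '{domain}' does not match expected '{expected}'")
    return {"host": host, "domain": domain, "matches_expected": matches, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("https://example.com/123", "https://example.com-123.com/login"):
        print(sample, "->", analyze_scanned_url(sample, "example.com"))
```

Run on "https://example.com-123.com/login" with "example.com" as the expected domain, the checker reports that the contacted domain is "com-123.com" and that the brand name only appears inside the hostname; "https://spark-asse.de/tan" is flagged as a near-match of "sparkasse.de". The point of the "@" and raw-IP checks is that both are things a URL preview shows but a hurried user reads past.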

I scanned a suspicious QR code — what do I do?

Don't panic. As long as you didn't enter any data, the risk is low. If you did: change affected passwords immediately, block your online banking via the German blocking hotline 116 116, call your bank via the official service number and file a police report. Document the incident with screenshots.

Where do I report quishing attacks?

In Germany: to the Verbraucherzentrale (consumer association), the police (online reporting site of the relevant state), the BSI (via the BSI reporting office or the Alliance for Cybersecurity), and for bank quishing directly to the affected bank (e.g. phishing@deutsche-bank.de). QRTrust also accepts reports and feeds them into our threat database.

Is there enterprise quishing protection?

Yes. An enterprise should combine three layers: 1) Awareness training (quishing/phishing simulations). 2) Technical QR-code checking — e.g. QRTrust Enterprise on company smartphones and in mail gateways. 3) An incident report template for NIS-2-compliant reports to the BSI. We offer an integrated package for authorities and critical-infrastructure operators.

Which QR codes are forged most often in 2026?

Top lures in Germany: 1) Parking meters ("Easy Park" clones). 2) EV charging stations (payment pages). 3) Bank letters (TAN / photoTAN updates). 4) DHL and parcel-service stickers. 5) Fake parking fines on car windshields. 6) Restaurant menus. 7) WhatsApp Web pairing (Ghost Pairing).

Is quishing a crime?

Yes. In Germany quishing is criminal under §263 StGB (fraud), §202a StGB (data espionage) and §263a StGB (computer fraud) — depending on the offence with up to five years in prison. Distributing fake QR codes also triggers §269 StGB (forgery of data) and §202c StGB (preparation of espionage).

What does QRTrust do against quishing?

QRTrust scans every QR code and checks the destination URL in real time against PhishTank (1 M+ phishing URLs), Google Safe Browsing, our own AI-based classifier and a URL redirect resolver. Suspicious sites are blocked before they open. The app is GDPR-compliant, runs on EU servers and is free for private users.
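The answer above lists the building blocks of a QR-link checker: threat-list lookups and a redirect resolver, with the decision taken before the browser opens. The Python below is an added example of that shape, not QRTrust's code: it follows a redirect chain one hop at a time, checks every hop (not just the first) against a threat list, and returns a verdict. The redirect map and the threat list are constructed stand-ins with placeholder hosts; a real checker would issue requests with redirects disabled and read the Location header, and would consult feeds such as PhishTank or Google Safe Browsing through their APIs. All names and the hop limit are assumptions.

```python
"""Added example (not QRTrust code): a minimal QR-link checker that follows a redirect
chain hop by hop and checks every hop against a local threat list, so a lure hidden
behind a URL shortener or tracking redirect is caught before anything opens."""
from urllib.parse import urlsplit

# Constructed threat list (placeholder hosts, not real indicators).
LOCAL_THREAT_HOSTS = {"sparkasse-photo-tan.example", "easypark-pay.example"}

# Constructed stand-in for the network: URL -> value of the Location header it would return.
FAKE_REDIRECTS = {
    "https://short.example/a1b2": "https://track.example/r?u=1",
    "https://track.example/r?u=1": "https://login.sparkasse-photo-tan.example/tan",
    "https://short.example/loop": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop",
}

MAX_HOPS = 5  # assumption: enough for shortener + tracker chains, small enough to bound work


def resolve_chain(url, fetch_location=FAKE_REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. Returns (urls_visited, status) where status is
    'final' (no further redirect), 'loop' (a URL repeated) or 'too_many_hops'.
    fetch_location(url) must return the next URL or None; here it reads the fake map."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def host_in_list(host, threat_hosts):
    """True if the host or any parent domain is listed, so 'login.bad.example' hits 'bad.example'."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in threat_hosts for i in range(len(labels) - 1))


def check_qr_link(url, threat_hosts=LOCAL_THREAT_HOSTS):
    """Verdict for a URL decoded from a QR code: 'block' if any hop is listed,
    'warn' if the chain could not be resolved cleanly, otherwise 'allow'."""
    chain, status = resolve_chain(url)
    hits = [u for u in chain if host_in_list(urlsplit(u).hostname or "", threat_hosts)]
    if hits:
        verdict = "block"
    elif status != "final":
        verdict = "warn"
    else:
        verdict = "allow"
    return {"verdict": verdict, "status": status, "chain": chain, "hits": hits}


if __name__ == "__main__":
    for sample in ("https://short.example/a1b2", "https://www.sparkasse.de/", "https://short.example/loop"):
        print(sample, "->", check_qr_link(sample))
```

Two design points worth noting: every hop is checked, because the first hop of a lure is usually a clean shortener or tracking domain, and an unresolved chain (loop or hop limit) is a warning rather than an allow, since a checker that cannot see the destination has no basis for clearing it.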
