Scams using fake QR codes in public spaces are gaining ground and open a new avenue for stealing banking data and login credentials and for installing malicious files on mobile phones. The technique, known in cybersecurity as quishing (QR phishing), consists of replacing a legitimate code with a manipulated one that redirects to a fraudulent website.
The mechanism is simple and hard to detect at a glance. Scammers stick adhesive labels over real codes at their usual points of use and lead the victim to believe they are entering an official payment or service platform. In reality, they end up handing their data to the attackers or starting the download of infected content.
Parking meters, menus and charging points among the most exposed surfaces
Among the places where this practice is being detected are parking meters, digital restaurant menus and charging kiosks. These are high-traffic environments where users act in a hurry and often scan without examining the physical surface or verifying the real destination of the link.
That is one of the main problems. Unlike a text link, a QR code does not visibly show which address it leads to before it is opened. That opacity facilitates deception and gives criminals room to disguise phishing or identity-theft pages.
Attackers also resort to shortened links to hide suspicious addresses. That not only makes it harder for the user to identify an anomalous URL; it also complicates the work of some automatic security filters designed to block pages associated with identity theft.
Risk for bank accounts, mobile phones and also work environments
The impact is not limited to emptied accounts or fraudulent card use. After scanning a manipulated QR, the user may be induced to enter banking credentials or to download files carrying malware. In more serious scenarios, opening the fraudulent site can trigger a silent malware download capable of tracking the device's activity remotely.
The scope of the problem goes beyond the financial realm. A mobile phone can end up granting access permissions to the camera, microphone or contact list after interacting with a malicious page. That turns the fraud into a gateway to both personal devices and corporate networks if the affected device is linked to the work environment.
How to detect a manipulation before scanning
The first precaution is to physically inspect the code before using it. A label stuck over another, a low-quality print or a poorly placed adhesive are warning signs that may indicate tampering.
It is also advisable to use the phone's native camera app, since in many cases it previews the link before opening the browser. That step allows the address to be reviewed and the action stopped if the domain looks strange or does not match the expected service.
The recommendation is clear: do not make payments or enter sensitive data through QR codes located in busy, unsupervised public places. If there are doubts about authenticity, the most prudent course is to type the official address of the company or service into the browser manually.
Another relevant sign is an immediate request for credentials or passwords after the scan. Legitimate companies rarely ask for that kind of information straight after access via a QR, so such a request should raise alarms.
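The checks described above (does the domain match the expected service, is the real destination hidden behind a shortener, is the link even a normal web address) can be applied to the decoded payload before the browser opens it. The following is an added illustration, not code from the article or from any product it mentions. It assumes the QR has already been decoded into a string by the camera app or a QR library; the payloads, the expected domain `cityparking.example` and the shortener list are constructed for the example, and no network lookup is made, so a reputation check like the one the article mentions later would sit on top of it.

```python
"""
Offline inspection of a decoded QR payload before opening it.

Added illustration (not the article's code). Input is the string a QR
decoder returned; the shortener list and the sample payloads are
constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample list of public link shorteners (an assumption for illustration;
# a real deployment would maintain its own, fuller list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}


@dataclass
class Verdict:
    url: str
    findings: list = field(default_factory=list)

    @property
    def safe_to_open(self) -> bool:
        # Any finding means: stop and type the official address by hand.
        return not self.findings


def _host_is_ip(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_qr_payload(payload: str, expected_domain: str) -> Verdict:
    """Return the warning signs found in a decoded QR payload.

    expected_domain is the registrable domain of the service the user
    believes they are scanning (parking operator, restaurant, bank).
    """
    v = Verdict(payload)
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # A payment or menu code should be an ordinary web link, nothing else.
    if scheme not in ("http", "https"):
        v.findings.append(f"not a plain web link (scheme '{scheme or 'none'}')")
        return v
    if scheme == "http":
        v.findings.append("unencrypted http link")

    host = (parts.hostname or "").lower()
    if not host:
        v.findings.append("no host in URL")
        return v
    # user@host: the part before '@' is shown first and can disguise the real host.
    if parts.username is not None:
        v.findings.append("text before '@' can disguise the real host")
    if _host_is_ip(host):
        v.findings.append("host is a raw IP address, not a named service")
    # Internationalised labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        v.findings.append("punycode host, possible look-alike characters")
    if host in SHORTENER_HOSTS:
        v.findings.append("link shortener hides the real destination")

    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    on_expected = host == expected or host.endswith("." + expected)
    if not on_expected:
        v.findings.append(f"domain '{host}' is not under '{expected}'")
        # The brand name reused inside another registrable domain is the
        # classic look-alike (brand.example.pay-verify.net, brand-example.com).
        if brand in host.replace("-", ""):
            v.findings.append(f"host imitates the '{brand}' brand")
    return v


if __name__ == "__main__":
    # Constructed sample payloads as a QR decoder would return them.
    samples = [
        "https://pay.cityparking.example/meter/1042",
        "https://bit.ly/3xyz",
        "http://cityparking.example.pay-verify.net/login",
        "https://cityparking.example@198.51.100.7/",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ]
    for s in samples:
        verdict = assess_qr_payload(s, "cityparking.example")
        status = "OK" if verdict.safe_to_open else "STOP"
        print(f"{status:4} {s}")
        for f in verdict.findings:
            print(f"       - {f}")
```

The suffix match on the expected domain is deliberately strict: a subdomain such as `pay.cityparking.example` passes, but `cityparking.example.pay-verify.net` does not, because the registrable domain there is `pay-verify.net`, which is exactly the distinction the article says a hurried user misses.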
More technological controls and physical protection
Security platforms are starting to incorporate QR scanners that analyze the reputation of the destination site in real time. It is an additional layer of defense, although it does not replace visual verification or user caution.
In parallel, financial institutions and retailers are being advised to deploy codes with extra verification mechanisms or protective covers that hinder physical tampering. The key remains combining technical measures with basic prevention, because a hard-to-detect scam can hide behind a gesture as ordinary as scanning to pay or to read a menu if neither the surroundings nor the link it leads to are checked first.