Quishing on the Rise: QR Code Scams Target Restaurant Menus and Other Touchpoints

Quishing, a fusion of QR and phishing, is drawing renewed attention from security professionals as authorities warn that scammers are increasingly exploiting smartphone users through Quick Response codes. When scanned, nefarious QR codes can direct users to sites that harvest personal information, install malware, or prompt data theft. The codes have become ubiquitous in daily life, appearing on restaurant menus and payment prompts, at hotel and doctor’s office check-ins, and even on parking meters. They are also used to track package shipments and check order status online, making the attack surface broader than just physical venues.

Attackers can replace legitimate QR codes with their own by printing a counterfeit version and placing it over or beside the real code, a technique that can be nearly undetectable to the average user, according to Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant. "What’s especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised," Brewer told CNBC. "Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception."

QR codes are not confined to physical locations. They also appear in virtual spaces, including checks of online shipments and other digital processes that rely on codes for status updates. IBM has noted that older individuals who are more susceptible to traditional phishing scams may be at increased risk with quishing, though digitally savvy Millennials and Zoomers are not immune given their frequent use of QR codes. An IBM memo cautions, "Don’t let added convenience lower your guard." IBM officials urge users to be wary of unsolicited QR requests and to look for physical signs of tampering when scanning in public places. They also advise that scanning should be limited to codes from trusted sources rather than those found in random flyers or posters.

"QR codes weren’t built with security in mind; they were built to make life easier, which also makes them perfect for scammers," Rob Lee, chief of research, AI, and emerging threats at the SANS Institute, told CNBC. "We’ve seen this playbook before with phishing emails; now it just comes with a smiley pixelated square. It’s not panic-worthy yet, but it’s exactly the kind of low-effort, high-return tactic attackers love to scale."

The Federal Trade Commission has reported a rise in quishing scams, prompting calls for greater vigilance among everyday users. As QR codes become more prevalent in retail and services, experts say the key to reducing risk lies in simple, practical precautions: inspect codes for signs of tampering, avoid scanning codes from unsolicited sources, and use apps that offer a URL preview before opening any destination. In public settings, such as menus or posters, consumers should be mindful of any code that looks out of place or has been pasted over another.

To help readers understand the risk, several real-world cues can guide safer behavior. If a QR code appears in a public place, check whether it seems physically altered or placed over a legitimate code. If a code appears suspicious or comes from an untrusted source, refrain from scanning and seek an alternate official method to access the information or service. When possible, use a dedicated app that previews the link before opening it, and consider using the device’s built-in camera scanning feature rather than a third-party scanner that might automatically open a link. These steps can reduce exposure to quishing without sacrificing the convenience that QR codes provide in everyday life.

As the technology—and the schemes—evolve, the balance between convenience and security remains central. While quishing does not signal an imminent collapse of trust in QR codes, it underscores the need for ongoing user education, robust code-generation safeguards, and continued vigilance by both consumers and the institutions that deploy these codes. Authorities and cybersecurity firms say that awareness, coupled with practical precautions, can help curb the impact of these attacks while preserving the efficiency that QR codes offer in everyday transactions and experiences.