Quishing, or QR-phishing, is a scheme where scammers create QR codes that hide harmful web links. These QR codes are circulated through channels like email, messages, social media, and even physical flyers for people to scan. Upon scanning, users are redirected to counterfeit websites that may initiate the download of malicious content or request sensitive information, including login credentials or financial details. These QR codes have proven effective because they can bypass traditional email security checks, making them harder to detect.


Common Quishing Modus Operandi

1. Phishing emails that contain fake QR codes

Scammers pretend to be a trusted organization and ask victims to scan the QR code in their email. If scanned, victims will end up being redirected to a fake website that looks legitimate. These phishing emails and messages will always create a sense of urgency, such as an online banking payment that did not go through, a locked account, etc.


2. QR Codes for Deals That Are Too Good to Be True

Scammers may contact victims offering a limited-time “giveaway” that is claimed by scanning a given QR code. However, you’ll never get what is promised. Scammers may also invite victims to join unrealistic investments and ask them to send money.


3. QR Code Package Scams

Scammers send a package that victims never ordered. On the box, there’s a QR code the victim can scan for more information or to return the item. The QR code will take potential victims to phishing websites that ask for personal information, like a credit card number.


4. QR Code Payment Scams

QR codes are used by real businesses for easy payments. Scammers can replace the genuine QR code with a fake one at a convenience store or restaurant. They can also place QR codes in public areas; for instance, scammers might put signs in parking lots saying that visitors can pay by scanning a QR code. It might take you to a fake payment site.


Things to keep in mind

  • Check the QR code link. After scanning a QR code, your phone will preview the website link. Make sure it looks legitimate and isn’t a misspelled URL like "celcomdgi.com" instead of "celcomdigi.com".
  • Check the website. Inspect the URL carefully. Look out for spelling mistakes or anything that seems wrong, which could be a sign of a phishing website. Also, look for a lock symbol or "https://" in the website address – these are signs of secure websites.
  • Verify the validity of the sender. If you get a weird email, letter or message with a QR code from a company, call them to make sure it's legit. 
  • Watch for tampering. If you see a QR code in a public place, like a restaurant, make sure there's no sticker on top of it. Scammers might have put it there.
  • Never scan a QR code from an unfamiliar source. Don't scan QR codes from strangers whether you meet them online or in person. Be cautious if someone offers you something too good to be true such as free money or products by scanning their QR code.
  • Do not make rushed decisions, and refuse pressure to act immediately. Take your time to make an informed decision.
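
The link check in the first two tips can also be automated, for instance in a mail filter or help-desk tool that has already decoded the QR code to text. The Python below is an added example, not Digi's own code; the allow-list contents, the two-edit threshold and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: allow-list of genuine domains. "celcomdigi.com" is the name used
# in the first tip above; extend the set for your own organisation.
TRUSTED_DOMAINS = {"celcomdigi.com"}
MAX_TYPO_DISTANCE = 2  # assumption: up to two character edits counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def check_qr_link(payload):
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return "untrusted", "not a valid link"
    if parts.scheme not in ("http", "https") or not host:
        return "untrusted", "not a web link"
    labels = host.split(".")
    for good in sorted(TRUSTED_DOMAINS):
        if host == good or host.endswith("." + good):
            if parts.scheme == "https":
                return "trusted", good
            return "untrusted", "genuine domain but no https"
        # Same number of trailing labels as the trusted name (no public-suffix list used).
        tail = ".".join(labels[-(good.count(".") + 1):])
        if edit_distance(tail, good) <= MAX_TYPO_DISTANCE:
            return "lookalike", f"{tail} resembles {good}"
        # Genuine name placed in front of someone else's domain.
        if host.startswith(good + "."):
            return "lookalike", f"{good} is only a prefix of {host}"
    return "untrusted", "domain not on the allow-list"
```

A "lookalike" verdict is the case the first tip describes; "untrusted" only means the link is not on the allow-list and still needs a human check.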

To make a report on this matter, reach out to us by clicking here.

Rest assured that Digi is actively taking measures to ensure our customers do not fall prey to such scams.

We have all the tips you need to keep yourself protected from phishing or scam activities just like this. Find out more here.