Quishing Scams on the Rise: Fake QR Codes Exploit Unsuspecting Victims

Bangkok: The convenience of QR codes has become a double-edged sword: fraudsters now produce fake QR codes to trick victims, a fraudulent scheme known as quishing.

According to Thai News Agency, quishing, or QR code phishing, is a scam where criminals trick victims into scanning a QR code they've created. When users, out of habit, inadvertently click on a link within the fake QR code, they risk having their personal information, passwords, or financial details accessed by the criminals. Quishing methods include sending fake QR codes online or printing fake QR codes to cover real QR codes in public places such as billboards, train stations, parking lots, offices, and shopping malls.

A 2025 survey by cybersecurity firm KeepNet Labs found that 26% of crimes related to link sharing were linked via QR codes. Data from cybersecurity company NordVPN reveals that 73% of Americans scan QR codes without verifying their source, and 26 million have inadvertently clicked on quishing links. Gaurav Sharma, a professor in the Department of Electrical and Computer Engineering at the University of Rochester, commented that the increase in quishing victims is due to people becoming more guarded against traditional phishing methods. This has led criminals to exploit the convenience of QR codes, which most people scan without caution and in which they find it difficult to detect any irregularities.

Rob Lee, lead researcher at the SANS Institute, believes that QR codes were created without prioritizing security, making them perfect tools for fraud. While not yet widespread enough to be worrying, the low investment and high return on investment have led scammers to increasingly resort to quishing scams. Some organizations are trying to combat QR code forgery by changing the color of QR codes or using company logos in them. However, experts believe this approach may be a double-edged sword, as it can instill too much confidence in security since fraudsters can easily copy company logos to create fake QR codes.

Overconfidence in security is also found among Apple smartphone users. A Malwarebytes survey in early 2025 found that 55% of iPhone users trusted the basic security features of their iPhones, and 70% of them used their smartphones to scan QR codes for online shopping. This compares to Android users who trusted basic security features only 50% of the time and used their smartphones to scan QR codes for online shopping less frequently (63%). This results in iPhone users having a 53% chance of falling victim to scams, compared to 48% of Android users.

In January 2026, a report from the U.S. Federal Bureau of Investigation (FBI) revealed a scheme, run from abroad, to steal information from American citizens through quishing, which had been ongoing since May 2025. It was discovered that the hackers were a group called Kimsuky, supported by the North Korean government. They impersonated foreign policy advisors and sent emails with QR codes linking to fake surveys, hoping to steal personal information from American citizens. The target group for quishing scams is often elderly people who are unfamiliar with cyber threats and online shoppers who use QR codes to track product shipments.

The FBI recommends the following 7 points to watch for to avoid becoming a victim of quishing: be cautious when encountering suspicious QR codes, check the source before scanning, do not log in immediately after scanning the QR code, carefully check the website URLs, use effective antivirus software to combat fake QR codes, use data deletion services to limit the risk, and avoid downloading files from QR codes altogether.