QR Code Phishing Goes Public

QR Code Phishing Goes Public: The Alarming Rise of “Quishing” and What It Means for Your Business

A disturbing new trend in cybercrime has emerged, highlighting the ever-evolving tactics of threat actors. This week, cybersecurity professionals discovered QR codes taped to public lampposts, accompanied by handwritten notes designed to trigger emotional responses. One such note read:
“John, I know you are cheating on me. Here’s the proof—it would be worthwhile for everyone to see.”

At first glance, it might seem like a personal message. In reality, it’s a sophisticated quishing campaign—QR code phishing—leveraging social engineering in public spaces. This marks a disturbing advancement in phishing tactics, moving from email inboxes to real-world locations to exploit human psychology.

What Is Quishing?

Quishing involves using QR codes to lure individuals into scanning malicious links. Once scanned, users are directed to phishing websites designed to harvest login credentials, financial information, or install malware. What makes quishing especially dangerous is its ability to bypass traditional cybersecurity filters. A printed QR code on a lamppost or flyer doesn’t trigger firewalls, antivirus software, or email security tools.

The Data Behind the Threat

The prevalence of QR code phishing is growing rapidly. According to Action Fraud, reports of QR code scams have increased fourteen-fold, from 100 in 2019 to 1,386 in 2024. Hoxhunt reports that 22% of all phishing attacks now involve QR codes. Even more concerning, only 36% of employees can successfully identify and report a simulated QR code phishing attack.

These statistics highlight a serious gap in cybersecurity awareness—one that attackers are actively exploiting.

Emotional Engineering at Its Worst

What makes incidents like the lamppost campaign particularly insidious is the emotional manipulation involved. By preying on feelings like jealousy, betrayal, or curiosity, attackers dramatically increase the likelihood that someone will scan the code without thinking twice. This type of psychological ploy mirrors the tactics used in digital phishing but is amplified by the physical, seemingly personal nature of the message.

Katherine Hart of the Chartered Trading Standards Institute warns:

“We’ve seen huge amounts lost this way. People have seen their life savings gone, and that money is going to finance criminals.”

A Shift in Criminal Strategy

Cybercrime syndicates are increasingly turning to quishing as part of their operations. Experts suggest this evolution reflects a more organized, hierarchical structure within cybercrime groups. Some individuals involved may simply be tasked with placing QR codes in public areas—unaware they’re contributing to a broader criminal enterprise.

According to recent industry research, quishing attacks have risen 25% year-over-year in 2025, now accounting for 1 in every 8 credential-harvesting campaigns. This shift represents a growing threat that extends beyond corporate IT systems and into everyday environments.

Conclusion: It’s Time to Rethink Cybersecurity Awareness

The message is clear: Cybersecurity is no longer confined to the digital realm. Threats like quishing blend the physical and digital in ways that make them harder to detect and easier to fall for. Businesses must prioritize security awareness—not just for emails and websites, but for all the ways people interact with technology in their daily lives.

At Verenity, we understand the evolving cybersecurity landscape and the new tactics bad actors are using to exploit vulnerabilities. If your organization hasn’t yet addressed the growing threat of QR code phishing or needs guidance on strengthening your cybersecurity posture, we’re here to help.

👉 Schedule a call with us today to discuss how Verenity can help protect your business with robust, modern cybersecurity solutions.