QR codes - dangerous or not?

QR codes have become so woven into everyday life that most people scan them without a second thought; restaurant menus, parking meters, package tracking notices, event check-ins. That familiarity is precisely what makes them attractive to scammers, and Google's Trust and Safety team recently flagged QR code phishing as one of the fastest-growing threats they're tracking.

The attack is known as ‘quishing’, a combination of QR code and phishing. The danger isn't the QR code itself; it's where it quietly sends you.

Why QR Codes Are a Scammer's Dream
When you receive a suspicious link in an email, your email security tools can inspect the destination, recognize a known malicious website, and block it before you ever click.

A QR code is different. To your email's security software, it's simply an image made up of black and white squares. Think of it as a sealed envelope. Your email security can inspect what's written on the outside, but it can't always see what's tucked inside.

Now scammers are using "dynamic" QR codes to thwart new attempts to analyze them. When the email is sent, the code points to a completely harmless web-page to trick security filters into clearing it. Once the email safely lands in your inbox, the criminal flips a switch on the back-end, redirecting that same QR code to a malicious site.

Why Your Phone Changes Everything
Quishing is especially effective because it cleverly shifts the attack from your computer to your mobile phone.

You receive an email on your laptop containing a QR code, so Instead of clicking a link, you're encouraged to scan it with your smartphone. That move instantly strips away your computer's robust security protections and drops you into a mobile browser, where compressed screens make it much harder to spot a fake website.

The destination page often looks identical to a legitimate login page for Google, Microsoft, your bank, or a delivery company. If you enter your username and password, you've handed them directly to the scammer. Some of the more sophisticated attacks can even capture your active login session, allowing criminals to bypass two-factor authentication entirely.

The Physical World Threat: The Restaurant Scam
Why would a cybercriminal bother targeting a local cafe or a busy restaurant patio?

The answer lies in the shift toward "Scan, Order, and Pay" restaurant apps. Scammers aren’t trying to hack the restaurant’s kitchen; they are waiting for you to pay for your dinner. By placing high-quality stickers over existing table codes, or replacing plastic menu stands entirely, thieves intercept the payment process.

When a distracted diner enters their credit card to "start a tab," they are handing their raw card data to a digital skimming portal. The brilliance of the scam is the built-in delay: by the time you realize your food isn't coming and alert a server, the thief is long gone

Your Golden Rule
To stay safe, establish a strict personal safety valve: Never use a QR code to log into an account or enter a credit card number. If a QR code asks for a password or a payment, close the tab.

At restaurants, you always have a low-tech alternative: skip the digital process and order food the old-fashioned way. Ask your server for a physical menu and a paper bill. If a parking meter or shipping utility wants you to take action, bypass the QR code altogether. Open the official app you already have, or manually type the website address yourself.