QR コードフィッシングの脅威 - 読み取る前に確認すべきこと

About 13 min read

QR codes are now used in virtually every aspect of daily life - restaurant menus, event tickets, payments, and Wi-Fi connections. The convenience of simply pointing your smartphone camera is appealing, but attackers are increasingly exploiting this ease of use. "Quishing" (QR code phishing) is a technique that directs users to malicious sites through fake QR codes, stealing credentials and personal information. This article explains the specific tactics of quishing, where fake QR codes are placed, and how to safely verify QR codes before scanning them.

How Quishing Works

Overlaying Legitimate QR Codes

The most common quishing technique involves placing a sticker with a fake QR code over a legitimate one. Parking meters, restaurant tables, and public facility information boards are targeted - places where people scan without suspicion. Attackers create realistic-looking stickers and simply paste them over the original QR code. Because this is a physical tampering method, digital security tools cannot detect it.

When victims scan the fake QR code, they are directed to a phishing site that closely resembles the legitimate service. If they enter login credentials or credit card numbers there, the information goes straight to the attacker. Unlike traditional phishing emails, QR codes make it difficult to visually verify the URL before visiting, making it harder for users to notice something suspicious.

Embedding in Emails and Documents

Another major technique involves embedding QR codes in phishing emails or printed materials. Messages like "Please scan the following QR code for a security update" or "Scan here to check your delivery status" prompt users to scan. While email security filters can inspect URL links, they often cannot detect URLs embedded within QR code images, giving attackers an advantage.

Where Fake QR Codes Are Placed

Examples in Public Spaces

Attackers prefer high-traffic locations. Parking meters are particularly common targets because users are often in a hurry and skip verification. Restaurant and cafe table QR codes for menus are also targeted. Since the pandemic normalized contactless menus, people have become less cautious about scanning QR codes, increasing attack success rates.

Public transit timetables, tourist information boards, bike-sharing stations, and EV charging spots are also targeted. At these locations, users believe scanning the QR code is "necessary" to use the service, creating a situation where they are unlikely to question even a fake code. Attackers skillfully exploit this trust relationship.

Distribution in Digital Spaces

Fake QR codes circulate not only in physical locations but also in social media posts, messaging apps, and online advertisements. They come with messages like "exclusive coupon," "you have won a prize," or "account verification required." On social media in particular, trusted friends' accounts may be hijacked to spread fake QR codes, and sophisticated attacks combining social engineering are increasing.

How to Safely Scan QR Codes

Physical Verification Before Scanning

Before scanning a QR code, first check its physical condition. Look for stickers placed on top, peeling edges, or differences in texture from the surrounding material. Legitimate QR codes are usually printed directly on signs or posters. Stickers placed on top likely indicate tampering and should not be scanned.

If something feels suspicious, asking staff is the most reliable approach. Simply asking "Is this QR code legitimate?" can prevent potential damage. For payment-related QR codes in particular, accessing through the official app directly is safer.

How to Check URL Previews

Most smartphone camera apps display a URL preview when scanning a QR code. Use this feature and always verify the URL before opening the link. Check whether it is a legitimate domain, whether there are spelling errors, and whether suspicious subdomains are included. For example, "paypa1.com" (number 1 instead of letter l) or "amazon-security-verify.com" are typical fake domains.

Be especially cautious with shortened URLs (bit.ly, t.co, etc.). Shortened URLs can hide the final destination, making them easy for attackers to abuse. If possible, use a URL expansion service to check the actual destination, or avoid scanning altogether and access the official site directly. For more on phishing tactics in general, see our comprehensive phishing protection guide.

Defensive Measures for Organizations and Individuals

Habits Individuals Should Practice

To protect yourself from QR code phishing, develop several key habits. First, if you are asked to enter login credentials or personal information after scanning a QR code, pause and think. For legitimate services, you can ensure safety by accessing through the official app or bookmarks instead. Additionally, enabling two-factor authentication prevents unauthorized access even if your password is compromised.

Using a password manager is also an effective countermeasure. Password managers strictly check domains, so autofill will not work on phishing sites. If you notice autofill is not functioning, that is an important signal that you may be on a fake site. For more on smartphone security in general, <AmazonLink keyword="スマホ セキュリティ" locale={locale} className="amazon-inline-link">smartphone security books (Amazon)</AmazonLink> are also helpful references.

Organizational Countermeasures

Organizations that use QR codes in their operations should establish a system for regularly checking whether their QR codes have been tampered with. Additionally, displaying the legitimate URL alongside the QR code gives users the option to access manually. For employees, conduct security training that includes quishing tactics and establish a system for reporting suspicious QR codes.