Ever heard of 'quishing'? NordVPN warns the future of scams lies in QR codes – and shares some tips on how to stay safe

  • QR codes are the new creative gateway for cybercriminals
  • 26 million may have already been at risk of falling victim
  • Tips for staying safe include keeping your phone up to date

Have you scanned a QR (Quick Response) code recently? Then maybe take a second look at that black-and-white pixel matrix, as there is a significant chance you may have already unwittingly been lured into a QR code or 'quishing' scam, NordVPN warns.

QR codes are everywhere. Since their debut over 20 years ago, a growing number of services – such as paying for parking, collecting parcels, booking concert tickets, or ordering a pizza – have increasingly relied on these versatile 2D barcodes.

Cybercriminals have also recognised their potential, increasingly employing so-called 'quishing' as a method for financial fraud and data theft. Alarming data from TechRadar's best-rated VPN suggests that many of us may already have fallen victim. In fact, as many as 26 million people could have been lured into a phishing scam by clicking a malicious QR code.

It’s a trap!

Over the years, retailers, financial institutions, and marketers have replaced traditional barcodes with QR codes, with the benefit that they can store large amounts of data and instantly link users to websites, apps, or digital content when scanned with a smartphone.

Fraudsters, however, have also integrated them into both physical and digital scams, boosted by AI to make these attacks faster and more effective.

Marijus Briedis, CTO at NordVPN, explains: "Unlike traditional phishing emails, where people have learned to spot the warning signs, a physical QR code seems inherently trustworthy."

As a result, scammers have been increasingly exploiting a malicious e-commerce technique called 'brushing.' This involves sending unexpected parcels with cryptic notes encouraging recipients to scan a QR code to learn more, only to be redirected to phishing websites.

NordVPN warns that real-life examples include Amazon appearing to have sent packages that were never ordered, with a QR message encouraging recipients to claim nonexistent rewards as part of larger scam operations.

Earlier quishing scams also involved fake payment QR codes placed in car parks, where victims ended up inadvertently sending money to criminals.

A particularly emotionally manipulative scam tricks victims into scanning QR codes by persuading them that it will provide proof that their partner is cheating on them.

Because QR codes are so versatile for creative scam tactics, their use in fraud has skyrocketed. According to reports from cybersecurity experts at Keepnet, 26% of all malicious links are now embedded in QR codes.

NordVPN has been at the forefront of the fight against scams, strengthening its Threat Protection Pro features, including email protection that scans links for phishing threats. Scam blocking remains its top priority for 2026. Last week, the VPN provider blocked 92% of malicious websites in testing conducted by AV-Comparatives.

How to stay safe?

While essential for protecting your data, a virtual private network (VPN) will not prevent you from scanning a malicious code yourself. Although studies show that Britons are actually quite good at spotting phishing scams, NordVPN urges us to remain vigilant by following some easy preventive steps.

Briedis’ advice is clear: "Treat every unexpected QR code with the same suspicion you would treat a link from an unknown sender in your inbox."

Before scanning a QR code, make sure you know who sent it and verify that the company requesting the scan is trustworthy.

Since most smartphones allow you to preview links, check whether the URL looks unusual or suspicious.

Keep your security measures active, including VPN protection, and be wary of QR codes found in unusual ways or locations.

And if this is old news to you, be sure to share it with someone who isn’t aware: after all, a user per day might just keep those scammers at bay.


Silvia Iacovcich
Contributing Writer

Silvia Iacovcich is a tech journalist with over five years of experience in the field, including AI, cybersecurity, and fintech. She has written for various publications focusing on the evolving regulatory landscape of AI, digital behavior, web3, and blockchain, as well as social media privacy and security regulations.
