Quishing: scams with QR codes and links in text messages
Quishing hides fraud inside a QR code you scan with confidence. We explain how it works and how not to fall for it.

You get a text from the postal service: "Your parcel is on hold, scan the QR code to arrange delivery." Or a traffic fine with a printed code. You scan it, follow the link and hand over your details. That is quishing: fraud tucked inside a QR code. The little square doesn't look dangerous, and that is exactly the trap.
What exactly is quishing and how does it differ from smishing?
The word "quishing" comes from combining "QR" and "phishing". It is a variant of the classic scam, but it changes the piece that fools you. In traditional smishing you receive a text link that you can read: correos-entrega-pago.net. Even if it is disguised, you have something to examine before tapping.
Quishing erases that clue. A QR code is a pattern of squares your eye cannot decipher. You don't see the address it points to until you have already opened it. The scammer hides the destination inside the image and asks you to trust what surrounds it: a company logo, the format of an official letter, the urgency of a message.
That is the heart of the new angle. The vector isn't purely digital. A fraudulent QR can reach you by text, yes, but also stuck on a lamppost, printed on a fake fine under your windscreen wiper, slapped over a real parking meter, or inside a letter in your postbox. The physical medium adds a layer of credibility that a stray text message lacks. Few people are suspicious of a piece of paper with a letterhead.
Once you scan it, the flow is the same as in any phishing: it takes you to a cloned website that imitates your bank, the postal service, the traffic authority or the tax office, and asks you for personal or banking details, or to "verify" your identity. In some cases the link tries to download a malicious app onto your phone.
Why are scammers now turning to QR codes?
Because the QR code solves two problems the criminal has. If you are interested in the bigger picture, we cover it in our analysis of spam trends in Spain.
The first problem is learned distrust. People have heard "don't tap odd links in text messages" a thousand times. A QR code doesn't look like a link. It looks like a modern, neutral tool, the same one you use to pay or view a restaurant menu. That familiarity lowers your guard.
The second problem is automatic filters. Many anti-spam systems used by carriers and email providers scan the text of a message for suspicious domains. A QR code is an image. The malicious link travels hidden inside a graphic and many filters don't read it. This becomes even more relevant with the new CNMC regulation that, from 7 June 2026, will require alphanumeric SMS and RCS sender names to be registered, making text-based impersonation harder. When one door closes, scammers look for another, and the QR code is one of those doors.
What's more, the QR code works anywhere at no cost. Printing a sticker is cheap. Sticking it over a legitimate QR on a parking meter or a poster raises no immediate suspicion. The criminal doesn't need your number or to break any filter: all it takes is for you to walk past.
Where might you come across a fraudulent QR code?
Not all malicious QR codes arrive the same way. Knowing the channel helps you calibrate your suspicion. This table sums up the most common scenarios and the warning sign for each one.
| QR channel | How it appears | Warning sign |
|---|---|---|
| SMS / messaging | "Parcel on hold", "verify your account", pending fine | They rush you and the QR replaces a text link |
| Letter in the postbox | Letterhead of a bank, the tax office, traffic authority or an energy company | They ask you to scan to "avoid a penalty" or collect something |
| Fine under the windscreen wiper | Official-looking paper and a QR to "pay the fine" | Traffic and local authorities don't collect fines via a QR on the windscreen |
| Sticker in a public space | Over a real parking meter, poster or menu | The QR is stuck over another one or clashes with the medium |
| Invoice, parcel or notice with the QR as an image | The QR stops the filter from reading the malicious link |
The case of the fake fine under the windscreen wiper is the most confusing one, because it blends a credible physical medium with the implicit authority of a penalty. Remember: neither the traffic authority nor local councils collect fines by scanning a code stuck on your car. If you want to learn how to verify official notices, we explain it in how to check a notice from the tax office or Social Security.
How to scan a QR code without falling for the trap?
The golden rule is simple: a QR code is just a way to open a link, so treat it with the same distrust as any link you weren't expecting. The medium changes, the danger doesn't.
Follow these steps before acting on any QR code you didn't request yourself:
- Preview the address before opening it. Most phone cameras show the full URL before loading the page. Read it carefully. Don't tap yet.
- Check the domain closely. Look at the part just before the first
/.correos.es/avisois legitimate;correos.entrega-es.comorcorreos-pago.netare not, even if they start with "correos". Scammers play with subdomains and hyphens to confuse you. - Be wary of shorteners. If the link is a
bit.lyor similar, you don't know where it points. An official body doesn't hide its address behind a shortener. - Don't enter sensitive details. No website you reach through an unsolicited QR code should ask you for banking passwords, your PIN, verification codes or your full card number.
- Don't install anything. If scanning the QR offers to download an app from outside the official store, close it. That is an almost certain sign of fraud.
- Verify through the official channel. Unsure about a parcel, a fine or a notice from your bank? Go to the official website yourself by typing the address, or use the app you already have installed. Never use the QR code you were sent.
This principle of "verify on your own, not through the channel that contacted you" is the same one we apply to check whether a call or text from your bank is real. The technology changes, but the defence is identical.
What makes a fraudulent QR code so effective?
There is a psychological detail worth understanding. When you scan a QR code, you make a leap of trust you wouldn't make with a text link. With text, you read and judge. With a QR code, you point the camera and let the phone decide for you. That automatic gesture is exactly what the scammer exploits.
On top of that comes context. An isolated QR code inspires less trust than one framed within something you recognise: the format of a fine, your bank's colours, a courier company's logo. The criminal invests in making that wrapping look real, because they know the QR only works if the rest convinces you.
And then there is urgency, the ever-present ingredient in any fraud. "Your parcel is returned today." "Fine with a surcharge if you don't pay within 48 hours." "Your account will be blocked." Haste switches off critical thinking. If you notice a message pushing you to act quickly, there's your first sign that something doesn't add up. We expand on this in how to read the risk signals of a number or message.
It is worth keeping in mind with older people, who may be less familiar with how a QR code works and more inclined to trust the physical medium. If you care for someone vulnerable, our guide on how to protect older people from phone scams can help.
What if I've already scanned the QR code and given out my details?
Don't panic, but act fast. Speed matters more than blame.
- If you gave out banking details, call your bank immediately on the official number (the one on the back of your card or in their app, never one given to you in the message). Ask them to block the card and watch for transactions.
- If you entered passwords, change them as soon as you can, starting with your email and your banking. If you reused that password on other sites, change it everywhere too.
- If you installed an app, uninstall it and run a security scan. If in doubt, go to a trusted technical service.
- Gather evidence. Save the text message, photograph the letter or fake fine and note down the website the QR took you to. They will be useful for filing a report.
- Report it. You can contact INCIBE on 017 (or 900 116 117), also via WhatsApp and Telegram, every day from 8:00 to 23:00 and free of charge. And file a report with the National Police or the Civil Guard.
You'll find the full step-by-step plan in our guide on what to do after giving out your details, within the NoCall guides section.
The square isn't innocent
Quishing doesn't invent a new scam: it recycles the same old phishing and dresses it up in modern clothes. The QR code is neither good nor bad, it's just a channel. The problem appears when you let that channel take away your moment to think.
Take this away with you: treat every unsolicited QR code the way you would a stranger who stops you in the street and asks for your wallet "to verify a detail". However convincing their uniform, you check first. Preview the URL, distrust the rush and always verify through the official channel you already know.
The community is our best defence. If you've received a suspicious text message with a QR code or a number that smells of fraud, look it up and report it in the NoCall spam number directory. Every report helps to stop the next person falling for it. And if you want to understand the ecosystem better, take a look at the current trends and the most reported prefixes.
Received a suspicious call?
Look up the number in NoCall before sharing data, calling back, or clicking any link.
Search a phone number or a company name (ESB, Vodafone and Three...) to check if it has been reported as spam.
