👃 Scam Watch
by SniffTest | Issue #1 | May 2026
Welcome to Scam Watch. Each month we cover one scam type in depth, explain how to spot it, and share a practical tip you can pass on. No fluff, no filler.
This month: QR code phishing, also known as quishing.
Scam of the month
Quishing: when a QR code is the trap
QR codes became normal during the pandemic and scammers noticed. Quishing (QR code phishing) works by replacing a legitimate QR code with a malicious one. Scan it and you land on a convincing fake site designed to steal your credentials, your payment details, or both.
The attack is effective for a simple reason: you cannot see where a QR code points before you scan it. With a normal link you can hover over it and read the URL. With a QR code, you are committing blind.
Where it happens
Parking meters: stickers placed over the real QR code direct you to a fake payment page.
Parcel delivery texts: a fake "missed delivery" SMS includes a QR code to "reschedule," but it leads to a credential or payment harvesting page.
Restaurant tables: table QR codes for menus are easy to replace with a sticker. Rare but documented.
Emails from "trusted" brands: emails from fake banks, HMRC, or couriers embed a QR code instead of a link, specifically because security tools are better at scanning links than QR codes.
The email variant is growing fast. By embedding a QR code image rather than a clickable link, attackers bypass many corporate email security filters that would otherwise flag or block the message.
How to protect yourself
Before you scan, ask these three questions
1. Does the context make sense? A parking meter asking for payment via QR code is normal. An unsolicited text from a courier you were not expecting is not.

2. Check the URL before you tap. Most phone cameras show a preview of the link when you point them at a QR code. Read it. Does the domain look right? Odd subdomains, misspellings, and unfamiliar extensions are all warning signs.

3. Run it through SniffTest. Copy the URL your camera shows and paste it into doasnifftest.com before you open it. We check it against threat databases, look at the domain age, and flag anything suspicious. It takes about three seconds.
If you are at a parking meter or shop and think the QR code might have been tampered with, look for signs of a sticker placed over the original. Edges that do not align, a code that looks slightly raised, or a domain that has nothing to do with the expected operator are all red flags. When in doubt, pay another way.
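As an added example (not SniffTest's code and not the doasnifftest.com check), the URL signals from question 2 plus the "domain that has nothing to do with the expected operator" check from the parking-meter tip, written as a small Python checker. The domain parkright.co.uk and the other hostnames are constructed samples, and the suffix and extension lists are a tiny stand-in for the real Public Suffix List.

```python
# Added example: URL heuristics for the "check the URL before you tap" step.
# Not SniffTest's own checker; all domain names here are constructed samples.
from urllib.parse import urlsplit
import ipaddress

# Tiny stand-in for the Public Suffix List, enough for the UK examples below.
MULTI_PART_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk"}
FAMILIAR_TLDS = {"com", "uk", "co.uk", "gov.uk", "org.uk", "org", "net"}

def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. pay.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def quishing_warnings(url: str, expected_domain: str) -> list[str]:
    """Compare the URL your camera previews with the operator you expect; empty list = no flags."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    try:
        ipaddress.ip_address(host)
        return warnings + ["raw IP address instead of a domain"]
    except ValueError:
        pass
    reg, expected = registered_domain(host), registered_domain(expected_domain)
    brand = expected.split(".")[0]
    if reg != expected:
        if brand in host:  # the brand is only a subdomain or decoration on some other site
            warnings.append(f"'{brand}' appears in the name, but the site is really {reg}")
        elif edit_distance(reg, expected) <= 2:
            warnings.append(f"{reg} looks like a misspelling of {expected}")
        else:
            warnings.append(f"{reg} has nothing to do with {expected}")
        tld = reg.partition(".")[2]
        if tld and tld not in FAMILIAR_TLDS:
            warnings.append(f"unfamiliar extension .{tld}")
    return warnings
```

A clean result from this checker only means none of the newsletter's visible warning signs are present; it says nothing about the page behind the link, which is what the threat-database check is for.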
Pass it on
Someone you know will fall for this
Quishing works especially well on people who are not used to thinking twice before scanning. If you know someone who would scan a QR code from an unexpected delivery text without a second thought, forward them this email. It could save them a lot of trouble.