Manipulated QR codes on parking meters, in letters and on parcel labels – quishing is the fastest-growing fraud scheme in Germany.
QR codes are ubiquitous: in restaurants, at electric vehicle charging stations, on parking meters, in letters and emails. Scammers exploit this very ubiquity. In so-called quishing – a combination of "QR code" and "phishing" – manipulated QR codes are used to redirect victims to fake websites and steal login credentials, credit card information, or other sensitive data. The German Federal Office for Information Security (BSI) now classifies quishing as an acute threat, and security experts recorded a fivefold increase in malicious QR codes by the end of 2025. Around 20 percent of all phishing attacks are now based on QR codes.
Why QR codes are a perfect tool for fraudsters
The fundamental problem is simple: the URL contained in a QR code is not visible before scanning. While you can at least check the address of a link in an email before clicking, with a QR code you're trusting that the code leads to the correct destination. Scammers deliberately exploit this blind trust.
Furthermore, attackers have a technical advantage: Conventional spam filters in email programs recognize links in the text and can block them. QR codes, however, are treated as image files and pass through the filters undetected. The attack shifts from the protected computer to the less secure smartphone – where corporate firewalls and desktop security software are ineffective.
The most common Quishing scams
Parking meters and EV charging stations: In Kassel, fraudsters affixed fake QR codes to over 300 parking ticket machines – professional stickers designed to resemble the EasyPark payment service. Anyone scanning the code landed on a deceptively authentic payment page. After a few seconds, the page even redirected to the genuine EasyPark website – but by then, the credit card data had already been stolen. Similar cases have been reported from Hanover, Frankfurt, Cologne, Dortmund, and Berlin. The same scam works at EV charging stations, where fraudsters cover the original payment codes with stickers.
Fake bank letters: A particularly brazen scam involves criminals sending letters in the corporate design of savings banks, cooperative banks, or Commerzbank. The letters urge recipients to renew a security procedure such as pushTAN or photoTAN via a QR code. The code leads to a fake login page. The Lower Saxony State Criminal Police Office (LKA Niedersachsen), the Federal Financial Supervisory Authority (BaFin), and several consumer protection agencies have issued official warnings.
Fake package notifications: Scammers are distributing counterfeit notification cards designed to look like DHL cards in mailboxes. The QR code on the card leads to a phishing website that requests personal or banking information. Important to know: While DHL does use QR codes on genuine notification cards, these cards never request personal or payment information. If you are asked to enter your bank details after scanning the QR code, it is a scam. Always check tracking numbers using the official Post & DHL app or at dhl.de.
Fake posters on public transport: In Düsseldorf, fraudsters hung fake posters on buses and trams promising to "win 10,000 Germany tickets." The QR code led to a website for identity theft. People expect to see official advertising on public transport – and that's exactly what the perpetrators are counting on.
QR codes in emails: Current campaigns target users of streaming services like Spotify or Disney+. Subject lines read "Problems with your last payment" or "Update required." Instead of a clickable link, the emails contain a QR code that bypasses conventional spam filters.
Five rules to protect against Quishing
First: Check the URL preview. After scanning a QR code, the iPhone camera displays a preview of the target URL before you open it. Take a second and carefully check the displayed address. Look out for typos in the company name, unusual domain extensions, or suspiciously long URLs. If in doubt: don't open it.
Second: Use official apps instead of QR codes. Download payment apps like EasyPark, ADAC, or your charging station operator's app directly from the app store. This way, you completely avoid manipulated QR codes at vending machines. The same logic applies to banking: Always use your bank's official app instead of a QR code from a letter or email.
Third: Look out for signs of tampering. Check QR codes in public spaces for visible adhesive residue, stickers covering the original code, or edges that indicate they have been covered up. If a vending machine has a display, scan the code from the display rather than a sticker.
Fourth: Do not enter sensitive data after scanning a QR code. If you are unexpectedly asked to enter login details, PINs, TANs, or credit card information after scanning a QR code, this is a clear warning sign. Reputable providers never request such information without prior authentication.
Fifth: Be wary of bank letters with QR codes. If you receive a letter from your bank with a QR code, call the official hotline before scanning the code. Legitimate banks generally do not request QR code scanning via mail. Also, check whether you are addressed personally – fake letters often use generic salutations such as "Dear Account Holder".
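The URL checks from the first rule can also be automated on a URL that has already been decoded from a QR code. The following is an added example, not part of the original article; the allowlist, the set of usual extensions, the length threshold and the sample URLs are assumptions constructed for illustration. It goes slightly beyond the rule by also flagging non-HTTPS links, punycode hosts and the userinfo trick.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed policy values for this sketch (not from the article or any vendor).
EXPECTED = {"dhl.de"}                      # domains you expect behind the code
USUAL_TLDS = {"de", "com", "net", "org", "eu"}
MAX_URL_LEN = 100                          # "suspiciously long" threshold

def registrable(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])

def triage(url, expected=EXPECTED):
    """Return warning tags for a URL decoded from a QR code ([] = expected domain, clean)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:         # e.g. https://dhl.de@other.example/
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")   # possible homograph domain
    if len(url) > MAX_URL_LEN:
        findings.append("long-url")
    domain = registrable(host)
    if domain in expected:
        return findings                    # genuine domain or one of its subdomains
    if host.rsplit(".", 1)[-1] not in USUAL_TLDS:
        findings.append("unusual-tld")
    label = domain.split(".")[0]
    for good in expected:
        brand = good.split(".")[0]
        if good in host or brand in host.split("."):
            findings.append(f"brand-outside-domain:{good}")
        elif SequenceMatcher(None, label, brand).ratio() >= 0.75:
            findings.append(f"lookalike:{good}")   # typo in the company name
    if not findings:
        findings.append("unknown-domain")
    return findings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://www.dhl.de/sendungsverfolgung",
    "https://dhll.example/paket",
    "https://dhl.de.zustellung.example/login",
    "http://paket-service.example/" + "a" * 120,
]
```

An empty result only means the URL sits on an expected domain; it says nothing about domains that are missing from the allowlist, which is why unknown hosts get their own tag.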
What Quishing has in common with Phishing and Smishing
Quishing, phishing, and smishing are three variations of the same basic strategy: fraudsters impersonate trusted senders and create a sense of urgency to trick victims into revealing sensitive data. The only difference lies in the transmission method – email, SMS, or QR code.
The security principles are therefore universal: Don't click or scan anything unexpected. Never enter passwords, PINs, or TANs via a link or QR code that you haven't accessed yourself. Use two-factor authentication for all important accounts – our article Creating & Managing Secure Passwords shows you how to set this up in your passwords app. And when you're using a public network, protect your connection even further – you can find all the tips in our article Using Public Wi-Fi Securely.
What to do if you've fallen victim to Quishing?
If you entered data on a suspicious website after scanning a QR code, act immediately. Block your credit or debit card right away by calling the emergency hotline 116 116. Change any passwords you entered on the site. Contact your bank and inform them about the incident – unauthorized transactions may still be stopped. File a police report; this can also be done via your state's online police station. And check your bank statements for any unfamiliar debits in the following days.
Scanning QR codes – but with common sense
QR codes are convenient and here to stay. That makes it all the more important to treat them with the same skepticism as links in emails or text messages. The rule of thumb: If you're not expecting a QR code, don't recognize it, or it seems suspicious – don't scan it. Instead, use official apps, manually type addresses into your browser, and check the URL preview on your iPhone before opening a page. This way, you'll stay safe even in a world full of QR codes.
Frequently Asked Questions: How to Recognize Quishing
Quishing is a scam in which criminals use manipulated QR codes to redirect victims to fake websites. There, sensitive data such as passwords, credit card information, or banking login details are stolen. The term is a combination of "QR code" and "phishing."
Manipulated QR codes are placed on parking meters, electric vehicle charging stations, in forged bank letters, on package notifications, on public transport posters, and in phishing emails. Fraudsters often cover the original codes with professionally designed stickers.
Simply scanning a QR code on an iPhone isn't dangerous – the camera initially only displays a preview of the target URL. It only becomes dangerous when you open the page and enter data or follow a prompt to install something. iOS inherently protects against installing apps from unknown sources.
Check for visible adhesive residue, stickers covering the original code, or edges that indicate the code has been covered over. If the machine has a display, scan the code from the screen. If in doubt, use the official app of the payment service instead of the QR code on the device.
Yes, DHL can use QR codes on genuine notification cards – however, these only redirect to official DHL pages and never request personal data or payment information. If you are asked to enter bank details, passwords, or credit card numbers after scanning, it is a scam. If in doubt, always check tracking numbers using the official Post & DHL app or at dhl.de.
Block your credit or debit card immediately by calling the emergency hotline 116 116. Change any passwords you entered on the suspicious website. Contact your bank to stop any unauthorized transactions. File a police report and check your bank statements for any unfamiliar charges in the following days.
All three are variations of the same strategy: fraudsters impersonate trusted senders to steal sensitive data. The difference lies in the transmission method – phishing occurs via email, smishing via SMS, and quishing via manipulated QR codes. The protective principles are identical for all three scams: never click on or scan anything unexpected and never enter sensitive data via an unverified link.



