Cybersecurity

20/11/2025

QRshing: a new threat hidden in QR codes


🎯 We’ve caught you! But relax—this time it’s for your digital safety

If you’re reading this, it means you scanned a QR code. And yes, in the world of QRshing, that’s already an act of bravery (or blind trust). But don’t worry: this QR is legitimate, safe, and designed to leave you with something far more valuable than just a link… knowledge to make sure you don’t get tricked next time you scan.

🕵️‍♀️ Why should you be concerned?

QRshing: A new hidden threat behind QR codes

QR codes have become part of our daily lives—from digital menus at restaurants to app logins, promotions, event tickets, or downloading information. Their convenience has turned them into the perfect disguise for cybercriminals.

Here’s the catch: if you scanned this QR, you’re already part of the 99% of users who do so without thinking twice. And that’s exactly what cybercriminals are counting on.


What is QRshing?

QRshing is a phishing variant that uses QR codes as bait—that’s where the name comes from. It’s the modern version of the classic “click here” scam, now hidden in posters, menus, promotions, apps, and even coffee machines. By scanning a malicious QR, you could be redirected to a fake website that mimics a legitimate one or even download malware without realizing it.

 

Why is it dangerous?

When you scan a QR code, you’re opening a door without knowing what’s behind it until you’ve already stepped through. Scammers use this technique to:

• Install malware on your device.
• Redirect you to fake pages that look like banks, online stores, or trusted services to steal your personal or financial data.
• Impersonate legitimate entities to obtain login credentials.

How to avoid falling into the QRshing trap

Prevention is your best defense. To stay safe, here’s your digital survival toolkit:

  1. Verify the source and purpose of the QR before scanning: Where are you? Who placed it there? Does it look like it was pasted over another code? If it is in a trustworthy place, like a restaurant menu, it’s safer than one on a random public poster.
  2. Disable the automatic URL opening feature when scanning: Always check the link first; remember, the control is in your hands.
  3. Check the URL: Does it belong to the official domain of the product or service? Does it look suspicious?
  4. Inspect for stickers over the original QR: Avoid scanning tampered codes.
  5. Never share personal or banking data without first confirming the site’s authenticity: Use trusted tools to analyze links before accessing.
  6. Be cautious with shortened or suspicious URLs: Not all are malicious, but all deserve your attention.
  7. Keep your security systems active and applications updated: Your antivirus and official apps are your digital shield - avoid installing strange files (.apk, .exe, etc.).
  8. Prevent downloading suspicious files (.apk, etc.): Only download apps from official sources like Google Play Store (Android) or Apple App Store (iPhone).
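
One way to automate points 3, 6 and 8 of the list above for a link decoded from a QR code, before anything opens it. This is an added example, not Redsys code; the official domain `example.com`, the short shortener list and all sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative values (assumptions, not taken from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = (".apk", ".exe")  # file types the checklist names


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(url, official_domains):
    """Return warning labels for a URL decoded from a QR code (empty = no flags)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # "https://brand.com@other.host/" really goes to other.host
        findings.append("userinfo-in-url")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # possible look-alike characters
    if host in SHORTENERS:
        findings.append("shortener")  # real destination is hidden
    # Official means the domain itself or a true subdomain, not a mere prefix.
    if not any(host == d or host.endswith("." + d) for d in official_domains):
        findings.append("not-official-domain")
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("file-download")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://www.example.com/menu",
                   "https://example.com.login-check.test/",
                   "https://example.com@pay.invalid/app.apk",
                   "http://bit.ly/abc"):
        print(sample, triage_qr_url(sample, {"example.com"}))
```

An empty list only means none of these specific checks fired; it does not prove the destination is safe.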

 

Still unsure? When in doubt, prevention is in your hands—and it’s your best defense.

QRshing serves as a reminder that cybersecurity starts with our own digital habits. QR codes are useful and practical, but they also demand good digital hygiene. So, if you ever feel suspicious or have doubts, don’t ignore it—reach out to your Corporate Security or Resilience team. They’re there to help, validate links, analyze risks, and protect you.

🚀 Cybersecurity starts with you

Now that you know what QRshing is, you can proudly call yourself part of the conscious scanners club.

Share this information and become a cybersecurity ambassador.

At Redsys, we continue working to ensure that innovation and security always go hand in hand—because every scan counts, and every informed user is one step closer to a safer digital world.