Quishing (QR phishing) is a cyber attack that uses QR (Quick Response) codes to trick you into visiting a fraudulent website or downloading malicious software.

QR codes are scanned using the camera on your smart device, which gives quick access to a link or app.

What is the scam?

In a quishing attack, scammers embed malicious QR codes into emails, text messages, physical posters and stickers.

Once you scan the code, you may be redirected to a fake login page that looks legitimate, or your device may begin downloading malware without warning.

What to look out for:

  • URL shorteners such as bit.ly or tinyurl that conceal the real web address they link to.
  • Fake physical stickers over real QR codes in common public areas such as restaurants and cafes.
  • QR codes on signs or leaflets asking you to scan the code to receive deals or prizes that seem too good to be true.

How to protect yourself 

  • Pause before you scan – treat QR codes with the same caution as suspicious links. 
  • Confirm if the link is legitimate before clicking – many devices will allow you to preview the URL before opening it. 
  • Navigate to sites manually by entering the URL into your web browser when credentials need to be input for sensitive actions, such as banking or work-related websites.
  • Look for physical tampering, such as QR code stickers that are pasted over an existing code.
  • Avoid urgent messaging – be cautious of QR codes in emails or messages that pressure you to act immediately. 
  • Set your devices to automatically update to ensure security patches are installed promptly on phones and apps. 
  • Use reputable QR scanners – some QR apps include security features that check links before opening. 
  • Enable multi-factor authentication (MFA) on all accounts, where possible.

How to use QR codes safely

  1. Hover the phone camera over the QR code without clicking any link prompts.
  2. Navigate to the bottom of the screen and click the adjacent icon that allows you to copy the link: 
    • on Android – a small up arrow icon 
    • on iPhone – a square on the bottom right
  3. Copy the link.
  4. In your phone's browser, navigate to a trusted URL scanning tool such as: 
  5. Paste the URL link into the URL scanning tool and allow it to process.
  6. Check the verdict, screenshot preview and other characteristics to determine if the link is trustworthy. 
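
The following Python function is an added example, not part of the original guidance. It applies the warning signs above to a link copied from a QR code before it is opened. It goes beyond the shortener check named on this page: the extra shortener hosts, the '@', IP address, encoded-name and expected-host checks, and the name `qr_link_warnings` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# bit.ly and tinyurl are named on the page; the other hosts are assumed additions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}


def qr_link_warnings(url, expected_host=None):
    """Return a list of warning strings for a link decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    if scheme not in ("http", "https"):
        return ["not a web link (scheme: %r)" % scheme]
    if not host:
        return ["no host name in link"]
    if scheme == "http":
        warnings.append("no HTTPS")
    # Text before '@' is login info, not the site that will actually open.
    if parts.username is not None:
        warnings.append("text before '@' hides the real host: " + host)
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        warnings.append("URL shortener conceals the destination: " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a site name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("encoded (punycode) name may imitate another site")
    # Accept an exact match or a true subdomain only, so that
    # 'mybank.example.evil.test' does not pass for 'mybank.example'.
    if expected_host:
        want = expected_host.lower()
        if host != want and not host.endswith("." + want):
            warnings.append("host %s is not %s" % (host, want))
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not taken from real campaigns.
    for link in ("https://bit.ly/3xAmPle",
                 "https://mybank.example@203.0.113.7/login",
                 "https://www.mybank.example/login"):
        print(link, "->", qr_link_warnings(link, "mybank.example") or "no warnings")
```

An empty result means only that none of these signs were found; a URL scanning tool's verdict is still needed.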

What to do if you have fallen victim 

Work devices

Personal devices

  • If you entered login credentials, change your password immediately. Update any other accounts where you reused the password. 
  • If you entered financial details, contact your financial institution straight away and advise of the situation. 
  • If malware may have been installed, disconnect your device from Wi-Fi and run an anti-malware scan. 
  • Inform friends, family, or colleagues if they may receive suspicious messages from your accounts. 
  • Report the scam to ACCC Scamwatch.
  • Seek help from IDCare if your personal information has been exposed.