QR codes have become a convenient tool for everything from making payments to accessing menus. As their popularity grows, so does their misuse — especially by scammers. 

A new form of phishing known as quishing (QR code phishing) is targeting unsuspecting individuals by redirecting them to fake websites designed to steal personal and financial information.

What is Quishing?

Quishing uses QR codes to lure individuals into scanning and visiting malicious websites.

These codes may appear in public places like parking meters, restaurant tables, or event flyers — or arrive via email, text, or even traditional mail. 

Once scanned, the QR code can direct users to a spoofed site that looks legitimate, often impersonating a government agency or financial institution.

These are common tactics designed by fraudsters to create urgency and trick users into revealing sensitive data.

• There’s a problem with your account or payment.
   
• Suspicious activity requires a password change immediately.
   
• A package couldn’t be delivered and needs rescheduling.
   
• An unexpected “gift” is delivered and prompts you to scan a QR code to find out who it is from.

How to Prevent a Quishing Scam

Consider these risk mitigation tips to protect yourself and family from quishing scams.

• Think before you scan:
  Consider the source of the QR code. Is it from a trusted organization or a random flyer?
   
• Inspect the link:
  Hover your phone’s camera over the QR code without clicking. This usually reveals the URL—check it carefully for misspellings or odd domains.
   
• Watch for tampering:
  Look for signs of sticker overlays or poor-quality prints that may indicate fraud, especially in public spaces.
   
• Don’t trust display names:
  Scammers often spoof names to appear legitimate and will create URL links that are appear similar to actual organization website addresses.
   
• Avoid unexpected messages:
  If you receive a QR code via email or text urging immediate action, verify the message using a known phone number or website.
   
• Protect your devices:
  Keep your phone updated and use strong passwords with multi-factor authentication.

UnitedOne Credit Union will never ask for login credentials, passcodes, or account numbers with a QR code. If you encounter a suspicious QR code or believe you’ve been targeted, contact us immediately. 

If you ever have questions about online threats or scams, please feel free to contact us. 

Visit our Digital Safety page to discover more insights and tips to keep yourself and family safe from scams and fraud attempts.

Questions? We're happy to help!

Call or text UnitedOne Credit Union at (920) 684-0361 in Manitowoc or (920) 451-8222 in Sheboygan or email us at mail@UnitedOne.org.

 Join UnitedOne Apply for Loan Rates