Quishing & Physical-Digital Attack Convergence
We have spent years learning not to click suspicious email links. Attackers responded by moving the links into the physical world.
The Parking Meter That Was Not Official
Sarah was running late for a meeting. She found a spot, rushed to the parking meter, and saw a bright yellow sticker in the centre: "Pay Faster. Scan to Park."

She scanned it. A page appeared that matched the city's parking portal exactly. She entered her card details, paid $4.00, and left.
By evening, $2,400 in unauthorized charges had appeared on her card.
The sticker had been placed on the meter at 2am. The page was a clone. A QR code's destination is invisible to the eye - there is no way to read it without scanning. And the physical context - a government meter, a familiar location - disabled every skeptical instinct she had.
What Is Actually Happening
A QR code is a visual URL. It goes wherever the creator pointed it. Physical placement gives it authority the URL does not earn.
3x more likely - how much more often people enter payment details via a physical QR code compared to an email link.
The physical object creates unearned trust. A parking meter, a restaurant table, a transit sign - each transfers credibility to whatever is attached to it.
Source: Behavioral Cybersecurity Research Institute, 2024
587% Increase in QR Code Phishing in 2024
Quishing attacks rose 587% in H1 2024 compared to the same period in 2023. Parking meters, EV chargers, and restaurant menus are the most targeted physical locations.
Physical QR Codes Bypass All Enterprise Filters
A QR code on a physical surface reaches the victim's personal device directly. It bypasses every email filter, firewall, and corporate security tool because it never travels through a monitored channel.
Stress Disables Verification Instinct
Quishing attacks at parking meters and transit stops are effective because the target's attention is split: avoiding a penalty or being late overrides the mental bandwidth needed to verify a URL.
Parking, EV Chargers, Restaurants, Transit
The FBI has issued warnings specifically about fake QR codes on parking meters and EV charging stations. Restaurant menus and public notice boards are also active attack surfaces.
Where Physical Trust Becomes a Vulnerability
Parking meters and EV chargers: Attackers print stickers that overlay the legitimate QR code. The physical context - a government or corporate asset - makes the scan feel safe.
Restaurant tables and menus: QR menus became common during the pandemic. Fake codes on restaurant tables redirect to credential-stealing "Free WiFi" portals or cloned ordering pages.
Public transit and posters: Fake "Scan to win" stickers on bus stops and lampposts use curiosity as the trigger. They cast a wide net, relying on high foot traffic rather than contextual trust.
Delivery parcels: QR codes printed on fake delivery notices are placed in letterboxes. Victims scan to "reschedule delivery" and enter personal details on a harvesting page.
The core mechanic is the same in every location: the physical object lends authority to the QR code. The moment you scan, you have left the physical environment and entered a digital one with no visible signals of where you actually are.
Practice: Scan or Skip
Six QR codes in real-world contexts. For each one, decide: safe to scan, scan with caution, or skip. The risk level and documented attack cases are revealed after each choice.
What That Just Showed You
1. Physical context overrides digital skepticism. A QR code on a parking meter feels different from a link in an email - even though both go to the same place. The physical object provides trust the URL has not earned.
2. The URL preview is the only check available. Before the tap, your phone shows a URL preview. That is your one window to verify where you are going. A city parking domain should match exactly - not a variant, not a redirect.
3. Urgency is always a component. Every high-yield quishing location - parking, transit, delivery - carries time pressure. That pressure is not incidental. It is what makes the attack work.
Three Things Worth Doing
1. Run your fingernail over any QR code at a payment terminal. If a sticker has been placed over an original code, the edge is detectable. This takes two seconds and catches most parking meter and EV charger attacks.
2. Read the URL preview before tapping. When you scan with your phone's camera, a preview URL appears. Stop and read it. City parking, restaurant, or courier domains should exactly match what you expect. Any mismatch: close it.
3. Use the official app instead of the code. For parking, transit payments, and deliveries: open the known official app directly. Use nothing from the physical surface. This eliminates the attack entirely.
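The exact-match rule from step 2, written out as an added example (not part of the original page). The expected hostname parking.city.example and every scanned URL below are constructed placeholders; the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the hostname the reader already knows to be official (constructed placeholder).
EXPECTED_HOSTS = {"parking.city.example"}

def check_scanned_url(url, expected_hosts=EXPECTED_HOSTS):
    """Compare the host of a URL decoded from a QR code with the expected host.

    Returns (verdict, reason); verdict is "match" or "mismatch".
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return ("mismatch", "URL does not parse")
    if parts.scheme != "https":
        return ("mismatch", "scheme is not https")
    if parts.username is not None:
        # https://official-name@other-host/ : the text before '@' is not the host
        return ("mismatch", "official-looking text before '@' is not the host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return ("mismatch", "internationalized host, possible lookalike characters")
    if host in expected_hosts:
        return ("match", "host matches exactly")
    if any(good in host for good in expected_hosts):
        return ("mismatch", "expected name embedded in a different domain")
    return ("mismatch", "host is not the expected one")

if __name__ == "__main__":
    # Constructed sample URLs, as they would appear in a camera preview.
    samples = [
        "https://parking.city.example/pay?zone=12",
        "https://parking.city.example.pay-fast.example/pay",
        "https://parking.city.example@pay-fast.example/pay",
        "https://parking-city.example/pay",
        "http://parking.city.example/pay",
    ]
    for s in samples:
        print(check_scanned_url(s), s)
```

A shortened or redirecting link fails this check as well, since its host is not the expected one.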
One Question Before You Continue
Why are malicious QR codes in physical locations more effective than the same link sent by email?