The once-novel QR codes are now a common technology. Whether you scan them to download an app, claim a discount, pay for parking, access a menu, or register for an event, they’re fast and easy.
And that’s exactly why attackers started paying attention to them.
Security researchers have observed a growing number of phishing campaigns built around QR codes over the past few years. The tactic is often referred to as quishing: instead of sending users directly to a suspicious website, attackers hide the destination behind a code and rely on the scan.
The technique isn’t particularly sophisticated, as QR codes often feel trustworthy by default. The interesting challenge comes when a malicious QR code appears in an ad, promotion, or landing page, where the consequences can extend far beyond a single click.
So how exactly does quishing work, and why is it becoming a growing concern across the advertising ecosystem?
Contents
- The Hidden Risk Behind a Scan
- Why Users Trust QR Codes More Than They Should
- How a Legitimate-Looking Ad Can Turn Into a Scam
- Why This Becomes an Advertising Problem
- Why Attackers Are Betting on QR Codes
- The Tricks You'll See Again and Again
- Where Ad Networks Enter the Picture
- Watch Out for These Signals
- Final Thoughts
The Hidden Risk Behind a Scan
At its core, quishing is exactly what it sounds like: phishing delivered through QR codes.
There is no suspicious link to click, just a QR code scan that leads to a malicious destination. The endpoint can be a fake login page, a fraudulent payment portal, a malware download, or a website designed to collect personal information.
Unlike traditional phishing emails, where users can inspect links, hover over URLs, or notice suspicious domain names, a QR code wraps all of that information behind a visual element that has managed to gain most users’ trust. That’s what makes the attack more sophisticated.
In many cases, the users don’t even realize anything is wrong until after they submit the sensitive information.
Why Users Trust QR Codes More Than They Should
QR codes aren’t dangerous. Creating a layer of separation between the user and the destination is.
When someone clicks a link, they’re usually making a conscious decision based on information they can see. For example, when a scammer asks you to verify your payment details by clicking a link like www.paypalls.gg, you will probably spot the scam and ignore and/or report the request.
With QR codes, the process works differently because they’re so commonly used. In restaurants, grocery shopping, bus stations, etc., QR codes are almost automatically scanned.
You scan QR codes daily to pay for parking, to connect to Wi-Fi, or to claim a promotional offer. The fact that most of these experiences are completely legitimate has gradually trained users to treat QR codes as routine rather than potentially risky. They gained trust before being verified.
It is this familiarity that creates an opportunity for attackers. A QR code doesn’t look suspicious. In fact, the more ordinary it appears, the more likely users are to trust it.
That’s one of the biggest reasons quishing has grown so quickly: it exploits users’ expectations instead of a software vulnerability.
How a Legitimate-Looking Ad Can Turn Into a Scam
Many people still associate phishing with an email scam. In reality, QR codes have expanded the number of places where phishing campaigns can appear.
Malicious QR codes can be embedded into:
- Banner ads
- Promotional landing pages
- Affiliate campaigns
- Social media promotions
- App download offers
- Digital coupons
- Event registration pages
- Sponsored content
When a user sees a banner promoting a limited-time discount, they’re encouraged to scan a QR code to access the offer on mobile, instead of clicking a button. The creative looks legitimate, the branding appears familiar, and the promotion itself doesn’t raise any obvious red flags. After scanning, though, the user lands on a phishing page designed to imitate a retailer, payment provider, cryptocurrency platform, or financial service.
At that point, the attack is already underway.
The interesting part is that the advertisement itself may not contain any visible malicious elements. Everything problematic exists behind the QR code.
That is what makes legitimate advertising campaigns difficult to distinguish from phishing attempts.
[Figure: attack flow. Labels: … or Promo, QR Code, Opens, Payment Portal, Information, Data Stolen]
Why This Becomes an Advertising Problem
When users scan a QR code from a promotion and end up on a phishing page, they typically remember that the bad interaction happened and become skeptical.
From the user’s perspective, the experience happened on an ad, potentially leading to complaints, negative feedback, and, in the long run, reduced trust. After all, the digital advertising ecosystem depends on trust. Users need to trust the ads, and advertisers need to trust the traffic they buy.
Phishing campaigns undermine that trust for EVERYONE involved in this chain. Even when malicious campaigns are eventually removed, the damage to user perception can linger long after the original threat disappears.
Why Attackers Are Betting on QR Codes
Several trends have made QR-based phishing particularly attractive over the past few years.
1. Simple adoption
First, QR codes have gone from being a niche tool to an everyday part of digital life – the more common they become, the less attention users pay to individual scans.
2. Mobile behavior
People spend more time on smartphones than ever before, and QR codes fit naturally into mobile experiences because they remove friction and make navigation easier.
At the same time, mobile devices also make verification less likely. URLs are less visible, screens are smaller, and users tend to move quickly between pages. As a result, people often focus on completing an action rather than validating the destination.
And, there’s also a third factor that doesn’t get discussed as often…
3. Traditional phishing channels have become harder to exploit
Email security has improved, browser protections are stronger, and users have become more skeptical of suspicious links.
At the same time, QR codes haven’t yet developed the same reputation, and this is what makes them an attractive alternative for scamming users.
Quishing Threat
Attackers often move toward channels where users are less suspicious.
The Tricks You’ll See Again and Again
While quishing campaigns vary widely, most follow a handful of familiar patterns, which we are going to share with you below:
Fake Discounts and Limited-Time Offers
Urgency remains one of the oldest tricks in the phishing playbook. Users are encouraged to scan a QR code to unlock a discount, receive cashback, claim a gift card, or access an exclusive promotion. Once they arrive at the destination, they’re asked to provide account credentials or payment information.
Account Verification Requests
Some campaigns impersonate trusted services and claim that users need to verify account details, update passwords, or confirm payment information. The QR code serves as a shortcut to a convincing phishing page, where a user can share their personal details.
Mobile App Downloads
Attackers sometimes disguise malicious destinations as software downloads, app updates, and/or premium features. Instead of sending users to an official app store, the QR code redirects them wherever is convenient for the scammer.
Event and Registration Scams
Registration forms are another popular target in 2026. Users are promised access to an event, webinar, conference, or exclusive content, when in fact the registration page is fraudulent.
Where Ad Networks Enter the Picture
No security system can eliminate every threat completely. However, responsible ad networks implement multiple layers of protection, designed to reduce the likelihood of malicious campaigns reaching users.
These measures often include:
- Advertiser verification
- Creative review processes
- Landing page analysis
- Automated threat detection
- Ongoing monitoring after campaign approval
The problem that quishing introduces is an additional layer that isn’t always visible during a standard creative review. A banner may look completely legitimate while the QR code points somewhere unexpected, and in some cases dynamic QR codes can even change destinations over time. All of this underlines the need for continuous monitoring, which is just as important as the initial review process.
This is why security in digital advertising is rarely a one-time task. Threat actors constantly adapt their methods, and detection systems must evolve alongside them.
Watch Out for These Signals
Not every QR code deserves suspicion, as most campaigns using them are entirely legitimate.
- QR code isn’t necessary for the action
- Excessive urgency (“Act Now”, “Expires Today”)
- Branding changes after scanning
- Multiple redirects
- Requests for passwords or payment details
- Offer seems too good to be true
Remember
One warning sign doesn’t automatically mean fraud. Several appearing together deserve closer attention.
Although these signals don’t individually prove malicious intent, it is strongly advised to pay attention when several of them appear together.
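The signals above that can be checked mechanically, together with the post-approval re-checking described under “Where Ad Networks Enter the Picture”, can be combined into a small scoring routine. This is an added example, not code from the original article or from any ad network; the observation fields, the two-signal threshold, and the sample data are assumptions, and the QR payload is assumed to have been decoded and its redirect chain recorded already.

```python
import re
from urllib.parse import urlsplit

# Urgency phrases are the two the article quotes; the input patterns are assumptions.
URGENCY = re.compile(r"\b(act now|expires today)\b", re.I)
SENSITIVE_INPUT = re.compile(
    r"<input[^>]+(type=[\"']?password|autocomplete=[\"']?cc-number)", re.I)

def host(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def same_site(h, declared):
    """True if h is the declared domain or one of its subdomains."""
    return h == declared or h.endswith("." + declared)

def quishing_signals(obs, approved_final=None, min_redirects=2):
    """Return the warning signs present in one scan observation.

    obs keys (hypothetical schema): declared_domain, creative_text,
    chain (URLs from the QR payload to the final page), landing_html.
    approved_final is the final URL recorded at creative review, if any.
    """
    signals = []
    final = host(obs["chain"][-1])
    if URGENCY.search(obs["creative_text"]):
        signals.append("urgency")
    if len(obs["chain"]) - 1 >= min_redirects:
        signals.append("multiple_redirects")
    if not same_site(final, obs["declared_domain"]):
        signals.append("branding_change")
    if SENSITIVE_INPUT.search(obs["landing_html"]):
        signals.append("credential_or_payment_request")
    if approved_final and host(approved_final) != final:
        signals.append("destination_changed_since_review")
    return signals

def needs_review(signals, threshold=2):
    """One sign is not proof; several together get escalated."""
    return len(signals) >= threshold

# Constructed observations (not real campaigns), using reserved example domains.
AT_REVIEW = {"declared_domain": "shop.example", "creative_text": "Scan for the menu",
             "chain": ["https://qr.shop.example/m1", "https://www.shop.example/menu"],
             "landing_html": "<h1>Menu</h1>"}
AFTER_SWAP = {"declared_domain": "shop.example",
              "creative_text": "Expires today! Scan for 80% off",
              "chain": ["https://qr.example.net/m1", "https://r.example.org/x",
                        "https://login.example.com/verify"],
              "landing_html": '<form><input type="password" name="p"></form>'}
```

Running the same check on a schedule, with the final URL stored at approval passed as `approved_final`, is what catches a dynamic QR code whose destination changes after the creative was reviewed.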
Final Thoughts
With quishing, users might think that QR codes are dangerous. In fact, a QR code is just another way of delivering a destination, not a direct source of digital threat. It can open a restaurant menu, launch an app download, complete a purchase, or, in scam cases, direct a user toward a phishing page.
The technology itself is harmless, and what defines the term quishing is the trust users place in the process. People learned to question suspicious emails and unfamiliar links, but QR codes often bypass those instincts because they feel more familiar. For this precise reason, users scan first and think later.
Often, the consequences extend beyond individual victims. A single malicious campaign can affect user confidence, ad reputation, and trust across the broader advertising ecosystem. As QR codes continue to spread across advertising, eCommerce, payments, and mobile experiences, they will remain a valuable tool for legitimate businesses. At the same time, they’ll continue attracting attackers looking for new ways to reach potential victims.
Choosing trusted partners matters just as much as monitoring the traffic. And every partner must go through a verification process designed to help maintain a safe advertising environment for both ends of the ad. While it can be more difficult to eliminate risk entirely, multiple review and monitoring layers help minimize the chances of malicious content making its way into your campaigns.

