
The Rise of ‘Quishing’: Protecting Your Business from QR Code Phishing

DuitNow QR codes are everywhere, so are the scams

If you live in Malaysia, you probably scanned a DuitNow QR in the last 7 days without even thinking about it.

Coffee shop counter. Pop up bazaar. Clinic reception. Parking. A little standee next to the tip jar. Someone sends an invoice on WhatsApp and there’s a QR sitting neatly at the bottom like, yep, just scan and settle.

That’s the magic of QR payments. No typing. No account numbers. No “is this the right bank transfer reference?” drama. You scan, you see a name, you approve. Done.

And because it feels normal and safe, it gets trusted by default.

That’s exactly what scammers are leaning on right now.

One scan can send an employee to a fake login page, push them into installing malware, or redirect a payment to the wrong recipient. Sometimes it’s not even the company phone. It’s a personal phone that also happens to have corporate email, saved passwords, work chat, and banking apps sitting right there.

This article breaks down what “quishing” is, how it works in the real world, why businesses are getting hit (not just consumers), and what you can actually do to reduce risk without killing the convenience that makes QR payments useful in the first place.

What “Quishing” is (and why it’s different from regular phishing)

Quishing = QR code phishing.

It’s when a QR code is used as the delivery mechanism for a scam. Instead of a sketchy email link, you get a code that redirects you to:

  • a malicious website
  • a fake payment page
  • a fake login page (bank, e wallet, email, payroll portal)
  • an app install (sometimes outright malware)

What makes it different from classic phishing is the “hidden link” problem.

With email phishing, people sometimes catch the red flags. Weird sender address. Bad grammar. Hover over the link and it looks suspicious.

With QR codes, you can’t “hover.” The destination URL is concealed until after the scan, and a lot of scanners will just open the link instantly. On a phone screen, while you’re standing at a counter, maybe with a line behind you, you are not doing deep analysis. You’re just trying to pay and move on.

Also important. Quishing is not “a QR vulnerability.”

The QR code is just a container. The attack is social engineering. It’s criminals exploiting trust, speed, and distraction.

How QR code phishing works in the real world (common quishing playbooks)

Quishing isn’t always sophisticated. In fact, the scary part is how low effort some of these attacks are.

Here are the playbooks that show up over and over.

1) Sticker swap or overlay (the classic)

This is the one businesses should worry about the most because it’s so simple.

A scammer prints a fake QR and places it over the legitimate DuitNow QR at:

  • café counters
  • self service kiosks
  • elevators or lobby posters
  • parking meters
  • donation boxes at events
  • pop up stalls where staff are busy and displays are unattended

To a customer or staff member, it looks normal. They scan, pay, and the money goes to a mule account. Sometimes the first sign is the cashier saying, “Eh, we didn’t receive,” and then the awkward back and forth starts. If the victim is rushed, they might just pay again.

2) Fake “payment confirmation” pages

This is where the QR doesn’t just redirect payment. It redirects to a lookalike page.

Examples:

  • “Confirm your payment to proceed”
  • “Payment failed. Please log in again”
  • “Verify your account for security purposes”

Then the page asks for login credentials, OTP, card details, or e wallet PIN. If someone enters it, the scammer uses those details immediately. OTP based attacks often happen in real time, because the criminal is sitting there ready to transact the moment the victim types the code.

3) Delivery, HR, and admin lures

These show up in offices and shared spaces because they blend in with daily work.

A QR on a flyer, a parcel note, a poster, or even a chat message that claims:

  • “Track your parcel”
  • “Update payroll details”
  • “Claim reimbursement”
  • “Verify your EPF details”
  • “Confirm attendance” (for events, trainings, town halls)

You scan, you land on a fake Microsoft 365 login, or a fake HR portal, or a fake Google page. Credentials get harvested. Then comes the next stage: account takeover, internal phishing, invoice fraud.

4) App install routes (the one that gets ugly fast)

A QR leads to an APK download or prompts the user to install a “security update” app or “payment helper” app.

On Android especially, this can turn into:

  • malware that reads SMS (including OTPs)
  • banking trojans
  • overlay attacks that mimic real app screens
  • device compromise that sticks around after the initial incident

And again, the common ingredient here is speed. People scan, glance, approve. They do not verify the recipient. They do not question why a payment needs an app install. They are just trying to finish the task.

Why businesses are a prime target (not just consumers)

It’s tempting to treat quishing as a consumer problem. Like, oh, that’s for shoppers at cafés.

But businesses are a really attractive target because QR codes sit right inside business workflows now.

Employees scan codes for:

  • vendor payments and invoices
  • shared office kiosks and printers
  • corporate events and registration links
  • deliveries and building access notices
  • parking and facilities payments
  • expense claims and reimbursements

And the risk is blended. A compromised personal phone quickly becomes a corporate problem, because most people have:

  • work email on their phone
  • Slack/Teams/WhatsApp groups
  • password managers or saved passwords
  • Google Drive, OneDrive access
  • sometimes even admin or finance access via mobile

The impact is not theoretical either.

Financial impact

  • misdirected payments to mule accounts
  • reimbursement fraud
  • invoice redirection scams after email compromise
  • chargebacks and dispute handling
  • incident response costs, time, forensics, cleanup

Operational impact

  • account takeover (email, e wallet, internal tools)
  • data exposure (attachments, customer lists, contracts)
  • business interruption while access is reset and systems are checked

Reputational impact

If customers scan a QR at your premises and get scammed, they won’t remember “it was a third party sticker.” They’ll remember your brand and your counter.

Regulatory and contractual risk

If personal data gets exposed, you may have PDPA implications depending on what was accessed and how the breach occurred. Even when it’s not strictly reportable, you still deal with customer trust issues, vendor questions, audits. All the painful stuff.

4 quick tips for employees to spot fake QR codes (share this internally)

If you do nothing else after reading this, copy these 4 tips into your company chat. Put it in onboarding. Stick it in a “Security basics” doc. Because the fastest wins come from staff simply pausing for a second.

Tip #1: Inspect the physical QR before scanning

This sounds almost too basic, but it works.

Look for:

  • sticker over sticker
  • misaligned edges
  • bubbles, wrinkles, peeling corners
  • a QR that looks freshly placed compared to the sign or standee
  • two different print qualities (new shiny sticker on an old matte board)

If it feels tampered with, don’t scan it. Use an alternate payment method and alert staff or your manager.

Tip #2: Pause at the preview step

Use a scanner that shows you the destination first. If your phone auto opens links immediately after scanning, consider changing settings or using a safer scanner option in your payment app.

Watch for:

  • misspellings and odd domains
  • URL shorteners
  • random strings and suspicious subdomains
  • pages that don’t match what you expected (why is this opening a browser when it should open the banking app?)

If the link looks off, stop. Take a screenshot if safe to do so and report it.
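As an added illustration of the preview-step checks above (this is example code, not something from the original article), here is a small Python triage function that applies the same red flags to a URL decoded from a QR before anyone opens it: plain http, raw IP hosts, known shorteners, a trusted name embedded inside someone else’s domain, deep subdomain chains, punycode, direct APK downloads and long random-looking tokens. The shortener list and the allow list of expected domains are constructed placeholders for a hypothetical organisation; swap in your own.

```python
"""Triage a URL decoded from a QR code before it is opened (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed lists for a hypothetical organisation: public shorteners that hide
# the real destination, and the domains our own QR codes are expected to point at.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rebrand.ly"}
EXPECTED_DOMAINS = {"example-bank.com.my", "example-ewallet.my"}  # placeholders


def _host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_qr_url(url: str, expected=EXPECTED_DOMAINS) -> dict:
    """Return {'verdict': 'ok'|'review'|'block', 'host': ..., 'findings': [...]}.

    'ok'     : no red flag and the host is one we expect
    'review' : no red flag, but an unfamiliar host (a human should look)
    'block'  : at least one red flag fired
    """
    findings = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return {"verdict": "block", "host": None, "findings": ["unparseable URL"]}

    host = (parts.hostname or "").lower()
    if parts.scheme not in ("https", "http"):
        findings.append(f"unexpected scheme {parts.scheme!r} (not a web page)")
    elif parts.scheme == "http":
        findings.append("plain http, no TLS")
    if not host:
        findings.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("raw IP address instead of a domain")
        except ValueError:
            pass  # not an IP literal, which is the normal case
        if host in KNOWN_SHORTENERS:
            findings.append("URL shortener hides the real destination")
        if "@" in parts.netloc:
            findings.append("text before '@' is not the site you will land on")
        if "xn--" in host:
            findings.append("punycode label (possible look-alike domain)")
        if host.count(".") >= 3:
            findings.append("unusually deep subdomain chain")
        # The classic trick: a trusted name embedded inside someone else's domain.
        for domain in expected:
            if domain in host and not _host_matches(host, domain):
                findings.append(f"'{domain}' appears inside a different domain: {host}")
    if parts.path.lower().endswith((".apk", ".exe")):
        findings.append("direct executable/APK download")
    # Heuristic: long opaque tokens are typical of throwaway phishing paths.
    if re.search(r"[A-Za-z0-9]{24,}", parts.path + parts.query):
        findings.append("long random-looking token in path or query")

    if findings:
        verdict = "block"
    elif any(_host_matches(host, d) for d in expected):
        verdict = "ok"
    else:
        verdict = "review"
    return {"verdict": verdict, "host": host or None, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs, not real scanned codes.
    for sample in ("https://example-bank.com.my/pay?ref=123",
                   "https://bit.ly/3xyzAbc",
                   "https://example-bank.com.my.verify-account.top/login"):
        print(sample, "->", triage_qr_url(sample))
```

The verdict is deliberately three-way: an unfamiliar but clean host is not automatically bad, it just deserves the pause the tip asks for, while any single red flag is enough to stop and report.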

Tip #3: Verify payee details every time

In the payment app, confirm the merchant or recipient name. Check any identifiers shown: last digits, account info, merchant label.

If it doesn’t match the venue, vendor, or invoice you’re paying, cancel and ask for the official code. Don’t let “close enough” be good enough. Scammers rely on you accepting something that looks vaguely right.
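To show what a payment app has to read before it can display anything at the step above, here is an added Python example (not from the article, and not PayNet’s or any bank’s code). It parses a merchant-presented QR payload in the EMVCo tag-length-value format; that DuitNow QR is built on this format is stated here as an assumption, as is the sample payload, which is constructed with placeholder account identifiers. The code checks the trailing CRC in tag 63, pulls out merchant name, city, country, currency and amount, and reads the point-of-initiation tag that distinguishes a static counter code from a dynamic per-transaction one, which matters for the prevention advice further down.

```python
"""Parse and sanity-check an EMVCo merchant-presented QR payload (added example)."""


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum in EMV QR tag 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def tlv(tag: str, value: str) -> str:
    """Encode one field: two-digit tag, two-digit length, value."""
    if len(value) > 99:
        raise ValueError(f"tag {tag}: value longer than 99 characters")
    return f"{tag}{len(value):02d}{value}"


def build_merchant_qr(fields) -> str:
    """Join fields and append tag 63; the CRC covers everything up to and including '6304'."""
    body = "".join(tlv(t, v) for t, v in fields) + "6304"
    return body + f"{crc16_ccitt_false(body.encode('utf-8')):04X}"


def _tlv_items(data: str):
    """Yield (tag, value) pairs; raise ValueError if a declared length runs past the end."""
    i = 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError(f"truncated tag/length at offset {i}")
        tag, length = data[i:i + 2], int(data[i + 2:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag} declares length {length} but the data ends early")
        yield tag, value
        i += 4 + length


# Templates whose value is itself TLV-encoded: merchant account information (26-51),
# additional data (62) and the merchant language template (64).
NESTED_TAGS = {f"{n:02d}" for n in range(26, 52)} | {"62", "64"}


def inspect_merchant_qr(payload: str) -> dict:
    """Verify the CRC and extract the fields a person should compare with the counter in front of them."""
    result = {"crc_ok": False, "initiation": "unknown", "merchant_name": None,
              "merchant_city": None, "country": None, "currency": None,
              "amount": None, "warnings": []}
    if len(payload) < 8 or payload[-8:-4] != "6304":
        result["warnings"].append("payload does not end with a CRC tag; not a complete EMV QR")
        return result
    expected = f"{crc16_ccitt_false(payload[:-4].encode('utf-8')):04X}"
    result["crc_ok"] = payload[-4:].upper() == expected
    if not result["crc_ok"]:
        result["warnings"].append("CRC mismatch: payload corrupted or hand-edited")
    try:
        fields = {tag: dict(_tlv_items(value)) if tag in NESTED_TAGS else value
                  for tag, value in _tlv_items(payload)}
    except ValueError as exc:
        result["warnings"].append(f"malformed TLV: {exc}")
        return result
    result["merchant_name"] = fields.get("59")
    result["merchant_city"] = fields.get("60")
    result["country"] = fields.get("58")
    result["currency"] = fields.get("53")
    result["amount"] = fields.get("54")
    result["initiation"] = {"11": "static", "12": "dynamic"}.get(fields.get("01"), "unknown")
    if result["initiation"] == "static":
        result["warnings"].append("static code: reused indefinitely, so a sticker overlay is plausible")
    if result["currency"] not in (None, "458"):  # 458 is the ISO 4217 numeric code for MYR
        result["warnings"].append(f"currency {result['currency']} is not MYR (458)")
    if result["country"] not in (None, "MY"):
        result["warnings"].append(f"country {result['country']} is not MY")
    return result


# Constructed sample: a static counter code with placeholder account identifiers.
SAMPLE_STATIC = build_merchant_qr([
    ("00", "01"),                                                    # payload format indicator
    ("01", "11"),                                                    # point of initiation: 11 = static
    ("26", tlv("00", "A0000000000000") + tlv("01", "1234567890")),   # placeholder GUID + merchant id
    ("52", "5812"),                                                  # merchant category code
    ("53", "458"),                                                   # currency: MYR
    ("58", "MY"),
    ("59", "KOPI CORNER SDN BHD"),
    ("60", "KUALA LUMPUR"),
])

if __name__ == "__main__":
    print(inspect_merchant_qr(SAMPLE_STATIC))
```

One caveat worth keeping in mind: a valid CRC only proves the code was not corrupted in print or transit. A fraudster’s own QR carries a perfectly valid CRC too, so the merchant name inside the payload is a claim, and the name your payment app resolves and displays for the receiving account is what the tip asks you to compare against the venue or invoice.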

Tip #4: Treat QR prompts like phishing, because they are

If a page asks for:

  • OTP
  • passwords
  • “re login”
  • card details
  • e wallet PIN
  • or asks you to install an app to complete payment

Stop immediately.

A normal payment flow should not require you to hand over credentials on a random web page. And it definitely should not require installing an app from a QR code.

What to do next (simple internal playbook)

  • Don’t proceed with the scan
  • Take a photo of the QR display if you can do it safely
  • Notify your manager or IT/security contact
  • Use an alternate payment method
  • If money was sent or credentials were entered, report immediately. Time matters with fraud

Quishing prevention for businesses: practical controls that actually reduce risk

You don’t need a big budget to reduce QR related fraud. You need basic control points in the places where QR codes live.

1) Harden your QR displays (physical security)

If you use static printed DuitNow QR codes at a counter or kiosk, treat them like cash handling equipment, not like a random poster.

Do this:

  • laminate the code
  • place it behind the counter or in a branded holder
  • use tamper evident seals (simple ones help)
  • avoid leaving QR standees unattended in public areas
  • schedule checks (opening, shift change, closing)

That last one matters. Make it routine. If nobody “owns” the QR standee, nobody notices when it gets replaced.

2) Use dynamic or verified QR where possible

Static QR codes are convenient but easy to hijack physically.

If your setup allows it:

  • rotate codes periodically
  • generate per transaction QR codes
  • use POS systems that generate a QR at checkout
  • avoid leaving a single printed QR in the same spot for months

The goal is to reduce the attacker’s window. If the code changes often, sticker attacks become less effective.

3) Browser and link handling defaults

On staff devices, reduce risky behavior by default:

  • disable auto open from QR scanning where possible
  • prefer in app scanners that show destination or merchant info
  • ensure safe browsing protections are enabled
  • keep OS and browser updated (boring advice, still real)

This is especially relevant if staff scan QR codes as part of operations, not just personal payments.

4) Payment workflow guardrails

A lot of business losses happen because one person can pay, approve, and reconcile without friction.

Consider:

  • transaction limits for staff payments
  • secondary approval for higher amounts
  • separate payer devices from admin accounts
  • don’t store high privilege credentials on personal phones if you can avoid it

Even a simple rule like “anything above RMX needs a second pair of eyes” cuts down the damage from one rushed scan.

5) Monitoring and response readiness

Most businesses don’t have a clean way for employees to report “something feels off.”

Make it easy:

  • a dedicated channel like #security or a simple Google Form
  • clear steps: isolate the QR display, switch to alternative payment, inform manager, contact bank/payment provider if needed
  • train front line staff on what to do if a customer says “your QR sent me somewhere weird”

And yes, have the contact info ready. Bank hotline, payment provider support, internal IT contact. When panic hits, nobody wants to hunt for numbers.

Wrap up: QR payments can stay fast, if you add one extra second of verification

DuitNow QR is not going away. It’s too convenient, too embedded into daily life. The goal is not to scare people away from QR payments.

It’s to stop trusting by default.

Quishing is just phishing delivered through a QR code. It works because mobile users are rushed, screens are small, and the link destination is hidden until it’s already opened. For businesses, the impact can be bigger than a single bad payment. It can become account takeover, data exposure, reputational damage, and a compliance headache.

The practical move is simple:

  • Share the 4 employee tips internally
  • Audit your QR displays this week, physically
  • Set a basic reporting process so staff know what to do when something looks off

One extra second of verification is usually all it takes to break the scam.

FAQ: Quishing and QR code phishing

1) Is DuitNow QR itself insecure?

No. DuitNow QR is not “broken.” Quishing is social engineering. Scammers are abusing QR codes as a delivery method, usually by replacing or overlaying legitimate codes, or by tricking users into scanning malicious ones.

2) How can I tell if a QR code sticker has been tampered with?

Look for sticker over sticker, peeling corners, bubbles, misalignment, or a QR that looks newer than the surrounding sign. If it feels suspicious, don’t scan and alert staff or your manager.

3) What should employees do if they scanned a QR and entered credentials or an OTP?

Treat it as urgent. Stop immediately, inform IT/security, change passwords, revoke sessions where possible, and contact the bank or e wallet provider if financial details were involved. The faster you react, the better the chance of limiting damage.

4) Can iPhones get infected via quishing?

iPhones are generally more restrictive with app installs, but quishing can still steal credentials via fake login pages and can still redirect payments. The risk is not only “malware.” It’s also account takeover and fraud.

5) Are dynamic QR codes safer than static printed ones?

Usually, yes. Dynamic or per transaction QR codes reduce the effectiveness of sticker overlay attacks and make it harder for scammers to keep a malicious code in place for long.

6) Should businesses ban QR scanning on personal phones?

Not always realistic. A better approach is to reduce exposure: limit what personal devices can access, enforce MFA, avoid storing admin credentials on personal phones, and implement approval limits for payments. Then train staff on the 4 tips so they can spot scams in the moment.
