BG Beter Geregeld ICT
Security without an IT department · 5 min read · 25 June 2026

QR codes and phishing: why that sticker trick on a parking meter affects your office too

QR codes are everywhere: on menus, parking meters, and invoices. But criminals are increasingly slapping their own sticker on top. Here's how to spot it — and how to protect your team.

A few years ago, QR codes were something you'd only see in an advert. Now you scan them to pay for parking, to settle the bill at a café, to log in to a guest network, and to pay an invoice. Very convenient. But that same convenience makes them an attractive target for fraudsters. The trick is now known as quishing (QR + phishing) — and it hits SMBs harder than you might expect.

What exactly is quishing?

With quishing, the trap isn't hidden in a link in an email — it's embedded in a QR code. That code sends you to a fake website that looks identical to your bank, your payment provider, your Microsoft login, or your supplier. You enter your details and the fraudster logs in right alongside you.

What makes it so tricky: a QR code is just a grid of black and white squares. The link is encoded in it, not printed, so there is no way to tell with the naked eye where it leads. And because you scan it with your phone, often outside the office, often in a hurry, your natural scepticism switches off.

Three scenarios we've seen over the past few months

1. The sticker on the parking meter

In several towns, fraudsters have pasted QR stickers over the real parking QR codes. Anyone who scanned it landed on a fake payment page and handed over their banking credentials. For a business owner rushing to visit a client: it happens just that fast.

2. The invoice with the "handy" payment QR

Dutch suppliers often include an iDEAL QR code on their invoices these days. Fraudsters have picked up on this: they intercept a genuine invoice, swap out the QR code for their own, and resend it. Everything else on the invoice looks correct — only the IBAN behind the QR is wrong.

3. The "reset your MFA" email

An email that looks like a message from Microsoft 365: "Your two-step verification needs to be reset. Scan this QR with your phone." The code leads to a fake login screen. Because the link sits inside an image rather than in the text of the email, the link scanning your mail filter performs on ordinary links has nothing to inspect. And because you open it on your phone rather than your laptop, you step outside the protections on that laptop and lose the full address bar you are used to checking.

Why QR codes are trickier than ordinary phishing

  • You jump between devices. Email on laptop → scan with phone. You step outside your office's security layer.
  • URLs are hard to read on mobile. A long link with microsft-login.xyz buried in it is easy to miss on a small screen.
  • Scanners open links instantly. Many phones open the link automatically without showing a preview.
  • Stickers are physical. No spam filter in the world can stop a sticker on a post.

What you can do this week — without an IT department

Set your phone to "show URL first"

The built-in camera on an iPhone and on most Android phones shows the link in a small banner before it opens anything; tap that banner only after reading it. If you use a separate scanner app, switch off any "open links automatically" option so you get the same preview. One extra tap, but you can see whether it says tikkie.me or tikkie-betalen.support. What counts is the domain, the part between https:// and the first slash, not a brand name that appears somewhere earlier in the address.
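As an added illustration of what "read the domain" means in practice (example code written for this article, not part of the original text or of any product of ours): a small Python checker that takes the link a QR code decoded to and reports which part is the real domain and why it looks suspicious. The allowlist, the brand list and the sample links are constructed for the example; fill in the hosts your own business uses.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hosts this business actually
# uses. Replace with your own bank, payment provider and Microsoft login hosts.
TRUSTED_HOSTS = {"tikkie.me", "login.microsoftonline.com"}

# Brand names that should only ever appear inside a trusted host.
BRANDS = ("tikkie", "microsoft", "rabobank", "abnamro", "ideal")


def registrable_domain(host: str) -> str:
    """Last two labels of the host: good enough for .nl/.me/.com, no public-suffix list."""
    return ".".join(host.split(".")[-2:])


def inspect_qr_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Return host, registrable domain, a verdict and the reasons behind it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme '{parts.scheme}:'")
    elif parts.scheme != "https":
        reasons.append("plain http, not https")
    if not host:
        reasons.append("no host name at all")
    if parts.username is not None:
        # https://tikkie.me@evil.example/ : everything before '@' is a username,
        # the real host is what follows it
        reasons.append(f"'{parts.username}@' is a username, the real host is '{host}'")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host: look-alike characters from another alphabet")
    is_ip = bool(host) and host.replace(".", "").isdigit()
    if is_ip:
        reasons.append("bare IP address instead of a name")

    trusted = host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts)
    if host and not trusted and not is_ip:
        compact = host.replace("-", "").replace(".", "")
        hits = [b for b in BRANDS if b in compact]
        if hits:
            reasons.append(f"'{hits[0]}' used in untrusted domain '{registrable_domain(host)}'")
        if host.count(".") >= 3:
            reasons.append(f"long subdomain chain, the real domain is '{registrable_domain(host)}'")

    if reasons:
        verdict = "suspicious"
    elif trusted:
        verdict = "trusted"
    else:
        verdict = "unknown: read the domain yourself"
    return {"host": host, "domain": registrable_domain(host),
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, as they might appear after scanning a code
    for link in [
        "https://tikkie.me/pay/x9k2",
        "https://tikkie-betalen.support/login",
        "https://tikkie.me@tikkie-betalen.support/login",
        "https://login.microsoftonline.com.verify-mfa.xyz/reset",
        "http://203.0.113.7/ideal",
    ]:
        r = inspect_qr_url(link)
        print(f"{r['verdict']:<10} {link}")
        for reason in r["reasons"]:
            print("           -", reason)
```

The "username" case is the one people miss most often: everything before an `@` in the address is a login name, not the site, so `https://tikkie.me@tikkie-betalen.support/` goes to tikkie-betalen.support. An "unknown" verdict is not a green light; it only means the domain is not one you listed, so read it yourself.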

Agree on one rule for payments

Never pay an invoice via a QR code unless someone has separately verified the IBAN. This is especially important with new suppliers or changed account numbers. Not sure about an IBAN? Run it through our IBAN check: it instantly shows the bank and country, so you can spot a mistyped or made-up account number faster. Bear in mind what such a check can and cannot tell you: it confirms that the number is well-formed and which bank it belongs to, not who owns the account. A fraudster's IBAN is a perfectly valid IBAN. Confirm a new or changed account number by phone, using a number you already had for the supplier, not one printed on the invoice itself.
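What an IBAN check like that does under the hood, as an added example written for this article (not the site's own tool): the ISO 7064 mod 97-10 check-digit test, a length table for a few countries, and a small table of the bank codes that appear in Dutch IBANs, plus the comparison against the number you have on file, which is the check that actually stops invoice fraud. The bank-code and length tables are illustrative extracts; the sample numbers are the widely published example IBANs, not real accounts.

```python
import re

# Illustrative table of bank codes found in Dutch IBANs (characters 5 to 8).
# A handful only; the real list is much longer.
NL_BANK_CODES = {
    "ABNA": "ABN AMRO",
    "INGB": "ING",
    "RABO": "Rabobank",
    "TRIO": "Triodos Bank",
    "BUNQ": "bunq",
}

# IBAN lengths for a few countries a Dutch SMB commonly pays.
IBAN_LENGTHS = {"NL": 18, "BE": 16, "DE": 22, "FR": 27, "GB": 22}


def normalise(iban: str) -> str:
    """Strip spaces and upper-case, so 'nl91 abna ...' and 'NL91ABNA...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def mod97_ok(iban: str) -> bool:
    """ISO 7064 MOD 97-10: move the first four characters to the end, replace
    letters by 10..35, and the resulting number must leave remainder 1."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - ord("A") + 10) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def check_iban(iban: str) -> dict:
    """Validate an IBAN and report country and (for NL) the bank behind it."""
    iban = normalise(iban)
    result = {"iban": iban, "valid": False, "country": iban[:2],
              "bank_code": None, "bank": None, "problems": []}
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", iban):
        result["problems"].append("not shaped like an IBAN")
        return result
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is None:
        result["problems"].append(f"country '{iban[:2]}' not in our length table")
    elif len(iban) != expected:
        result["problems"].append(f"length {len(iban)}, expected {expected} for {iban[:2]}")
    if not mod97_ok(iban):
        result["problems"].append("check digits do not match: a typo or a made-up number")
    if iban[:2] == "NL":
        result["bank_code"] = iban[4:8]
        result["bank"] = NL_BANK_CODES.get(iban[4:8], "unknown NL bank code")
    result["valid"] = not result["problems"]
    return result


def same_account(invoice_iban: str, iban_on_file: str) -> bool:
    """Does the number on today's invoice match the one you verified earlier
    for this supplier? A valid IBAN that differs is the invoice-fraud signal."""
    return normalise(invoice_iban) == normalise(iban_on_file)


if __name__ == "__main__":
    # Constructed inputs: published example IBANs plus a one-digit typo variant
    for s in ["NL91 ABNA 0417 1643 00", "NL91ABNA0417164301", "DE89 3704 0044 0532 0130 00"]:
        r = check_iban(s)
        print(r["iban"], "valid" if r["valid"] else "INVALID", r["country"], r["bank"], r["problems"])
    print(same_account("NL91 ABNA 0417 1643 00", "nl91abna0417164300"))
```

The mod-97 test catches typos and numbers someone made up on the spot; it says nothing about ownership. `same_account` is the one that matters for the invoice scenario above: a payment QR whose IBAN is valid, at a real Dutch bank, but different from the supplier's number on file is exactly the swapped-code fraud.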

No logins via QR

Make this a firm house rule: never log in to a business service via a QR code you received by email. Microsoft, your accounting package, and your bank will never ask you to do that. The one time a QR code does belong in a login flow is when you yourself enrol an authenticator app from the security settings page you navigated to: that code appears on your own screen, never in an email. Always log in via your own bookmark or by typing the URL yourself.

Treat physical QR codes with suspicion

Sticker on top of a sticker? Be sceptical. A few extra minutes of parking costs beats a drained bank account. You can usually still pay with your card or through the app anyway.

Give your team a quick briefing

You don't need to schedule a meeting for this. Five minutes over coffee: show these three examples, explain why QR phishing is really just ordinary phishing in disguise, and agree on the rules above. Done.

What if something goes wrong anyway?

Has someone in your office entered their login credentials on a fake site after scanning a QR code? Take these steps today:

  1. Change the password immediately, and everywhere else that password was used. Also sign out all active sessions for the account: a password change alone does not end a session the fraudster already has open.
  2. Check your two-step verification settings. Is there an unfamiliar device or authentication method listed? Remove it.
  3. Review recently sent emails, any rules set up in the mailbox, and any forwarding configured on the mailbox itself. Fraudsters often create forwarding rules so they keep reading the mail after you change the password.
  4. If a payment was made: call your bank and report it to the Fraudehelpdesk.

Want to get the basics in order before anything goes wrong? Our 2FA implementation and email security services close the most commonly exploited gaps that quishing slips through. Start there — you can't remove a sticker from a post, but you can secure an unprotected mailbox.

Topics

#mkb #security #phishing #awareness #Mobiel

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our extended Security without an IT department guide. Read the pillar for the complete picture.

Read the pillar →