04 March 2026
What Is Quishing? QR Code–Based Phishing and an Assessment from a Data Protection Law Perspective

QR code technology has become one of the key tools of the digital economy. From restaurant menus to public services, from e-commerce to financial transactions, QR codes are used across a wide range of contexts and—because they are fast and practical—have become a natural part of user behaviour. However, this widespread adoption also creates an exploitation ground with a low level of suspicion from the attacker’s perspective.
In its Information Note dated 26 February 2026 titled “The Risk Coming with QR Codes: Quishing” (“Information Note”), the Turkish Data Protection Authority (“KVKK”) examines phishing attacks carried out via QR codes in detail and assesses this threat from a personal data security perspective. The Information Note clearly demonstrates that the issue is not merely a technical cybersecurity risk; it is also an area that must be addressed directly within the scope of data protection law.
What Is Quishing?
Quishing (QR phishing) is a phishing method in which malicious URLs are embedded into QR codes, directing users to deceptive websites where their personal data is captured.
In the Information Note, quishing is defined as the use of fake or subsequently altered QR codes to redirect individuals to malicious websites, to persuade them to disclose personal data, or to cause them to download malware onto their devices.
The Information Note also emphasises that QR codes can be divided into static and dynamic types, and that dynamic QR codes pose a significant risk in particular because the destination URL can be changed in the background.
Difference Between Quishing and QRLjacking
QR-based threats are not limited to quishing. The method referred to as “QRLjacking” is a session-hijacking technique targeting QR login flows. In this method, the user is not redirected to a fake website; instead, the legitimate platform’s QR login flow is abused, enabling the attacker to initiate the session on their own device. For this reason, in QR-based risk assessments, it is important to distinguish between scenarios involving fraudulent redirection and those involving session takeover.
Global Trend and the Scale of the Threat
International cybersecurity reports covering the 2023–2026 period indicate a clear upward trend in QR code–based phishing attacks. It is reported that approximately 10–12% of phishing attacks include a QR code, that QR-based phishing emails have increased dramatically in a short period of time, and that the majority of these attacks focus on credential theft.
In particular, the growing use of mobile devices and the global volume of QR code payment systems reaching the trillion-dollar range have made this area more attractive for financial fraud. These data suggest that quishing is not a temporary trend, but rather has become a permanent component of the phishing ecosystem.
Why Quishing Is Becoming Harder to Detect
The most important factor distinguishing quishing attacks from traditional phishing is that the malicious link is not visible as text. Since the QR code stores the link in a visual format, users cannot assess the destination before scanning.
In addition, most QR interactions take place on mobile devices, and personal phones (BYOD) are often used. This creates an interaction area that falls outside corporate network and email security systems. The fact that QR codes may be delivered via email in image or PDF format can also reduce the effectiveness of traditional URL filtering mechanisms.
How Are Quishing Attacks Carried Out?
The Information Note states that quishing attacks are based on the combination of QR code technology and phishing methods. The attack mechanism generally proceeds through the following stages:
1. Creating the Malicious QR Code
The attacker generates a QR code that redirects to a fake website. This website is often designed to imitate:
- a bank login page,
- an e-commerce account sign-in page,
- a corporate email login panel,
- a payment or campaign verification screen.
2. Placing the QR Code in a “Trusted” Context
The most critical stage of the attack is placing the QR code in an environment that appears legitimate. At this point, the physical and digital scenarios described in the Information Note materialise in practice through examples such as:
- Restaurant Menu Scenario: A fake sticker—visually similar to the original—is placed over the QR menu code on the table. While the customer believes they are accessing the menu, they are in fact redirected to a fraudulent page designed to request, for example, “verify your payment details to receive a discount.” The KVKK Information Note specifically notes that QR codes that appear to have been added later or that are incompatible with the overall design are key risk indicators.
- Parking / Kiosk Payment Scenario: The QR code at a parking payment point is replaced, redirecting the user to a payment page controlled by the attacker. When the user enters licence plate and card details, the data are captured.
- Campaign / Poster Scenario: A QR code placed on a poster offering “50% off” or “enter the prize draw” redirects users to a fraudulent form requesting identity and contact information.
- Corporate Email Scenario: An email titled “account security verification,” “suspicious transaction notice,” or “MFA reset” includes a QR code image. The KVKK Information Note notes that delivering QR codes as visual elements within emails can make link analysis more difficult.
3. Scanning the QR Code
When the QR code is scanned, the mobile device automatically opens the URL embedded in the code. Users often proceed without closely reviewing the link.
4. Requesting Data via a Fake Interface
The user may be asked for:
- username and password,
- multi-factor authentication codes,
- credit card details,
- identity information.
5. Capturing and Exploiting the Data
The information obtained may be used for:
- account takeover,
- financial fraud,
- unauthorised access to corporate systems,
- malware distribution.
How Can Quishing Attacks Be Detected?
The Information Note clearly sets out risk indicators in both physical and digital environments.
1. In Physical Environments
- signs of having been added later,
- a QR sticker placed on top of another,
- design inconsistency with the surface,
- unusual campaign offers or “too good to be true” benefits.
2. In Digital Environments
- messages containing QR codes from unexpected senders,
- language designed to create urgency or panic,
- content that does not clearly identify the sender.
3. After Scanning
- the domain not matching the expected organisation,
- immediate requests for identity or payment information,
- unexpected file download prompts,
- additional redirects or unusual interactions.
Risks for Data Subjects
Quishing attacks may result in serious consequences for data subjects, including:
- identity theft,
- financial loss,
- account takeover,
- malware infection,
- long-term misuse of data.
The Information Note recommends checking whether the link opened after scanning is secured via HTTPS, paying close attention to domain-name spelling variations, and, where possible, accessing the relevant organisation directly through the browser. It also notes that strong password policies and the use of multi-factor authentication can help limit damage if credentials are compromised.
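The “After Scanning” indicators and the Information Note’s advice to check HTTPS and domain-name spelling can be expressed as a small triage check that a security team could run over a URL decoded from a QR code. The Python below is an added example, not code from the Information Note or this article; the organisation domain, the sample URLs and the lookalike rules are constructed assumptions, and the registrable-domain logic is deliberately simplified.

```python
"""Post-scan checks for a URL decoded from a QR code, covering the
'after scanning' indicators: HTTPS, domain mismatch, lookalike spelling,
unexpected file downloads. Added example; values below are constructed."""
from urllib.parse import urlparse

EXPECTED_DOMAIN = "example-bank.com"  # hypothetical organisation domain
DOWNLOAD_EXTENSIONS = (".apk", ".exe", ".msi", ".scr", ".zip")
DIGIT_LOOKALIKES = str.maketrans("0135", "oles")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character spelling variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification for the example: production
    code should use the Public Suffix List (e.g. 'co.uk' needs three labels)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def normalise(domain: str) -> str:
    """Collapse common lookalike substitutions (examp1e, exarnple, vvww)."""
    return domain.replace("rn", "m").replace("vv", "w").translate(DIGIT_LOOKALIKES)

def assess_scanned_url(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Return the risk indicators that apply to the scanned URL (empty = none)."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        findings.append("file-download")
    if host == expected or host.endswith("." + expected):
        return findings  # the expected organisation's own domain or a subdomain
    findings.append("domain-mismatch")
    if expected in host:  # e.g. example-bank.com.verify-host.example
        findings.append("expected-name-embedded-in-other-domain")
    reg = registrable_domain(host)
    if normalise(reg) == expected or edit_distance(reg, expected) <= 2:
        findings.append("lookalike-domain")
    return findings

if __name__ == "__main__":
    for u in ("https://example-bank.com/login", "http://examp1e-bank.com/verify"):
        print(u, "->", assess_scanned_url(u) or "no indicators")
```

The check only covers what is visible in the URL itself; the page-content indicators (immediate requests for identity or payment data, additional redirects) still need a sandboxed visit or manual review.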
Legal Assessment from the Data Controller’s Perspective
Quishing is directly related to data controllers’ personal data security obligations under Article 12 of the Turkish Data Protection Law (Law No. 6698).
A data controller must:
- prevent unlawful access,
- implement appropriate technical and organisational measures,
- make required notifications in the event of a breach.
Social engineering attacks are now regarded as foreseeable risks. Therefore:
- failure to implement MFA,
- failure to provide regular awareness training to employees,
- lack of sufficient control mechanisms in QR-based payment systems
may create compliance risks.
From the GDPR perspective, similar risk-based security and breach notification obligations apply. Managing quishing risk at an organisational level requires measures such as maintaining a QR code inventory, conducting physical environment inspections, implementing controls over dynamic QR redirections, improving visual analysis capabilities for QR codes embedded in emails, and increasing employee awareness through regular quishing simulations.
In particular for financial institutions, anomaly detection for QR-initiated transactions, fraud monitoring systems, and strengthening authentication layers should be regarded as part of a reasonable security standard.
Conclusion
QR codes are an integral part of everyday life; however, when misused, they can create serious risks for personal data.
The broad range of use cases—from restaurant menus to corporate emails—makes quishing an attack method with a low threshold of suspicion. For this reason, individuals must act with awareness, and data controllers must strengthen their risk-based security approach.
Quishing is no longer merely a technical cyber threat; it is a structural threat area that must be addressed through the lenses of data protection compliance, corporate responsibility, and risk management.