Cybersecurity experts are sounding the alarm after a recent street-level scam in which a QR code, accompanied by a handwritten note, was found taped to a lamppost. The note, reading “Ammy, I know you are cheating on me… here’s the proof it would be worthwhile for everyone to see,” led unsuspecting passersby to scan the QR code out of curiosity or concern.
This unsettling blend of emotional manipulation and cyber deception has been dubbed “quishing” — a form of phishing that leverages QR codes to redirect victims to malicious websites. Unlike traditional phishing attempts via email, this campaign exploits human emotions like jealousy, curiosity, and fear in the physical world, bypassing standard digital security filters.
Experts warn that this form of attack is not just clever — it’s dangerous. “It targets basic human instincts and emotions,” said one cybersecurity analyst. “Victims are compelled to act before they think — which is exactly what the attacker wants.”
ALSO READ: FCRF Launches Campus Ambassador Program to Empower India’s Next-Gen Cyber Defenders
QR Code Scams Surge 14-Fold; Organized Crime Now Involved
Data from the UK’s Action Fraud indicates a dramatic rise in quishing attempts, with 1,386 incidents reported in 2024 compared to just 100 in 2019 — a 14-fold increase. Recent findings from Hoxhunt further reveal that 22% of all phishing attacks now incorporate QR codes, while only 36% of employees can correctly identify them during simulations.
The proliferation of QR code phishing has drawn the interest of organized crime syndicates. Experts warn that there’s now a “hierarchy of criminals” in place, where low-level actors are paid to paste malicious QR codes in public areas, often unaware of the wider fraud scheme they’re enabling.
According to Katherine Hart from the Chartered Trading Standards Institute, victims have lost substantial sums — in some cases, their entire life savings — as a result of scanning fraudulent QR codes. “This isn’t petty crime anymore. These scams are financing serious criminal networks,” Hart stated.
A Call for Broader Awareness Beyond the Inbox
What makes quishing uniquely dangerous is its ability to bypass traditional cybersecurity measures. Physical QR codes placed in public operate entirely outside the digital perimeters guarded by antivirus software, email filters, or corporate firewalls.
Cybersecurity experts are urging a paradigm shift in public education. “Cybersecurity awareness isn’t just for the inbox anymore,” said one expert. “People must understand that any QR code — whether on a sticker, poster, or note — can be a vector for cyberattacks.”
Security professionals recommend avoiding QR codes in unfamiliar settings and verifying the legitimacy of any prompt before scanning. In the workplace, companies are encouraged to update training programs and simulate physical quishing attacks as part of routine security drills.
The emotional and psychological tactics behind the lamppost incident are part of a broader trend: attackers are blurring the lines between physical and digital deception, creating an urgent need for constant vigilance — in both online and offline environments.