
Tagesschau Warns of Quishing: How to Spot QR Code Fraud and Protect Yourself


Public broadcasters Tagesschau and rbb warn about quishing: fake QR codes on parking meters, charging stations and in deceptively real letters lead to phishing sites. Here is how to spot QR code fraud and protect your banking and credit card data.

What Tagesschau Reports About Quishing

German public broadcaster Tagesschau, together with rbb (Rundfunk Berlin-Brandenburg), has published an in-depth guide on QR code fraud. The core message: a seemingly harmless scam called 'quishing' is spreading rapidly – and it no longer targets only online users, but anyone who scans a QR code in everyday life.

'Quishing' is a combination of 'QR code' and 'phishing'. Criminals place manipulated QR codes exactly where people trust them blindly: on parking meters, at EV charging stations, on restaurant tables, in emails and even in deceptively authentic letters from banks and public authorities. Scan the code and you land not on the real site but on a perfectly cloned phishing page that harvests login, banking and credit card data.

The tricky part: no one can tell where a QR code leads just by looking at it. That is precisely why quishing is virtually impossible for the human eye to detect – the fraud is often noticed only once the money is already gone.

How the QR Code Scam Works

  1. Criminals build a deceptively authentic copy of a well-known website – for example a parking app, a charging-station operator or online banking.
  2. They generate a QR code that points to this fake site and print it as a sticker or as an official-looking letter.
  3. The fake code is stuck over the original – on parking meters, charging stations or notices – or sent by letter and email.
  4. The victim scans the code to pay quickly or to handle a supposed request, and enters their data on the fake page.
  5. With the stolen access and payment data, the perpetrators drain accounts, trigger debits or sell the identity on the dark web.

Warning Signs: How to Spot Quishing

QR Code Stuck Over Another

A sticker placed over another code, peeling at the edges or sitting crookedly is highly suspicious. Genuine QR codes are usually printed or engraved – not stuck on afterwards.

Unexpected Request for Data

If, after scanning, you are unexpectedly asked for login data, PIN, TAN or credit card details, alarm bells should ring. Reputable providers never request this without prior authentication.

Different or Cryptic URL

Check the address in the scan preview before opening it. Typo domains, unfamiliar domain endings or cryptic character strings in place of the familiar brand name are a clear sign of fraud.
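The same preview check can be automated for a decoded QR payload. The following is an added example, not code from Tagesschau, rbb or QRTrust; the operator domain `parkpay.example`, the function names and the warning labels are assumptions made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_url(url, expected_domains):
    """Return warning labels for a decoded QR payload (empty list = nothing flagged)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username or parts.password:
        # "https://brand@other-host/" displays the brand but connects to other-host
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")  # possible homoglyph domain
    if any(host == d or host.endswith("." + d) for d in expected_domains):
        return warnings  # host is the expected domain or one of its subdomains
    warnings.append("unexpected-domain")
    for d in expected_domains:
        # Compare the rightmost labels of the host with the expected domain.
        tail = ".".join(host.split(".")[-len(d.split(".")):])
        if edit_distance(tail, d) <= 2:
            warnings.append("lookalike-of:" + d)      # typo domain
        elif d.split(".")[0] in host:
            warnings.append("brand-in-foreign-host:" + d)
    return warnings

# Constructed sample payloads, as a scanner would decode them from a sticker.
EXPECTED = ["parkpay.example"]
for sample in ("https://parkpay.example/pay?m=17",
               "https://parkpav.example/pay",
               "https://parkpay.example.pay-secure.test/login",
               "http://192.0.2.10/pay"):
    print(sample, "->", inspect_qr_url(sample, EXPECTED))
```

An empty result only means none of these heuristics fired; it does not prove the destination is genuine.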

Time Pressure and Threats

'Final reminder', 'account will be blocked' or 'act now': anyone putting you under pressure wants to stop you from thinking. Real banks and authorities never demand payment via QR code under time pressure.

Why Quishing Is Rising Especially in Metro Areas Like Berlin

In big cities like Berlin the QR code is part of daily life: parking tickets by app, tickets for public transport and rail, restaurant menus, charging the EV or e-scooter. This high QR density is exactly what makes metro areas attractive to criminals – a single fake sticker on a busy parking meter reaches hundreds of potential victims per day. Police and consumer protection agencies record rising case numbers nationwide; documented cases range from Berlin and Brandenburg through Hannover, Frankfurt and Cologne to Dortmund. In one case documented by the Brandenburg Consumer Center, scanned payment links triggered unwanted PayPal payments of over 3,000 euros.

How to Protect Yourself from Quishing

  • Only scan QR codes when the source is clearly trustworthy – and check stickers on machines and charging stations for tampering.
  • Check the URL in the scan preview before you open the page. When in doubt, type the address into the browser manually instead of using the code.
  • Never enter login, banking or credit card data on a page you reached via a QR code.
  • For banking and payments, use only the official app or the web address you typed in yourself – never a QR code from a letter, email or sticker.
  • Keep your smartphone operating system up to date.
  • If you have already become a victim: notify your bank, block the card via the emergency hotline 116 116 and file a report with the police (110).

QRTrust: Check the QR Code Before the Damage Is Done

This is exactly where QRTrust comes in: instead of trusting a QR code blindly, you check it before the destination page opens. Our 6-layer analysis matches every URL in real time against PhishTank, Google Safe Browsing, a local threat database and our own AI – following up to five redirects to the real destination.

That way you see a phishing page before you reveal your data. The exact gap that Tagesschau describes – that you cannot tell where a QR code leads – is the gap QRTrust closes. 100% GDPR compliant, hosted in Germany.
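Why the redirect chain matters can be shown with a small offline model. This is an added example, not QRTrust's implementation; the redirect table, the blocklist and all host names are constructed, and only the five-hop limit is taken from the text above.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # hop limit stated in the text above

# Constructed table standing in for HTTP 3xx Location headers.
REDIRECTS = {
    "https://short.example/a1": "https://track.example/r?id=9",
    "https://track.example/r?id=9": "/landing",  # relative Location
    "https://track.example/landing": "https://parkpay-login.test/pay",
    "https://loop.example/x": "https://loop.example/y",
    "https://loop.example/y": "https://loop.example/x",
}
BLOCKLIST = {"parkpay-login.test"}  # constructed local threat list

def resolve_chain(url, lookup=REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow redirects from url; return (chain of URLs, status)."""
    chain, seen = [url], {url}
    while True:
        location = lookup(chain[-1])
        if location is None:
            return chain, "final"
        if len(chain) > max_hops:  # max_hops redirects already followed
            return chain, "too-many-redirects"
        nxt = urljoin(chain[-1], location)  # resolve relative targets
        if nxt in seen:
            return chain, "redirect-loop"
        chain.append(nxt)
        seen.add(nxt)

def verdict(url, **kwargs):
    """Classify a scanned URL by every host on its redirect chain."""
    chain, status = resolve_chain(url, **kwargs)
    if status != "final":
        # The real destination is unknown, so do not report it as clean.
        return "suspicious:" + status
    hit = next((h for h in (urlsplit(u).hostname for u in chain)
                if h in BLOCKLIST), None)
    return "blocked:" + hit if hit else "no-match"

print(verdict("https://short.example/a1"))  # shortener hides the final host
print(verdict("https://loop.example/x"))
```

A check of only the first URL would report the shortener's host; the blocklisted host appears three hops later.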


*About QRTrust: QRTrust is Germany's first QR code security platform, developed in Dortmund. With AI-powered real-time detection, QRTrust protects citizens and businesses from quishing attacks. 100% GDPR compliant, hosted in Germany.*
