Spotting and avoiding phishing and quishing scams

posted on Tuesday, November 18, 2025 in SHAZAM Blog

The world is in a constant state of communication. Between emails, texts and phone calls, we receive countless messages each day. Most of these are legitimate, but others are cleverly disguised to trick people into giving up their personal or financial information. Here’s how to spot and avoid quishing and phishing scams.

Phishing for information 

Phishing is when criminals send emails to “fish” for sensitive information like passwords, bank account numbers or debit card details. These messages often mimic legitimate companies or people you know or work with, and they create a sense of urgency. The email may claim you need to update payment information or confirm personal or financial information. Or it may include an invoice you don’t recognize with a link to a non-traditional way to pay.

At first glance, these emails look real — but odds are they’re not. They may also contain malicious links or attachments that lead to fake websites. 

Here are some common signs an email could be a scam: 

  • Unusual email address
  • Unexpected messages requesting money, log-in credentials or sensitive information
  • Suspicious links
  • Generic references or greetings
  • Misspelled words or messages with poor grammar

The hidden threat of quishing

Quick response — more commonly known as QR — codes are barcodes that can be scanned with a camera or code reader application. They’re widely used to store data such as URLs, product details or contact information. But they’re also used by malicious actors to trick people into giving up their personal and financial information.

Quishing, or QR phishing, is the use of a QR code to redirect a user to a malicious site or link to gain access to the user’s device or personal information. Tactics may include overlaying legitimate QR codes with malicious ones to trick users or relying on traditional phishing tactics such as a too-good-to-be-true deal with murky or falsified details. 

Once the user clicks on the malicious link, they may be prompted to download malware or other harmful software. This can compromise the device and expose sensitive data such as banking credentials, browser history or other mobile activity. 

Protecting yourself from quishing and phishing scams

Whether through a QR code, an email or a text message, bad actors use a variety of communication methods to trick people into sharing their personal or financial information.  

Here are some tips to protect yourself: 

  • Look out for typos and poor grammar
  • Watch out for a false sense of urgency
  • Avoid unusual requests or payment methods
  • Don't click suspicious links
  • Inspect QR codes before scanning to check for tampering or overlays

Stay ahead of fraud with SHAZAM resources

Quishing and phishing are just a couple of ways scammers use social engineering to obtain personal or confidential information. Remaining alert and cautious when interacting with QR codes, or any type of communication, is essential to safeguarding sensitive information. 

Educate your accountholders on how to spot the red flags through your communication channels. SHAZAM Power Marketing has a consumer fraud social media kit featuring a variety of professionally designed graphics and suggested posts to highlight current consumer fraud tactics to keep your accountholders safe from fraudsters. We can also assess the likelihood of your staff falling for one of these attacks. Our social engineering assessment can create a stronger defense to protect your institution, staff and accountholders’ information from being compromised. 

