A new and troubling cybercrime tactic has emerged. This week, security experts found handwritten QR code notes taped to public lampposts. These notes appear to be part of a social engineering campaign designed to trick people into scanning malicious QR codes.
One note read: “John, I know you are cheating on me,” followed by a QR code and the message, “here’s the proof it would be worthwhile for everyone to see.” This method uses emotional manipulation to push people into scanning the code.
What Is Quishing?
This tactic is known as quishing, a form of phishing that uses QR codes instead of links in emails. By placing these codes in public, cybercriminals are blending real-world bait with digital traps.
Unlike email-based attacks, these QR codes bypass most security systems. They rely on psychological tricks like curiosity, jealousy, and fear to make people scan without thinking.
Alarming Growth in QR Code Phishing
The use of QR codes in phishing attacks has surged. According to Action Fraud, there were 1,386 QR code scam reports in 2024, up from just 100 in 2019—a fourteen-fold increase.
Data from Hoxhunt shows that 22% of phishing attacks now involve QR codes. Alarmingly, only 36% of employees can spot and report fake QR phishing during simulations.
“Quishing is essentially a form of phishing that cleverly uses QR codes to trick users into visiting malicious websites,” cybersecurity experts explain.
Real-World Psychological Manipulation
The lamppost attack uses emotional hooks to provoke quick action. People often scan without questioning the source, especially when emotional triggers are involved.
Katherine Hart of the Chartered Trading Standards Institute warns that these scams have caused severe financial loss: “We’ve seen huge amounts lost this way. People have seen their life savings gone.”
Some individuals involved in placing QR codes might not even understand they are helping criminal operations. Experts say organized crime is now deeply involved in quishing, creating layers within these networks.
Why This Is So Dangerous
Unlike email scams that can be filtered by security software, QR codes placed on walls or poles are invisible to digital defenses. Victims engage with them voluntarily, often with their phones.
In 2025, quishing attacks rose by 25% and now account for 1 in 8 credential theft attempts. The move from email to real-world placements marks a shift in how cybercriminals operate.
A Call for Public Awareness
Experts say this incident shows that cybersecurity education must evolve. One analyst noted: “Cybersecurity awareness isn’t just for the inbox anymore.” People need to think twice before scanning any QR code, no matter how convincing it seems.
As cybercriminals blend physical and digital tactics, being alert in all environments has become a crucial part of staying safe online.
Public awareness campaigns, workplace training, and common-sense caution can help reduce the effectiveness of these attacks. Never scan QR codes from unknown or suspicious sources, especially in public areas.
