Don’t Scan That QR Code
“Quishing” is a newer form of phishing that uses QR codes instead of dodgy links. The scam works like this: you scan a QR code – on a flyer, an email, or even a social media post – thinking it’ll take you somewhere safe. Instead, it redirects you to a malicious site designed to steal your login details, seed phrase, or trick you into making a payment.
In Australia, QR codes have become a common part of everyday life since COVID check-ins. Scammers know we’re used to pointing our phone cameras at a square barcode without thinking twice. That trust is what makes quishing effective.
Why Crypto Investors Are a Prime Target
Crypto investors are especially vulnerable to quishing for a few reasons:
- Seed phrase theft: Fake wallet recovery sites or “airdrop claim” pages ask you to enter your recovery phrase. Game over if you do.
- Exchange login traps: Scammers clone the login page of major Australian exchanges like CoinSpot, Swyftx, or Independent Reserve to harvest credentials.
- Malware installs: Some QR codes prompt you to download a malicious “wallet app” or browser extension.
- Payment redirection: QR codes on invoices or billboards may be swapped with codes that redirect payments to scammer wallets.
One Australian SMSF trustee recently reported seeing QR codes placed over legitimate hardware wallet support stickers. Scammers are betting you won’t notice.
Red Flags to Watch For
- QR codes from unknown emails, flyers, or unsolicited messages.
- Codes that take you to a URL that looks “off” – extra letters, unusual domains (.top, .xyz).
- Being asked to “urgently recover” or “verify” your wallet.
- Free crypto or airdrops that require your private keys.
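The URL red flags above can be checked mechanically before you tap the link. Most scanner apps show the decoded text first; the script below, an added example that is not part of the original article, takes that text and lists reasons to be suspicious: plain HTTP, an `@` that hides the real host, raw IP addresses, punycode or accented look-alike hostnames, the unusual TLDs named above, link shorteners, brand names that do not resolve to the expected exchange domain, and pressure words such as "recover" or "verify" in the path. The exchange domains in `EXPECTED_HOSTS` are assumptions for illustration and should be confirmed from each exchange's own published material; the TLD, shortener and wording lists are constructed here. An empty result means nothing obvious was found, not that the link is safe.

```python
"""Check the text decoded from a QR code for common phishing red flags.

Added example, not from the original article. Paste in what your QR
scanner shows you; the function returns reasons to be suspicious rather
than a verdict. An empty list is not proof of safety.
"""
import unicodedata
from urllib.parse import urlparse

# ASSUMPTION: illustrative map of brand keyword -> host you expect to land on.
# Confirm the real domains from the exchange's own site before relying on this.
EXPECTED_HOSTS = {
    "coinspot": "coinspot.com.au",
    "swyftx": "swyftx.com",
    "independentreserve": "independentreserve.com",
}
# TLDs the article calls out as unusual, plus others often seen in abuse (constructed list).
SUSPICIOUS_TLDS = {"top", "xyz", "tk", "ml", "ga", "cf", "gq", "zip", "mov"}
# Shorteners hide the destination until you have already followed the link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Pressure wording from the article's red flags, matched in the path and query.
URGENCY_WORDS = ("recover", "verify", "airdrop", "claim", "seed")
_LEET = str.maketrans("0135", "oles")  # so "c0inspot" compares as "coinspot"


def fold_host(host: str) -> str:
    """Decode punycode and strip accents so 'cöinspot' compares as 'coinspot'."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # raw Unicode hostname or malformed label; fold what we have
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(_LEET)


def check_qr_url(url: str) -> list[str]:
    """Return the red flags found in a decoded QR payload (empty list = none found)."""
    flags = []
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        flags.append(f"not a plain web link (scheme '{scheme}'); app and payment URIs can act without a further prompt")
    elif scheme == "http":
        flags.append("no TLS (http://): a login or wallet page should never load over plain HTTP")
    if parsed.username is not None:
        flags.append("'@' in URL: the text before it is decoration, the real host is after it")
    host = (parsed.hostname or "").lower()
    if not host:
        flags.append("no hostname could be parsed")
        return flags
    if "xn--" in host or not host.isascii():
        flags.append("internationalised hostname: letters may be look-alikes of a real brand")
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a domain name")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"unusual top-level domain .{tld}")
    if host in SHORTENERS:
        flags.append("link shortener: destination is hidden until you follow it")
    folded = fold_host(host)
    for brand, real_host in EXPECTED_HOSTS.items():
        looks_like_brand = brand in folded.replace("-", "")
        is_real = folded == real_host or folded.endswith("." + real_host)
        if looks_like_brand and not is_real:
            flags.append(f"mentions '{brand}' but is not {real_host}")
    tail = (parsed.path + "?" + parsed.query).lower()
    hits = [w for w in URGENCY_WORDS if w in tail]
    if hits:
        flags.append("pressure wording in link: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    # Constructed sample payloads, not real scans.
    for sample in (
        "https://coinspot.com.au/login",
        "https://coinspot-secure.top/recover?wallet=1",
        "https://coinspot.com.au@evil.example/",
        "http://203.0.113.5/claim",
    ):
        print(sample, "->", check_qr_url(sample) or ["no obvious red flags"])
```

The brand check runs on the folded hostname, so `c0inspot.xyz`, `coinspot.com.au.top` and a punycode `cöinspot.com` are all reported as mentioning the brand without being the expected host, while a genuine subdomain of the expected host is not.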
If You’ve Scanned a Dodgy QR
- Stop entering information: If you’ve scanned and landed on a login or wallet page, close it immediately.
- Change passwords: If you entered exchange credentials, change them straight away.
- Enable 2FA (Two-Factor Authentication): Use an authenticator app, not SMS, to add a security layer.
- Move your funds: If your wallet seed phrase was exposed, transfer assets to a brand-new wallet immediately.
- Scan your device: Run antivirus or mobile security software to check for malware.
- Report it: Lodge a report with Scamwatch and your exchange’s support team.
What To Do If Compromised
If you suspect your crypto has already been stolen:
- Cut off the compromised wallet: Never reuse a wallet once its seed phrase is exposed.
- Preserve records: Save screenshots, transaction hashes, and the QR code if possible. This helps with investigations and audit compliance (especially if you’re running an SMSF).
- Report to authorities: Notify Scamwatch and the Australian Cyber Security Centre (ACSC). Your exchange may also be able to flag addresses.
- Review your security layers: Consider using a hardware wallet, setting a passphrase, and keeping backups on steel plates or offline.
Security Check
- Device: Is your phone running security updates?
- Wallet: Is your recovery phrase offline and never typed into a website?
- Backups: Do you have multiple secure copies?
- Recovery: Have you tested moving funds from backup?
The Final Buzz
QR codes aren’t bad technology – they’re just another attack surface. Scammers are counting on Australians to scan without thinking. For crypto investors, a moment’s inattention can cost thousands.
Lock it down: verify QR codes before scanning, double-check URLs, and never type your seed phrase into a website.
Stay safe. Stay smart. Be Crypto Safe.
Education is your best defence. Unlock member-only guides, checklists, and tools designed to protect your crypto, stay safe and be compliant.