Malicious QR stickers: when “scan to pay” becomes a phishing runway

2026-03-27

Summary: Security researchers and national cyber agencies have repeatedly warned that quishing—phishing delivered via QR codes—scales because humans cannot preview a URL the way they skim an email domain. In parking lots, cafés, and transit posters, attackers overlay cheap stickers on legitimate codes or replace entire signs overnight. The destination may harvest card numbers, install malware profiles, or route victims through credential portals that mimic brand UI.

Retailers that deploy QR for loyalty, parking payment, or feedback loops inherit physical security problems that pure-digital teams rarely model.

Figure 1: Physical tampering is low-tech for attackers but expensive to monitor at thousands of touchpoints.

Controls that actually help

Tamper-evident sleeves and branded frames make casual sticker swaps more obvious—not foolproof, but they raise the attacker's effort. Domain discipline matters just as much: teach customers to expect a first-party domain, not a random link shortener, whenever a code leads to a payment page.

Internally, rotate campaign URLs and give time-limited promos an expiry, so a stale or copied sticker stops resolving once the promo ends. Pair QR with NFC or printed human-readable URLs where regulation allows—redundant paths reduce single-point fraud.

What legitimate batch QR programs should document

  • Which domains are authorized to appear in encoded strings.
  • Who can create redirects and which MFA gates protect the dashboard.
  • Incident playbooks when a store reports “this poster goes somewhere weird.”
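The expiring campaign URLs recommended under "Controls that actually help" and the authorized-domain list in the first item of this checklist can be enforced in one place before a batch is printed. The Python below is an added example written for this page, not code from QRBatch or from any agency cited here; the hostnames, the shortener list, and the HMAC key are constructed placeholders, and the `campaign`, `exp` and `sig` query parameters are a hypothetical token format.

```python
"""Audit decoded QR payloads against an allowlist and mint expiring,
signed campaign URLs (added example; hypothetical batch-QR helper)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist: the only first-party hosts a batch program authorizes.
AUTHORIZED_HOSTS = {"pay.example-retail.com", "promo.example-retail.com"}
# Constructed sample of public shorteners: never acceptable for a payment flow.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Constructed demo key. A real program keeps this in a KMS/HSM, not in code.
SECRET = b"constructed-demo-key-do-not-reuse"


def audit_payload(payload: str) -> tuple[bool, str]:
    """Return (ok, reason) for one decoded QR string."""
    if not payload.lower().startswith("https://"):
        return False, "scheme is not https"
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if host in KNOWN_SHORTENERS:
        return False, f"shortener host {host}"
    # "https://pay.example-retail.com@evil.test/" parses with the trusted name
    # as userinfo and the real host hidden after the '@'.
    if parts.username or parts.password:
        return False, "userinfo in URL (host spoofing)"
    if host not in AUTHORIZED_HOSTS:
        return False, f"host {host} not in allowlist"
    return True, "ok"


def _token_sig(campaign: str, exp: int) -> str:
    """HMAC-SHA256 over the campaign id and its expiry timestamp."""
    msg = f"{campaign}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_campaign_url(campaign: str, ttl_seconds: int, now=None) -> str:
    """Build a first-party URL whose token expires ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    query = urlencode({"c": campaign, "exp": exp, "sig": _token_sig(campaign, exp)})
    return f"https://promo.example-retail.com/r?{query}"


def verify_campaign_url(url: str, now=None) -> tuple[bool, str]:
    """Server-side check: allowlisted host, intact signature, not expired.
    Returns (True, campaign) on success or (False, reason) otherwise."""
    now = int(time.time()) if now is None else now
    ok, reason = audit_payload(url)
    if not ok:
        return False, reason
    q = parse_qs(urlsplit(url).query)
    try:
        campaign, exp, sig = q["c"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed token fields"
    if not hmac.compare_digest(_token_sig(campaign, exp), sig):
        return False, "bad signature"
    if now > exp:
        return False, "expired"
    return True, campaign


if __name__ == "__main__":
    # Constructed sample of strings decoded from a print batch.
    batch = [
        "https://pay.example-retail.com/park?lot=12",
        "https://bit.ly/3xyz",
        "https://pay.example-retail.com@evil.test/login",
        mint_campaign_url("spring-latte", ttl_seconds=3600),
    ]
    for payload in batch:
        print(audit_payload(payload), payload)
```

Run the audit over every decoded string before a batch goes to the printer and again on each scan at the redirect endpoint; a sticker whose token has expired or whose signature no longer matches then fails closed instead of forwarding the customer.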
Figure 2: Consumer education is uneven—design flows that show the destination hostname before committing sensitive data.

Industry angle

QRBatch users generating thousands of codes for good-faith campaigns should still assume adversaries will copy the visual language of trust. Distinctive module patterns alone do not authenticate; server-side attestation and user-visible domain cues do.

Guidance

  • US FBI public service announcements on QR code fraud (search FBI scams and safety for current alerts).
  • UK NCSC and equivalent agencies publish advice on suspicious QR links—verify latest regional guidance.