Ever since the pandemic began, weâve gotten used to seeing those black-and-white squares everywhere. We scan them to view restaurant menus, pay for parking, or connect to Wi-Fi. Itâs convenient and fast, isnât it? Well, hackers in 2026 are banking on exactly that convenience.
The new scam is called Quishing (a combination of "QR" and "Phishing"). At Altanet Craiova, weâve noticed an increase in these attacks in public spaces, and we want to teach you how to tell the difference between a useful code and a dangerous trap.
What is Quishing and how does the "sticker attack" work?
Unlike complex viruses that require programming, Quishing is frighteningly simple and physical. The hacker doesnât hack the restaurantâs server. They simply print their own QR code on a sticker and stick it over the original code on the table or parking meter.
You take out your phone, scan the code on the table, convinced youâll see the daily menu, but youâre redirected to a fake site. There, youâre asked to âconfirm your ageâ by entering your Facebook details or to âpay a small feeâ by entering your card information. The moment you hit Enter, the hacker has everything.
Where are you most at risk?
Hackers choose crowded places where people are in a hurry and not paying attention:
- Public parking meters: This is the scammersâ favorite spot. They stick a fake sticker that says âScan here to pay for parking online.â The website looks identical to the cityâs official site, but your money ends up somewhere else.
- Restaurant menus: If the menu is taped directly to the table, check to see if thereâs another layer of paper taped over it.
- Bus poles and stops: Posters promising âPrize contestsâ or âFree Wi-Fiâ if you scan the code.
How to scan safely? (Golden rules)
You donât have to stop using technology, but you should be a little more suspicious. Hereâs what to do before you pick up your phone:
- The touch test: Before scanning, run your finger over the code. If you feel the edges of a sticker pasted over the original poster, DO NOT scan it. Notify the venue staff immediately.
- Check the link ("Preview"): Most modern phones show you a small text with the website address before opening it. If you scan a menu and the link is bit.ly/kjsd83 instead of restaurantname.ro, itâs a trap.
- Avoid direct payments via QR codes: If possible, use the official parking app or pay at the cashier. Itâs much safer than a website accessed via a code found on the street.
To see how widespread this phenomenon is and how authorities are responding, you can read the warnings issued by Kaspersky about the dangers of phishing.
Conclusion
A QR code is just a shortcut to a website. Just as you wouldnât click on a suspicious link received via text message, you shouldnât scan any suspicious code stuck on a pole. Stay vigilant and watch out for overlapping âstickers.â
Want to train your employees on physical and digital security risks? Our team offers comprehensive IT consulting and services for businesses. Visit our contact page and protect your business.
This material is part of Altanetâs educational series on digital security. Want to know what other risks youâre facing this year? See the complete list of cyber threats for 2026.
