QR codes have long been part of everyday life: they make it easier to open websites, pay by smartphone or access digital content. This convenience is also a structural risk. Criminals use manipulated QR codes to steal personal data, harvest login credentials or authorize bank transactions – a phenomenon that now has its own name: quishing (a combination of “QR” and “phishing”). Quishing leads to considerable financial losses, particularly on classified ad platforms and in private transactions.
This article explains how manipulated QR codes and quishing work, why conventional protection mechanisms such as two-factor authentication (2FA) are not always sufficient, what legal problems arise from this and how those affected can effectively protect themselves and act in a legally correct manner.
How does quishing work technically and psychologically?
A QR code is technically nothing more than an encoded URL. As soon as a smartphone scans it, a link is opened – without the target address being visible beforehand. Attackers exploit this behavior by generating QR codes that point to deceptively genuine fake websites. After scanning, victims often uncritically open a page that appears authentic and enter login credentials, TAN codes or personal information. In many cases, the perpetrators go one step further and use social engineering: they create pressure situations (“release the payment, otherwise the offer will expire”) to force a 2FA confirmation.
In classic phishing, manipulated emails with links are sent. In quishing, on the other hand, the “link” is already distributed as a QR code – via messengers, advertising portals, printed flyers, stickers in public places or direct correspondence. As a result, quishing attacks take place in situations in which users subjectively assess the source as “safe”, e.g. in chats with supposed buyers/sellers or via personal messages.
Typical attack scenarios – especially with classified ads
The risk is particularly pronounced in classified ad trading and other peer-to-peer transactions. Several factors come into play here:
- First, a seemingly legitimate contact is established, for example in a chat on a popular platform.
- The alleged buyer or seller sends a QR code claiming that this is the official payment link, a shipping label or a verification process.
- The victim scans and is taken to a deceptively genuine login page that mimics the login to a payment service, for example.
- After entering access data or confirming a transaction, data is transferred to the perpetrators or payment is unintentionally authorized.
A particular criminal logic can be observed in the context of classified ads: the QR code is used to create a supposed legitimacy (“This is the secure payment page”), although there is no connection to the actual platform at all. This often results not only in financial losses, but also in identity fraud and account takeovers.
Two-factor authentication (2FA): Protection mechanism with limits
Two-factor authentication is often referred to in legal and security advice. 2FA is intended to ensure that access is only possible with two independent proofs, such as a password and an additional code or a push confirmation.
In principle, 2FA reduces the risk that a stolen password is enough to gain unauthorized access to an account. In practice, however, there are two weak points:
- Social aspect: if the user is prompted on a fake page to approve the transaction, they consciously and actively confirm it, albeit under deception. The 2FA mechanism is therefore not “circumvented”: the victim carries it out themselves.
- Technical characteristics of 2FA: resistance to phishing differs depending on the type of second factor:
  - With SMS TANs or time-based app codes, the code the user generates can simply be typed into a fake page, because nothing ties it to the site it was meant for.
  - Push confirmations in banking apps are particularly tricky: they appear on the legitimate device and are often confirmed without the user fully understanding the consequences.
Only 2FA methods with cryptographic binding to the legitimate domain (e.g. security keys according to the FIDO standard) significantly reduce this risk. However, many services do not yet support them across the board.
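The difference between a code-based second factor and a domain-bound one, shown as a small model in Python. This is an added illustration, not code from the article and not a real WebAuthn implementation: the domains, the shared HMAC key standing in for a FIDO key pair, and the client-data layout are simplified assumptions. The point it makes is the one above: a verifier of a six-digit code never learns which page the code was typed into, whereas an origin-bound assertion carries the page origin inside the signed data, so the legitimate service can reject one produced on a look-alike site.

```python
"""Model of why a one-time code survives a fake login page but an
origin-bound (FIDO-style) assertion does not.
Added illustration; domains, keys and data layout are assumptions."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://bank.example"       # assumed legitimate site
FAKE_ORIGIN = "https://bank-login.example"  # constructed look-alike page


# --- factor 1: SMS/TOTP-style code ----------------------------------------
# The verifier only sees the digits; it cannot know on which page the
# user typed them, so a code entered on a fake page is indistinguishable
# from one entered on the real site.
def verify_code(submitted: str, expected: str) -> bool:
    return hmac.compare_digest(submitted, expected)


# --- factor 2: origin-bound assertion (FIDO/WebAuthn style) ---------------
# Simplified: HMAC over (challenge, origin) instead of a per-site
# asymmetric key pair; the binding property is what matters here.
def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """What the user's device produces. The browser fills in `origin`
    from the page the user is actually on; the user cannot change it."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
    ).encode()
    signature = hmac.new(key, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: the signature must verify AND the signed
    origin must be the legitimate one (the domain binding check)."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != LEGIT_ORIGIN:
        return False
    if bytes.fromhex(data["challenge"]) != challenge:
        return False
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    key = secrets.token_bytes(32)       # registered at enrolment (assumed)
    challenge = secrets.token_bytes(16)  # fresh per login attempt
    code = "482913"                      # constructed code shown by the app

    results = {}
    # The code typed into the fake page reaches the verifier unchanged.
    results["otp_via_fake_page"] = verify_code(code, code)
    # Assertion made while the user is really on the bank's site.
    results["fido_on_real_site"] = verify_assertion(
        key, challenge, authenticator_sign(key, challenge, LEGIT_ORIGIN))
    # Same device, same key, but the page is the look-alike: origin differs.
    results["fido_on_fake_page"] = verify_assertion(
        key, challenge, authenticator_sign(key, challenge, FAKE_ORIGIN))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running it prints that the relayed code is accepted while the assertion from the look-alike origin is rejected; this is the property the article means by “cryptographic binding to the legitimate domain”, and it holds independently of how convincing the fake page looks to the user.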
Prevention strategies: security beyond technical mechanisms
Technical protective measures are important, but not sufficient. Legal advice and cybercrime prevention therefore rely on a combination of technology, awareness and process rules:
- QR codes should always be treated as external links. If possible, the target URL should be checked before opening, e.g. by means of a preview or by using a QR scanner that enables a URL preview.
- When making money transactions, it is a duty of care to only initiate payments via the official sites or apps of the payment service or platform in question.
- Confirming a 2FA request should not be a knee-jerk reaction, but should always be done by checking the specific purpose, the transaction details and the context.
- “Off-platform” links should always be avoided. Reputable providers offer their own protected workflows.
- In public spaces, manipulated QR codes may be stuck over genuine ones (so-called “overstickers”). Signs such as a visible second layer, crooked placement or a sticker that has obviously been added afterwards are warning signals.
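The first and fourth rules above (treat every QR code as an external link, avoid “off-platform” links) can be turned into a concrete pre-opening check. The following is an added example, not code from the article: it takes decoded QR payloads as a scanner app would return them and decides whether the target is one the user actually expects. The expected domains, the shortener list and the sample payloads are constructed assumptions; the brand-name heuristic is deliberately simple.

```python
"""Check decoded QR payloads before opening them: is this a web link at
all, is it HTTPS, and does it really lead to the service the user expects?
Added example; domains, samples and the shortener list are assumptions."""
from urllib.parse import urlsplit

# Domains the user expects for this particular transaction (assumed).
EXPECTED_DOMAINS = {"pay.example", "marketplace.example"}
# Shorteners hide the real target until it is too late (illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains."""
    return host == domain or host.endswith("." + domain)


def inspect_payload(payload: str) -> dict:
    """Return the warning findings for one decoded QR payload.
    `open` is True only when nothing suspicious was found."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # wifi:, tel:, mailto:, app schemes ... anything but a web link
        findings.append(f"non-web payload ({scheme or 'no scheme'})")
        return {"payload": payload, "open": False, "findings": findings}

    host = (parts.hostname or "").lower()
    if scheme != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # "https://brand@other-host/": the brand name is only the userinfo
        # part; the browser will actually connect to `host`.
        findings.append(f"credentials-in-URL trick: real host is {host}")
    if host in SHORTENERS:
        findings.append("link shortener hides the real target")

    if not any(host_matches(host, d) for d in EXPECTED_DOMAINS):
        # Heuristic: the brand label appears in the host, but the host is
        # not the real domain (e.g. pay-example-secure.test).
        lookalike = [d for d in EXPECTED_DOMAINS if d.split(".")[0] in host]
        if lookalike:
            findings.append(f"look-alike of {lookalike[0]}: {host}")
        else:
            findings.append(f"unexpected host: {host}")
    return {"payload": payload, "open": not findings, "findings": findings}


# Constructed sample payloads, as a QR scanner would return them.
SAMPLES = [
    "https://pay.example/checkout/123",           # genuine, expected
    "http://pay.example/checkout/123",            # right host, no TLS
    "https://pay.example@pay-verify.test/login",  # userinfo trick
    "https://pay-example-secure.test/login",      # look-alike host
    "https://bit.ly/3xyz",                        # shortener
    "WIFI:T:WPA;S:FreeWifi;P:pass;;",             # not a web link at all
]


def run(samples=SAMPLES) -> list:
    return [inspect_payload(p) for p in samples]


if __name__ == "__main__":
    for result in run():
        verdict = "OK to open" if result["open"] else "DO NOT OPEN"
        print(f"{verdict:12} {result['payload']}")
        for f in result["findings"]:
            print(f"             - {f}")
```

Only the first sample passes; every other one produces at least one finding. The check stands in for what the article asks the user to do by hand with a preview-capable scanner: read the actual host before the browser follows the link, and go back to the official app or website whenever the host is not the one the transaction is supposed to run through.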
These measures not only have a technical effect, but are also legally relevant. In any liability or reimbursement proceedings, the extent to which the person concerned was able to recognize the typical warning signals or whether they breached their duty of care will be examined.
Legal classification: reimbursement, liability and gross negligence
If an unauthorized payment flow occurs, the legal basis is primarily found in payment services and banking law, in particular in Sections 675u et seq. BGB (German Civil Code). The claim for reimbursement of unauthorized payments is generally based on Section 675u BGB. The refund rule stipulates that the payment service provider must refund the amount without delay if the payment was not authorized by the payer.
At the same time, Section 675v BGB allows the payment service provider to reduce or refuse liability in the event of gross negligence on the part of the customer. Whether behavior is to be classified as grossly negligent depends on the specific individual case. The sparse case law in this area regularly emphasizes that obvious security breaches or ignoring warnings constitute a grossly negligent breach of duty.
This means for those affected: Even if technical manipulations are present, the question in the event of a dispute is not decided solely on the existence of deception, but on whether the security breach was objectively recognizable and whether the person concerned violated the usual standards of care. Careful documentation of the incident and the person’s own actions is crucial here.
What to do if you are affected?
In the event of an actual or suspected quishing attack, a structured approach is recommended:
- Stop transaction immediately: Suspend payment transactions, change access data, update relevant passwords.
- Inform bank/payment service provider: Arrange for accounts and cards to be blocked.
- Apply for reimbursement and provide legally binding documentation: Timely written declaration to the payment service provider, with evidence if necessary.
- Press charges: file a criminal complaint with the police for fraud or phishing/quishing; secure evidence.
- Communication with the platform: Inform providers of classified ads/web services to prevent further damage.
This procedure not only serves to limit damage, but can also be of decisive importance in the context of later legal disputes.
Conclusion
The combination of visual credibility, mobile convenience orientation and lack of URL transparency makes manipulated QR codes and quishing a real threat – especially in contexts where transactions take place between private individuals. Traditional security mechanisms such as two-factor authentication are important, but they are no substitute for critical examination, conscious action and demanding rules of conduct.
In case of doubt, it is advisable to only process transactions via official workflows and not to scan in the event of ambiguities, but to act directly via the app or browser. In an emergency, those affected should act quickly in order to protect legal claims and professionally clarify potential liability issues.