ibanchecker.cash
Fraud & Compliance · June 23, 2026 · 8 min read

Quishing: How QR-Code Payment Scams Redirect Money to the Wrong IBAN

Quishing hides a fraudulent IBAN inside a payment QR code, so the transfer your banking app pre-fills goes to the attacker. Learn how QR payment scams work and how to verify a code before you pay.

Koray Köylü

Founder, ibanchecker.cash


Quishing is QR-code phishing: the practice of hiding a malicious link or a fraudulent payment instruction inside a QR code so that the victim, who cannot read the encoded data with the naked eye, scans it and is taken straight to a scam page or a pre-filled payment to the attacker's account. In June 2026, Google's fraud and scams advisory named QR-code scams as one of the fastest-growing consumer threats of the year. For anyone who pays an invoice, a parking meter, or a payment request by scanning a code, the risk is concrete: the IBAN your banking app pre-fills may not be the one you think you are paying. This guide explains how payment quishing works, why it slips past normal scrutiny, and how to verify a code before you confirm the transfer.

What Is Quishing and Why Did It Surge in 2026?

Quishing is a contraction of QR and phishing. Instead of a clickable link in an email or SMS, the attacker delivers a QR code. The destination is opaque until the moment of scanning, and most smartphones open it with a single tap. That combination, opacity plus frictionless scanning, is exactly why the technique works: the habits people use to scrutinise a suspicious URL never get a chance to engage.

The vector grew through 2025 and accelerated in 2026 as QR codes became a normal way to pay. Industry phishing reports now attribute a meaningful and rising share of all phishing to QR codes, and government agencies including the FBI and the US Postal Inspection Service have issued standing warnings about fraudulent codes placed on parking meters, restaurant tables, shipping notices, and fake official notices. Google's June 2026 advisory placed QR-code scams alongside AI voice cloning and deepfakes as a defining fraud trend of the year.

How Does a QR Code Send Money to the Wrong IBAN?

In Europe, the payment-specific form of quishing exploits the EPC QR code (also called a GiroCode). The EPC069-12 standard, defined by the European Payments Council, encodes a complete SEPA Credit Transfer inside the code: the beneficiary name, the IBAN, the BIC, an amount, and a payment reference. When a banking app scans a valid EPC QR, it pre-fills the entire transfer form so the payer only has to confirm.

That convenience is the attack surface. A malicious EPC QR simply encodes the attacker's IBAN and name in place of the legitimate beneficiary. The most common delivery methods:

  • Sticker overlay: A fraudulent QR sticker is placed over the genuine code on a parking meter, an EV charger, a restaurant bill, or a charity collection poster. Everything else looks normal.
  • Fake invoice or payment request: An attacker who has compromised an email thread sends an invoice with a QR code that says "scan to pay." The visible invoice may even show the correct IBAN in text, while the QR encodes a different one.
  • Bogus official notice: A letter, email, or parcel insert imitating a tax office, court, or utility tells the recipient to scan a code to settle a small fee or fine quickly.

Because the banking app trusts the encoded data, the payer sees a plausible amount and a plausible reference and confirms. The funds move to the attacker's IBAN. This is the same outcome as classic IBAN spoofing, but the substitution happens inside a code the victim never reads.

Why Doesn't the Bank Catch a Malicious Payment QR?

A QR code is not signed or certified. There is no central authority that vouches for what a payment code contains, and a banking app cannot tell a genuine EPC QR from a fraudulent one because both are structurally identical. The attacker's IBAN is a real, structurally valid IBAN: it passes the MOD-97 check, belongs to a real country, and routes to a real account, one the attacker controls.

Two newer controls help, but neither is a complete shield. Since 9 October 2025, the EU Instant Payments Regulation requires euro-area banks to offer Verification of Payee (VoP), an IBAN-to-name match performed before the transfer is authorised. If the name you expect does not match the account behind the IBAN, you get a "no match" warning. VoP is a strong defence against a swapped IBAN, but only when the payer actually reads the name field and the warning, and it covers euro credit transfers rather than every payment type.

How Do I Verify a Payment QR Code Before I Pay?

Treat a scanned payment the way you would treat a bank-detail change request from a supplier: confirm it out of band before money moves. Practical checks:

  1. Read the pre-filled fields, do not just tap confirm. After scanning, your app shows the beneficiary name, IBAN, amount, and reference. Check that the name and IBAN match the party you intend to pay. A mismatched or unfamiliar beneficiary name is the single clearest warning sign.
  2. Validate the IBAN the code pre-filled. Paste it into the ibanchecker.cash IBAN checker to confirm the country and the bank behind it. If the code claims to pay a German supplier but the IBAN resolves to a bank in another country, stop.
  3. Inspect the physical code. A sticker placed over another code, a code that looks freshly printed on an otherwise worn sign, or a code taped onto a poster are all red flags. Many parking and charging operators have stopped using on-device QR codes for exactly this reason.
  4. Never scan a code from an unexpected letter, parcel, or email that pressures you to pay a fee or fine quickly. Go to the organisation's official website or app and pay there instead.
  5. Heed the Verification of Payee result. If your bank returns "no match" or "close match," do not override it without confirming the beneficiary through a trusted channel.
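
Steps 1 and 2 above, applied to the EPC069-12 field layout described earlier, as an added example (not code from ibanchecker.cash): it parses a decoded payload, runs the MOD-97 check, and compares the encoded beneficiary with the details printed on the invoice. The function names and both payloads are constructed for illustration; the IBANs are public documentation samples.

```python
import re

# EPC069-12 payload: one field per line, in this fixed order.
FIELDS = ("service_tag", "version", "charset", "identification", "bic",
          "name", "iban", "amount", "purpose", "reference", "text", "info")

def parse_epc(payload: str) -> dict:
    """Split a decoded EPC QR payload into named fields."""
    lines = [ln.strip() for ln in payload.splitlines()]
    if len(lines) < 7 or len(lines) > len(FIELDS):
        raise ValueError("not an EPC payload: wrong number of lines")
    rec = dict(zip(FIELDS, lines + [""] * (len(FIELDS) - len(lines))))
    if rec["service_tag"] != "BCD" or rec["identification"] != "SCT":
        raise ValueError("not an EPC SEPA credit transfer code")
    rec["iban"] = rec["iban"].replace(" ", "").upper()
    return rec

def iban_mod97_ok(iban: str) -> bool:
    """Move the first 4 chars to the end, map A=10..Z=35, require mod 97 == 1."""
    iban = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    digits = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    return int(digits) % 97 == 1

def check_payment(payload: str, printed_name: str, printed_iban: str) -> list:
    """Return warnings for a scanned code versus the invoice's printed details."""
    rec, warnings = parse_epc(payload), []
    expected = printed_iban.replace(" ", "").upper()
    if not iban_mod97_ok(rec["iban"]):
        warnings.append("IBAN fails MOD-97")
    if rec["iban"][:2] != expected[:2]:
        warnings.append("IBAN country differs from printed IBAN")
    if rec["iban"] != expected:
        warnings.append("IBAN differs from printed IBAN")
    if rec["name"].casefold() != printed_name.strip().casefold():
        warnings.append("beneficiary name differs from printed name")
    return warnings

# Constructed sample payloads (not taken from any real invoice).
GENUINE = ("BCD\n002\n1\nSCT\n\nExample Supplier GmbH\n"
           "DE89370400440532013000\nEUR120.00\n\n\nInvoice 1042")
SWAPPED = GENUINE.replace("DE89370400440532013000", "NL91ABNA0417164300")

if __name__ == "__main__":
    printed = ("Example Supplier GmbH", "DE89 3704 0044 0532 0130 00")
    for label, code in (("genuine", GENUINE), ("swapped", SWAPPED)):
        print(label, check_payment(code, *printed))
```

The swapped payload raises no MOD-97 warning, because the substituted IBAN is structurally valid; only the comparison against the printed details flags it.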

How Can Businesses Issue QR Codes Customers Can Trust?

Quishing erodes trust in every payment QR, including the legitimate ones businesses rely on. If you put a code on an invoice or a payment request, you can reduce the room for a swap by making your authentic code easy to reproduce and verify:

  • Generate the code from your real payment data yourself. Use the IBAN QR Code generator to build an EPC payment QR (GiroCode) from your own IBAN, beneficiary name, amount, and reference. Every code it produces is built from data you control and passes our live validator before it is shown.
  • Always print the IBAN and beneficiary name in plain text next to the code. A customer who can compare the scanned beneficiary against the printed one has a built-in cross-check. The EPC beneficiary field must be the account holder, never the bank.
  • Distribute codes through tamper-evident channels. A QR embedded in a digitally issued PDF invoice is harder to overlay than a printed sticker in a public place.
  • Validate supplier IBANs in bulk before payment runs. Run your payee master through the bulk IBAN checker so a changed or unexpected bank surfaces before any transfer, whether the detail arrived by QR, PDF, or email.

Quishing Is Social Engineering, Not a Technical Flaw

The QR format itself is not broken. The exposure comes from a single human habit: scanning a code and confirming a payment without reading what the code actually contained. A QR code is only as trustworthy as its source, and a pre-filled IBAN deserves the same scrutiny as one typed by hand. Validation, name-matching, and a moment of attention at the confirmation screen are what turn an opaque code back into a payment you can trust.

Verify Any IBAN with ibanchecker.cash

Before you confirm a payment a QR code pre-filled, paste the IBAN into the ibanchecker.cash IBAN checker to confirm the country and bank behind it. To issue payment codes your own customers can rely on, build them with the IBAN QR Code generator, which encodes EPC payment data from an IBAN you have already validated. All validation runs in memory and no IBAN data is retained.

Last updated: June 2026