Legal Alert

One QR Code, Multiple Risks: A “Quishing Threat” Warning from the Turkish Data Protection Authority

27 February 2026

QR codes are widely used in many areas of daily life, ranging from restaurant menus to payment systems, from campaign participation to website redirections. Their ability to provide rapid access through mobile devices has significantly increased the frequency of QR code technology usage.

However, this practical convenience also brings new risks in terms of cybersecurity and personal data protection. The recent increase in “quishing” attacks has drawn attention as a specific type of phishing activity carried out through QR codes.

With its public announcement dated 26 February 2026, the Turkish Data Protection Authority (“Authority”) warned the public against the rising number of “quishing” attacks.

  1. What is Quishing?

Quishing (QR + phishing) is a cyber-attack method aimed at directing users to malicious websites by inducing them to scan fraudulent QR codes encountered in physical or digital environments, thereby obtaining their personal data, financial information, or authentication credentials.

Such attacks are typically carried out through:

  • Fake payment pages,
  • Interfaces imitating banks or e-government platforms,
  • Websites promising campaigns or rewards,
  • Links for downloading malicious software.

  2. How Are Quishing Attacks Carried Out?

Quishing attacks may be orchestrated in both physical and digital environments:

In Physical Environments:

  • Placing fraudulent QR code stickers over legitimate QR codes in restaurants, cafés, or public areas,
  • Including fake QR codes on materials resembling cargo documents, invoices, or official correspondence,
  • Using deceptive codes in parking payment areas or public transportation stops.

In Digital Environments:

  • QR code images sent via email or SMS,
  • Campaign codes shared through social media or messaging applications,
  • Fake announcements creating the impression of corporate communication.

Since users are directly redirected to the linked webpage upon scanning a QR code, the typical suspicious URL checks seen in conventional phishing attacks are often bypassed.

  3. Legal and Data Protection Aspects

Quishing attacks may result in:

  • Unlawful acquisition of personal data,
  • Fraudulent acts concerning banking and payment systems,
  • Identity theft,
  • Violations of data security obligations of institutions.

Pursuant to the Personal Data Protection Law No. 6698 (“PDPL”), data controllers are obliged to take all necessary technical and administrative measures to prevent unlawful processing of and access to personal data. Where institutions utilize QR code-based systems, ensuring the security of such infrastructure and properly informing users is of critical importance.

  4. How Can Quishing Attacks Be Identified?

The following may constitute indicators of suspicion:

  • The QR code appears to have been affixed or added later,
  • The redirected website’s domain name does not exactly match the official name of the institution/company,
  • Absence of an HTTPS certificate,
  • Messages creating a sense of urgency (“Make payment immediately”, “Your account will be suspended”, etc.),
  • Requests for unnecessary or unusual personal data.

  5. Protective Measures for Individuals

  • Avoid scanning QR codes from unknown or unverified sources.
  • In physical environments, check whether the QR code appears to have been subsequently attached.
  • Carefully examine the domain name of the website opened after scanning the QR code.
  • Use up-to-date security software on mobile devices.
  • Conduct banking and other critical transactions directly through official applications whenever possible.
  • In suspicious situations, contact the relevant institution directly.
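
The domain-name, HTTPS and urgency indicators listed under “How Can Quishing Attacks Be Identified?”, together with the advice above to examine the domain name after scanning, can be written as checks on the URL decoded from a QR code. The following is an added example, not part of the Authority's guideline or of this alert; the allowlisted hostnames, the function name and the urgency phrases are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical official hostnames of the institution the QR code claims to be from.
OFFICIAL_HOSTS = {"pay.bank.example", "www.bank.example"}
# Constructed sample of pressure phrases; a real list would be longer and localized.
URGENCY = re.compile(r"immediately|suspended|urgent|final notice", re.I)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def qr_url_indicators(url, page_text=""):
    """Return suspicion indicators for a URL decoded from a QR code."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https":
        flags.append("no-https")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host the browser connects to.
        flags.append("userinfo-in-url")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        # Internationalized names can contain look-alike characters.
        flags.append("idn-host")
    if _is_ip_literal(host):
        flags.append("ip-literal-host")
    if host not in OFFICIAL_HOSTS:
        # Exact match only: the official name appearing inside a longer
        # hostname does not make that hostname official.
        flags.append("host-not-official")
    if URGENCY.search(page_text):
        flags.append("urgency-language")
    return flags


if __name__ == "__main__":
    for sample in ("https://pay.bank.example/invoice/123",
                   "https://pay.bank.example.secure-login.test/"):
        print(sample, qr_url_indicators(sample))
```

An empty result only means that none of these indicators fired; it does not establish that the destination is legitimate.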

Conclusion

Although QR code technology provides convenience and speed, quishing attacks pose serious cybersecurity and data protection risks for both individuals and institutions. Therefore, it is of great importance to raise user awareness and to strengthen technical and administrative security measures within institutions.

The public announcement issued by the Authority and the guideline titled “The Risk Associated with QR Codes: Quishing” can be accessed via the following link:

The Risk Associated with QR Codes: Quishing | Turkish Data Protection Authority

For detailed information and professional support during the compliance process, feel free to contact us.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquiries within the scope of this Legal Alert.