The Personal Data Protection Authority’s Announcement Titled “QR Codes and Emerging Risk: ‘Quishing’” Published

On 26.02.2026, the Personal Data Protection Authority (Authority) published an announcement titled “QR Codes and Emerging Risk: Quishing”. The announcement comprehensively addresses the nature of quishing attacks carried out through QR codes, how such attacks can be detected, and the measures individuals should take. It draws attention to the fact that QR codes, which are widely used in daily life, may pose serious risks to the security of personal data if misused.

The key points are summarized below:

• Quishing is a phishing method whereby individuals are redirected to malicious websites through fake or subsequently altered QR codes, persuaded into sharing their personal data, or caused to have malware installed on their devices.
• In particular, dynamic QR codes allow the content they redirect to be changed to a different address without altering their visual structure, which makes this method convenient for attackers.
• Quishing attacks may be carried out through QR codes placed in physical environments (posters, brochures, restaurant tables, etc.) or through QR images transmitted via digital communication channels such as e-mail and text messages.
• QR code shared from unknown senders containing messages that create a sense of urgency or panic, as well as redirections made under pretexts such as account security, delivery issues, or campaigns, may serve as risk indicators.
• Following the scanning of a QR code, requests for authentication credentials or credit card data, inconsistency of the domain name with the relevant institution, or the initiation of unexpected file download operations are among the elements that increase suspicion of an attack.
• The Authority emphasizes the need for heightened vigilance against QR codes that appear to have been subsequently affixed in physical environments, as well as codes transmitted via digital channels by unknown or unexpected senders.
• It is recommended that individuals verify the physical integrity of QR codes, scan only codes from trusted sources, examine the accuracy of the redirected link, keep their device security up to date, and implement enhanced security measures such as multi-factor authentication.