A disturbing new trend in cybercrime emerged this week as security professionals discovered QR codes taped to lampposts in what appears to be a sophisticated psychological manipulation campaign.
The handwritten note, which read “John, I know you are cheating on me,” followed by a QR code and the message “here’s the proof it would be worthwhile for everyone to see,” represents a disturbing advancement in phishing attacks that combines digital threats with real-world social engineering.
This street-level approach to QR code phishing, known as quishing, demonstrates how cybercriminals are adapting their tactics beyond traditional email campaigns to exploit human psychology in public spaces.
.png
)
The incident highlights a growing trend that has seen QR code phishing attacks surge dramatically in recent years.
According to recent data from Action Fraud, QR code scams have increased fourteen-fold over the past five years, with 1,386 reports received in 2024 compared to just 100 in 2019.
Even more concerning, statistics from Hoxhunt reveal that 22% of phishing attacks now use QR codes, with research showing that only 36% of employees can successfully identify and report a simulated QR code phishing attack.
“Quishing is essentially a form of phishing attack that cleverly uses QR codes to trick users into visiting malicious websites,” explains cybersecurity experts.
The lamppost incident represents a particularly insidious variant that exploits powerful emotional triggers, including curiosity, jealousy, and social drama, to compel victims to scan the code.
Katherine Hart from the Chartered Trading Standards Institute warns that “we’ve seen huge amounts lost this way. People have seen their life savings gone and that money is going to finance criminals”.
The rise of organized crime involvement in quishing operations has created what experts describe as a “hierarchy of criminals,” with some code placers potentially unaware of the broader implications of their actions.
The psychological manipulation techniques employed in this street-level attack mirror those used in digital campaigns. Research indicates that “phishing attacks using QR codes often employ tactics that manipulate the emotions of potential victims. Attackers create a sense of urgency, excitement, or curiosity to encourage individuals to scan the malicious QR code without hesitation”.
Its ability to bypass traditional cybersecurity defenses makes this particular attack vector especially dangerous. Unlike email-based quishing attacks, which can potentially be filtered by security systems, physical QR codes placed in public spaces operate entirely outside digital security perimeters.
Recent trends show that quishing attacks have risen 25% year-over-year in 2025, accounting for one in every eight credential-harvest campaigns. The shift from primarily email-based attacks to physical placement represents a concerning evolution in threat actor methodology.
Security professionals emphasize that this incident should serve as a wake-up call for public awareness campaigns. One cybersecurity expert noted, “cybersecurity awareness isn’t just for the inbox anymore.” The integration of real-world placement with digital threats requires a fundamental shift in how individuals approach QR code security.
The lamppost incident underscores the critical need for enhanced public education about QR code risks and the importance of verifying sources before scanning any code, regardless of its apparent legitimacy or emotional appeal.
As quishing attacks become increasingly sophisticated and move beyond digital boundaries, vigilance in all environments has become essential for personal cybersecurity.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
