Carding, a form of financial fraud, involves the theft and use of payment card data (number, CVV, expiration date, cardholder name) for unauthorized transactions. Fake QR codes have become a powerful tool in this scheme, disguising malicious links as convenient payment methods, exploiting users' trust in fast payment technologies like the SBP (Faster Payments System) in Russia or similar systems like FedNow in the US. This approach is known as "quishing" (a combination of QR and phishing), and it allows carders to collect data in real time, bypassing traditional security barriers like two-factor authentication or visual URL verification.
Quishing is expected to grow 51% in 2025 compared to 2022, and 26% of all phishing campaigns use QR codes to distribute malicious links. In the first quarter of 2025, over 1 million phishing attacks were recorded, many of which included QR codes in email campaigns. In Russia, fraudsters are actively exploiting the growth of the Fast Payment System (FPS): since 2019, the volume of QR payments has grown tenfold, leading to a new wave of attacks, including code substitution in public places and fake promotions on marketplaces. These methods don't require sophisticated equipment — a QR code generator and basic phishing skills are sufficient — but they are effective due to the human factor: urgency and ease of scanning.
For educational purposes, it's important to understand how these methods are evolving to develop risk awareness. Below, I will discuss key approaches at a high level, without providing technical implementation instructions, based on 2025 trend reports.
Basic methods of carding with fake QR codes
I'll expand the previous table by adding sub-methods, examples from 2025, and associated risks. The methods are categorized by attack vector: digital (online), physical (offline), and hybrid.

Category | Method | Description | Case Studies (2025) | Risks and consequences |
---|---|---|---|---|
Digital (online) | QR phishing via email/SMS (quishing in newsletters) | Fraudsters send fake notifications about "payment problems," "refunds," or "promotions" with a QR code leading to a fake website. Victims enter their card details for "confirmation," which are then used for test transactions or withdrawals. | In 2025, millions of emails with QR codes from "banks" or "stores" (for example, fake ones from Sberbank or Amazon) led to data theft; in Russia, the same lure took the form of SMS messages about an "SBP error." | Theft of complete card data; immediate charges of up to $1,000–$5,000; data sold on the dark web for $5–$50 per card. |
Digital (online) | QR codes in unsolicited packages (brushing scams with QR codes) | Carders send unwanted packages with QR codes for "returns" or "bonus activation." Scanning them installs malware or redirects to a phishing site for data entry. | In 2025, the US and Europe saw a growing number of packages with no sender and QR codes leading to malware; in Russia, a combination with fake "returns" from marketplaces. | Installation of malware (keyloggers); theft of not only cards but also access to the device; long-term monitoring of accounts. |
Digital (online) | QR redirect in P2P payments and instant messaging | Fake QR codes are generated for "quick transfers" on Telegram, WhatsApp, or social media. The victim scans the code for "payment" or "receipt," but enters the data on a fake portal. | Telegram bots for "crypto exchange" or "refunds"; in 2025, carding bootcamps teach this; in Russia, through the SBP for anonymous transfers. | Fast withdrawals (up to 100% of balance); combo with voice phishing (deepfake calls from the "bank"). |
Physical (offline) | Physical substitution of QR codes | Fraudsters affix fake QR code stickers to parking meters, ATMs, cafe menus, charging stations, and kiosks. The scanned stickers lead to a fake payment portal. | In 2025: fake QR codes in Los Angeles parking lots (150+ cases), restaurants, and charging stations in Finland; in Russia, at gas stations, cafes, and marketplaces. | Financial losses (from $100 to thousands of dollars); mass data collection in public places; risks through the FPS in Russia. |
Physical (offline) | QR codes in public announcements or posters | Fake QR codes on street posters, flyers, and even on public transport, masquerading as "payment for services" or "promotions." | In 2025: spoofing in parking lots and restaurants; warnings about "quishing" in the UK and US, where victims lose thousands. | Mass data collection; malware installation; victims often don't notice until they receive charge notifications. |
Hybrid | Dynamic QR-jacking with AI elements | Legitimate QR codes are intercepted in apps (such as Venmo or banking apps) and replaced with fake ones using malware or AI generation. The victim confirms the "payment" on the fake website. | In 2025: integration with deepfake for verification; growth in mobile banking; in Russia, a combo with fake transaction "cancellations." | Full account takeover; ransomware combo; losses up to millions globally. |
Hybrid | QR code in combination with voice/social engineering | QR is combined with calls (vishing) or messages where a "bank employee" asks to scan to "cancel a suspicious transaction." | In 2025: AI-based deepfake audio in calls; fake "KYC" (know your customer) QR codes; in Russia, posing as "bank employees." | Data theft + psychological pressure; high conversion (up to 73% of Americans scan without verification). |
How these methods work in the context of carding (high-level overview)
- Preparation: Carders generate a QR code using publicly available tools that links to a spoof website (a copy of a legitimate payment portal, such as PayPal or SBP). The website requests data under the guise of "payment" or "verification."
- Distribution: Via email, SMS, physical spoofing, or social media. In 2025, AI elements are added: personalized deepfake notifications to increase trust.
- Collection and verification: The victim enters data, which is verified through small test transactions (1–5 USD). Valid cards are used for purchases (goods flipping) or cryptocurrency conversion.
- Monetization and laundering: Money is routed through "mules" (dummy accounts) or crypto exchanges. The cycle is completed within 24–48 hours, before the bank responds. In Russia, the Fast Payment System (SBP) is often used for quick transfers without data entry.
- Evolution in 2025: The rise of AI to create realistic fake websites and deepfake audio; integration with malware to steal geolocation or biometrics. Statistics: 73% of Americans scan QR codes without verification, increasing effectiveness. Globally, losses from quishing reach millions of dollars annually.
Protecting Against These Methods: Educational Recommendations
To minimize risks, focus on prevention and awareness:

- Check before opening: Always preview the URL your scanner shows after scanning (iOS and Android camera apps offer this) and open it only if the domain is the one you expect. Manually enter the website address in the browser, if possible.
- Using official tools: Scan only through banking apps. Avoid third-party scanners.
- Avoiding urgency: Don't scan in a hurry (parking, "urgent return"). Check the source: email from an unknown person? An unordered package? Ignore it.
- Technical measures: Enable transaction notifications at your bank; use virtual cards (disposable numbers) for online payments. Install antivirus software with anti-phishing protection (e.g., blocking suspicious URLs).
- For businesses and public spaces: Generate dynamic QR codes (changing each time); monitor for substitutions; inform customers about risks.
- If you become a victim: Immediately block your card via the app or by calling the bank; report it to the police; scan your device for malware.
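The URL preview in the first recommendation and the "monitor for substitutions" advice for businesses both come down to the same question: does the decoded QR payload point where it should? The following triage function is an added example, not part of the original article, that applies the checks a defender would run on a decoded payload (cleartext HTTP, IP-literal host, punycode/IDN host, URL shortener, userinfo before the host, brand word in an unknown host, embedded redirect). The allowlist, brand words and shortener list are constructed samples with hypothetical names, not real payment providers.

```python
"""Triage of a decoded QR payload before it is opened: a defensive URL check."""
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Constructed allowlist of hosts this organisation's own QR codes point to (hypothetical names).
ALLOWED_HOSTS = {"pay.example-bank.com", "qr.example-fps.example"}
# Brand words a lookalike domain would reuse (constructed sample, extend per organisation).
BRAND_WORDS = ("bank", "pay", "sbp", "refund")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
# Any one of these alone is enough to block; weaker signals need three to add up to a block.
STRONG = {"ip-literal host", "punycode/IDN host", "userinfo before host", "embedded redirect in query"}

def triage_qr_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Return {'verdict': 'allow'|'review'|'block', 'reasons': [...]} for one decoded payload."""
    text = payload.strip()
    if not text.lower().startswith(("http://", "https://")):
        # WIFI:, tel:, plain text and similar payloads are not web links; hand them to a human
        return {"verdict": "review", "reasons": ["non-http payload"]}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if host in allowed_hosts and parts.scheme == "https":
        return {"verdict": "allow", "reasons": []}
    reasons = ["host not in allowlist"]
    if parts.scheme != "https":
        reasons.append("cleartext http")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("punycode/IDN host")          # possible homograph of a known brand
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    if parts.username is not None:
        reasons.append("userinfo before host")       # "https://bank.example@evil.example/" pattern
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand word in non-allowlisted host")
    if host.count(".") >= 4:
        reasons.append("deeply nested subdomains")
    for values in parse_qs(parts.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            reasons.append("embedded redirect in query")  # open-redirect style hop to the real phish
            break
    verdict = "block" if set(reasons) & STRONG or len(reasons) >= 3 else "review"
    return {"verdict": verdict, "reasons": reasons}
```

For the business case, feed the function the payload decoded from a periodic photo of each deployed code and alert when the verdict is anything but "allow" against your own allowlist.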
Understanding these methods not only helps you protect yourself but also understand the broader cybersecurity ecosystem. In 2025, quishing remains a top threat, but with increasing awareness (like campaigns from Proton Mail and others), the incidence is declining. I recommend studying reports from the APWG or NCSC for current trends.