Subscribe
Share
Share
Embed
QR codes make events smoother—but they’re also a growing attack surface. In this Convene Talk, we unpack quishing (malicious QR code scams), from a live “honey pot” demo at a cybersecurity summit to everyday tricks that exploit attendee trust. We share easy fixes planners can deploy now—like printing the full destination URL next to every QR code—plus the FTC’s top tips, verification habits that actually stick, and how to keep QR convenience without sacrificing safety.
Links:
· Even scam experts fall for ‘quishing’ trap at global anti-fraud event in Singapore: https://theindependent.sg/even-scam-experts-fall-for-quishing-trap-at-global-anti-fraud-event-in-singapore/
· Convene Series: Talking Cybersecurity with Olga Nasibullina and Michael Peters: Strategies for Protecting Event Data from Emerging Threats: https://share.transistor.fm/s/2c1d2164
· Scam alert: QR code on an unexpected package: https://consumer.ftc.gov/consumer-alerts/2025/01/scam-alert-qr-code-unexpected-package
Get News Junkie: https://www.pcma.org/campaign/news-junkie/
Meet the Convene Editors: https://www.pcma.org/contact/
· Michelle Russell, Editor in Chief
· Barbara Palmer, Deputy Editor
· Jennifer N. Dienst, Senior Editor
· Kate Mulcrone, Managing Digital Editor
· Magdalina Atanassova, Digital Media Editor
Follow Convene:
Instagram: https://www.instagram.com/pcmaconvene/
YouTube: https://youtube.com/@pcmaconvene
Contact Information: For any questions, reach out to Magdalina Atanassova, matanassova(at)pcma(dot)org.
Sponsorships and Partnerships: Reach 36,000 qualified meeting organizers with Convene, the multi-award-winning magazine for the business events industry. Contact our sales team: https://www.pcma.org/advertise-sponsorship/
Music: Inspirational Cinematic Piano with Orchestra
Creators and Guests
What is PCMA Convene Podcast?
Since 1986, Convene has been delivering award-winning content that helps event professionals plan and execute innovative and successful events. Join the Convene editors as we dive into the latest topics of interest to — and some flying under the radar of — the business events community.
Convene Talk, ep. 81/October 3, 2025
*Note: the transcript is AI generated, excuse typos and inaccuracies
Magdalina Atanassova: This is the Convene Podcast. Welcome to another Convene Talk. Kate, take it away.
Kate Mulcrone: Today we are going to talk about quishing.
What is quishing?
Quishing is leveraging malicious QR codes to capture data.
And even though QR codes have been around forever,
this scam is relatively new.
The first week of September,
the Global Anti Scam alliance had their annual meeting in Singapore.
And at this meeting,
more than 50 attendees, all of whom are cybersecurity experts,
scanned a QR code through that was supposed to let them skip a long line at the event,
but it was actually a honey pot that was set up by the organizers of the summit to raise awareness about quishing attacks.
And again, it's just putting up a QR code on what looks like official event signage and instead the attendee scans it and they go somewhere they did not intend.
I thought that this was a really brilliant way for the organizers to get everyone's attention.
And according to the cybersecurity company NordVPN,
73% of Americans scan QR codes without verification.
And as a result,
more than 26 million have already been directed to a malicious site by doing that.
Before we talk about how you can avoid this and why, I personally think it's a great idea to use QR codes.
I just want to share the highlights of an FTC scam alert about quishing from from earlier this year and we'll include the link for this in the show. Notes.
So here's what it says.
An unexpected package from an unknown sender arrives in your name. You open it and find a note that says it's a gift, but it doesn't say who sent it.
The note also says to scan a QR code to find out who sent it or to get instructions on how to return it.
Did someone really send you a gift or is it an attempt to steal your personal information?
If you know it's really a gift, you can keep it. But know that the unexpected package could be a new twist on a brushing scam that could steal your personal information.
If you scan the QR code, it could take you to a phishing website that steals your personal information,
like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device.
And so what we're seeing is an event specific version of this well known scam.
And the twist is that instead of receiving a gift,
you're just at your favorite local convention center and you see what looks like completely legit signage and Then you end up somewhere that you didn't want to go.
So I feel like this is,
yes, we want to raise awareness,
but I am really curious what other people think about,
does this in any way hurt QR codes? Or is it just something that we should all be more aware of? Barbara?
Barbara Palmer: Well,
I mean, just since reading this story,
it's definitely changed how I look at QR codes out in the world.
So this is what I was thinking about is just how the QR codes and all of these scams,
they are dependent on trust.
I wondered what the scammed felt like at this conference,
because I feel like if you go into a conference,
you think that the conference is looking out for this.
Like, I would feel much more comfort scanning it inside an event.
I would think that all the QR codes that are there,
so it really reveals that you just can't do that.
I feel like just that that ability to exploit your trust is really at the heart of all scams that are related to cybersecurity.
You know, it pretends like you have a relationship or here's information that you want.
So it kind of, it's this double whammy of trust and desire.
Like, yeah, I want to skip the line.
So, Maggie, I know that. I know that you have like some expertise in this from podcasts that you've done.
Magdalina Atanassova: Yeah. But before that, I wanted to share a personal story just that relates to what you were saying. Yeah. The first time, actually that I heard about those phishing attacks was during a training that we had at PCMA, which is amazing because since watching those videos, I'm very vigilant about it because they show the case where many of us have seen those restaurant QR codes.
Or you can order on your phone.
And apparently some attackers also attach a fraudulent QR code on top of those menu stickers that you have in the restaurant itself.
So now every time when I go into a restaurant,
I do prefer to just order the old fashioned way.
Or if I don't have the choice and I really need to use a QR code,
I actually rub it with my hand to see if there's something extra on top of it. You know, if there is a sticker on top of the real QR code because usually they're laminated.
Right. So just see if there's anything that's been done to this QR code. And that may be a bit, you know, being way too cautious, but I'd rather be way too cautious because,
you know, the other end of this story is not nice. You don't want to end up there.
I do agree with you that being in an environment such as an event, you want to be you. You want to have that trust in everything that surrounds you.
But it seems that especially cyber security conferences and such where they discuss such ways of manipulating data people and extracting, you know, very personal information, they do that on purpose to showcase how vulnerable we all are, not only at this conference.
I have a friend who's in the field and she went to a conference where there were some,
I don't know, some.
A drone at the back of the room,
which all the participants. So it would be a part of the discussion. But apparently this thing recorded a lot of information on all the participants. And they said, you know, none of you question the drone being positioned there, right?
Just because you automatically assumed it's for good purposes. But we could have recorded. And again, like in this case, nothing bad was done with the data of the participants, but they just want to exploit an area where, you know, people need to be a bit more cautious and question.
Just nobody even asked the question, what is it for?
Why is it there?
How are you going to use it?
Barbara, I think especially you have explored this in many articles, the topic of trust in conferences and in associations, in life events in general. So I hope we're not going to lose that trust just because of such cases.
Barbara Palmer: Well, you know, I feel like in the case of our email,
like there's so many more phishing scams, right.
And I was just thinking about what we're losing.
I know that in my,
in my heightened awareness that,
like the risk to reward changes.
I feel like it has already changed how I think about my inbox.
And I do feel like these scammers are outpacing the ability of internal systems to flag them. I know that we've got great IT support and really could not be better,
but these things still slip through because they're doing new things all the time. I think that article, Kate, that you've sent us,
just the magnitude of the scam operations and how they're constantly evolving.
I am very eager to see what you guys have to say.
Magdalina Atanassova: So you mentioned the previous podcast that I did last year in a previous season,
and we did a whole episode on cybersecurity with a couple of experts together with Michelle.
And the. The one thing that they said is really the most important factor was the human factor. And they couldn't. Both of these experts now link to the episode in the show notes.
Both of these experts said that that's it. It starts with the person and the verification. Everyone does.
So on that podcast we had Michael Peters from rims,
and he gave some great examples.
And one of the examples that he gave was how they were under a ransomware attack because there was an employee who clicked 19 times on the attachment.
19 times. So she didn't like. She kept on clicking on that very suspicious email. And,
you know, they ended up closing their company for a little bit, just for six hours. They actually stopped operations just trying to fix that and, you know, get to the bottom of it and of course not pay the ransom.
And it's a very tough situation because you really can do a lot of damage to the organization. So they both, him and Olga,
who is a cybersecurity expert, they both highlighted the fact that you really need to stop and think twice before clicking on links.
And if you're unsure, always check with somebody that can, you know, verify. And I've had this case with past guests on the podcast who sent me an email, but probably he was on the move and he sent it, I guess from his phone, but it looked extremely suspicious.
And there was an attachment and I did not click on the attachment. I made a screenshot,
referred back to an old email that I have from him, send a screenshot, and said, is this really coming from you? Because it looks very, very suspicious. And I'm not clicking on anything in that email.
I actually deleted it. So if you want to send it again,
just verify it's you. And he verified it was him. So everything was good. But I was so freaked out that somebody has, you know, hacked his email. So I want to also warn him that if his email is hacked, so they can double check.
But everything at the end proved to be okay and it was good. But I was very taken back by those examples, especially from rims and the fact that if you're a little bit more diligent, you can really prevent something serious from happening.
And Olga, she said the same thing. Just take a few seconds,
think through it,
and make sure just to hover over with your mouse, see where the link goes,
double check the sender if there's anything suspicious, just like flag it, don't open.
So I think it really starts there.
Kate Mulcrone: Yeah. And that dovetails really well with the FTC's official advice.
And they have three tips. One, inspect the URL before you click anything.
Two, keep your phone software up to date.
And three,
use multi factor authentication whenever you can.
And as far as the first tip goes,
this is where I think we can really get ahead of this.
When you put the QR code on your sign,
just add the URL right next to it so that when people click it,
they can just look and say, oh, yep, this is exactly where I wanted to go.
And just that little extra step,
I feel like is,
I mean, I, I wouldn't say this easily, but I feel like that should prevent 99% of problems with using QR codes at events.
Barbara Palmer: I agree.
I was just thinking about what you could do in your email because we, everybody does.
I reach out to people that don't know me.
Like how?
Yeah, I don't know. I'm just thinking about how,
how,
how when you're communicating with other people, how you could,
what you could do to like, you know,
assure that you're secure.
Magdalina Atanassova: I believe that now Outlook and all similar email clients flag outside senders that they're unsure of.
And even in our emails we have, you can trust, like add the email to a trust list or not.
So I think that's one way for the technology to do it. But then again,
just staying vigilant and there's really nothing more I think technology wise that you can do, especially now with AI and all the deep fakes that are entering the scene and making things so very complicated.
And there's fake video calls and it's hard.
And we discussed a similar case on that podcast and there was an example.
So Olga Nasibullina, she gave two examples of such fake, deep fake calls.
And the one person fell for it just because the person rushed.
So he or she put the situation, you know, the company in a very bad situation,
while in the other case,
the person actually asked very fine questions, very simple, very fine questions, and called the scammer.
So sometimes really it comes down to you're unsure, you're in a situation where it can go either way. So just ask something that you can verify. It's, it's the person that you know on the other side,
especially when it comes to,
you know, in the one case that she gave, it was the director manager relationship.
So, you know, the manager was like, okay, that's my boss. I'll just do whatever you tell me. Just because you're my, you know, it seems like my boss is telling me.
And the other case, the person double checked if that's really their boss and, you know, somebody that's higher up.
Barbara Palmer: Yeah,
yeah.
I mean, I think I just keep thinking about all the aggregated time that now people are spending to like, check. I will say that some of them are pretty easy to spot.
Like many of these scams are not mastermind scams.
Magdalina Atanassova: The prince of.
Barbara Palmer: Right.
Magdalina Atanassova: Yeah.
Barbara Palmer: But I, you know, I do think that QR codes have resurged,
so it's really not surprising that they are a.
Now that they're a tool that scammers are using.
But I do like to order the old fashioned way.
Magdalina Atanassova: It's safer.
Barbara Palmer: Yeah. And it's just, it's just a burden on. Because I'm thinking about like,
you know, small businesses or small restaurants,
they might like put a extra sticker over the old ur.
The old code, that QR code that stopped working.
So I guess just slow down. Is a good, is a, is good advice people trust but verify.
Yes. I tend to get into like a.
Magdalina Atanassova: No, no, no, no, no.
Barbara Palmer: I gotta get this. No, no, look at all these emails.
Magdalina Atanassova: So.
Barbara Palmer: But slow down. Take, take a beat.
Magdalina Atanassova: Yeah, for sure. And it really comes down to us and not, not Russian like you're saying, I think is the best advice we can give to people.
And again,
I'll link back to that podcast where Michael is giving a lot of advice to planners on how to reverse hack his vendor systems and make sure that everything's working. Again, that's not for us lay people that,
you know, just fall for QR code scams and such.
So he has a lot of advice for people who are professional and can take care of these big systems for us.
Staying with vigilant,
slowing down,
hovering over a lot of things and not using QR codes when we can.
I think it's the best advice we can give.
Anything else, Kate, you were thinking of?
Kate Mulcrone: No,
I think this was a great discussion.
I think we all agree that QR codes are useful and planners just need to do a little bit extra to make sure attendees feel safe.
Barbara Palmer: Barbara?
No, no, I,
I'm just sitting here thinking about whether it would be,
you know, like, I'm just thinking about how like in an event,
how hard or not hard it would be to go onto a trade show and,
and do that. I feel like it would be,
I feel like it would be hard because there are a lot of, you know, it's pretty well controlled when people are setting up and there's a lot of eyes there.
So anyway,
that's what I was musing on.
Magdalina Atanassova: Same thing with me. I was thinking I'm putting so many QR codes on social media for us for our content,
but it's on social media. And then I'm like, sometimes just because it's easier to scan it when you have it on your screen rather than.
Kate Mulcrone: You know, it's it's just about not having to type. And if they don't have to type anyway, you might as well just put the link.
Barbara Palmer: Exactly,
exactly. And I'm going to start looking for that.
Looking for examples where people have. Because when I use that URL, I had to ask them for it and they had written it on the back of the.
Kate Mulcrone: Definitely. They should have, like, had that ready, though.
I feel like you're right to ask. If they don't know where the QR code goes,
then they should be covering that up with a sticker.
Barbara Palmer: Exactly.
Yeah.
Well,
I. I really hate to see this because.
Because QR codes now do make a lot of sense.
I think when they came out,
they were kind of like a solution looking for a problem.
And now they are definitely useful.
Yeah. So anyway, it's a great thing to bring to people's awareness. Kate. Thanks.
Magdalina Atanassova: And also, when you're in a foreign city, I just started noticing this here quite a bit. There's so many random QR codes around just being stuck on, I don't know,
light poles and such,
and there's no explanation what it is. It's like just a QR code.
Who does that? And I'm like, I will never check where this goes.
So. But I don't know if. For those that are curious at heart, just don't scan that. You don't want to know.
Barbara Palmer: That's the kind of thing that would tempt me sorely,
Maggie, if I was, like, walking down the street and saw just a random. I mean, I wouldn't click on it,
but I would just be like, what is it?
Magdalina Atanassova: Yeah, I also have questions, but I also know not to go there.
Kate Mulcrone: Right.
Barbara Palmer: But if, you know, if I, if I were, you know, if I were younger and didn't know about the consequences, I would for sure be clicking.
Magdalina Atanassova: Yeah, I hope nobody falls down that rabbit hole.
I think we may have brought more questions and answers to people's ears, but it is what it is. We also gave a couple of solutions. Slow down, think twice.
Barbara Palmer: Good advice.
Magdalina Atanassova: Well, thank you, Kate, for bringing this up. It was a good discussion as usual.
Thank you.
Remember to subscribe to the Convene Podcast on your favorite listening platform to stay updated with our latest episodes. For further industry insights from the Convene team, head over to PCMA.org/convene. My name is Maggie. Stay inspired. Keep inspiring. And until next time.