
QR Code Phishing Scams: How to Stay Safe in 2026

Lunyb Security Team

QR codes are everywhere — on restaurant menus, parking meters, packaging, posters, emails, and even utility bills. They're fast, convenient, and contactless. But that same convenience has made them one of the fastest-growing tools for cybercriminals. QR code phishing scams, often called quishing, surged more than 400% between 2023 and 2025, according to multiple cybersecurity reports, and they continue to fool even tech-savvy users in 2026.

This guide explains exactly how QR code phishing works, the most common scams circulating today, the red flags to watch for, and the practical steps you can take to stay safe — whether you're an everyday smartphone user or someone responsible for a business.

What Is a QR Code Phishing Scam?

A QR code phishing scam (quishing) is a social engineering attack in which a cybercriminal embeds a malicious link inside a QR code to trick victims into visiting a fake website, downloading malware, or handing over sensitive information such as passwords, banking credentials, or two-factor authentication codes.

Unlike traditional phishing emails, QR codes hide the destination URL behind an image. You can't hover over a QR code to preview where it leads, and most email security filters historically scan text and links — not images. That blind spot is exactly why attackers love them.

Why QR Code Phishing Works So Well

  • Visual trust: QR codes look harmless and official.
  • Hidden destinations: You can't see the URL until after you scan.
  • Mobile bypass: Scans happen on phones, which often lack the corporate security tools desktops have.
  • Urgency: Many scams pair QR codes with messages like "Your account will be closed" or "Verify your payment now."
  • Email filter evasion: Image-based codes slip past many spam and phishing detectors.

How QR Code Phishing Attacks Work: A Step-by-Step Breakdown

Most quishing campaigns follow a predictable pattern. Understanding the chain helps you spot an attack early.

  1. Bait creation: The attacker designs a convincing email, flyer, sticker, or PDF that includes a QR code.
  2. Distribution: The bait is sent via email, posted in public, mailed physically, or even pasted over legitimate codes in restaurants or parking lots.
  3. Scan: The victim scans the QR code with their smartphone.
  4. Redirection: The code opens a phishing site that mimics a trusted brand — Microsoft 365, a bank, DHL, the IRS, or a parking authority.
  5. Credential or payment harvest: The victim enters login details, card numbers, or downloads a malicious app.
  6. Exploitation: The attacker uses the stolen data for account takeover, fraud, or to launch further attacks inside an organization.

The Most Common QR Code Phishing Scams in 2026

Quishing has evolved well beyond "scan this menu." Below are the dominant scams security teams are tracking this year.

1. Fake Microsoft 365 / Google Workspace Login Prompts

An employee receives a PDF or email claiming their MFA needs to be re-enrolled. The QR code leads to a near-perfect Microsoft login clone that steals both the password and the 2FA code in real time.

2. Parking Meter and EV Charger Stickers

Scammers print fake QR stickers and paste them over real ones on parking meters, EV chargers, and bike rentals. Victims "pay" through a fraudulent payment page.

3. Restaurant Menu Tampering

A malicious sticker is placed over a legitimate menu QR code, redirecting diners to a fake Wi-Fi login or "loyalty signup" that harvests personal data.

4. Package Delivery Notices

Physical postcards or door hangers claim you missed a delivery. The QR code leads to a fake DHL, FedEx, or USPS page demanding a small "redelivery fee" — and your card details.

5. Cryptocurrency Wallet Drainers

Posted in forums or sent via DM, these QR codes connect your wallet to a malicious smart contract that drains your tokens once approved.

6. Bank and Tax Authority Impersonation

Official-looking letters arrive on what appears to be government letterhead. The QR code points to a page demanding identity verification — perfect for identity theft.

Real-World Examples and Statistics

Recent industry data paints a sobering picture of how widespread quishing has become.

Statistic                                              | Figure (2024–2026) | Source type
-------------------------------------------------------|--------------------|-----------------------
Increase in QR phishing attacks (YoY)                  | +400% to +600%     | Email security vendors
Share of phishing emails containing QR codes           | ~22%               | Threat intel reports
Average cost of a successful business quishing breach  | $4.5M+             | IBM Cost of a Breach
Percentage of users who scan unknown QR codes          | ~36%               | Consumer surveys
QR phishing emails bypassing standard filters          | Over 60%           | Secure email gateways

Warning Signs of a Malicious QR Code

You can't read a QR code with your eyes, but you can read the context around it. Watch for these red flags before you scan.

  • Stickers over stickers: A QR code sticker placed on top of another one is a classic tampering sign.
  • Unsolicited emails or letters asking you to scan to "verify," "reactivate," or "avoid suspension."
  • Urgency or threats: "Scan within 24 hours or your account will be closed."
  • Codes in PDFs or images rather than clickable links — a common email-filter evasion tactic.
  • Generic greetings like "Dear Customer" instead of your name.
  • Misspelled brand names or off-brand colors on the surrounding poster or email.
  • Requests for login credentials, payment info, or MFA codes after scanning.

How to Stay Safe: 10 Practical Steps

Protecting yourself doesn't require special software — just disciplined habits. Here's a checklist that works in 2026.

  1. Preview the URL before opening. iOS and Android both show the destination URL after scanning. Read it carefully before tapping.
  2. Look for HTTPS and the correct domain. "microsft-login.com" is not Microsoft. Watch for hyphens, extra words, and odd top-level domains.
  3. Never enter credentials from a scanned link. Open the app or type the official URL manually instead.
  4. Inspect physical QR codes for stickers placed over the original.
  5. Don't scan codes from unsolicited emails, texts, or letters.
  6. Disable automatic URL opening in your QR scanner settings.
  7. Use a reputable mobile security app that scans links in real time.
  8. Keep your phone updated — OS patches frequently close browser exploits used after a quishing click.
  9. Enable phishing-resistant MFA like passkeys or hardware keys. They are bound to the legitimate site's domain, so a look-alike page can't capture and replay them even if you're tricked into using one there.
  10. Report suspicious codes to your IT team, the venue manager, or the impersonated brand.

How Businesses Can Defend Against Quishing

For organizations, QR phishing has become a board-level concern. A layered defense is essential.

Technical Controls

  • Deploy email security that performs OCR on images and inspects embedded QR codes.
  • Enforce passkeys or FIDO2 hardware tokens instead of SMS or app-based 2FA.
  • Use mobile device management (MDM) to restrict risky app installs.
  • Implement DNS filtering on corporate networks and VPNs to block known phishing domains.
  • Monitor for newly registered look-alike domains that mimic your brand.
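As an added example (not Lunyb's code, and not from the article), the Python below does the kind of check that steps 1 and 2 of the personal checklist describe on the URL a scanner shows after decoding, and reuses the same look-alike test to screen a feed of newly registered domains, as the last technical control above suggests. The trusted-domain list, the unusual-TLD list, and every URL and domain in it are constructed for illustration; the "last two labels" domain rule is a simplification, and a public-suffix list would be more accurate in production.

```python
"""Triage the URL decoded from a QR code, and screen a domain feed for look-alikes.

Added example for this article, not Lunyb's code. The trusted-domain list, the
unusual-TLD list, and every sample URL and domain below are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: domains the user or organisation actually trusts.
TRUSTED_DOMAINS = {"microsoft.com", "login.microsoftonline.com", "google.com", "dhl.com"}

# TLDs that are unusual for the brands above (an assumption made for this example).
UNUSUAL_TLDS = {"xyz", "top", "zip", "click", "icu", "mov"}

# Constructed sample of a "newly registered domains" feed.
NEW_DOMAIN_FEED = ["microsoft-support.com", "micros0ft.com", "rnicrosoft.net",
                   "example.org", "microsoft.com", "mycrosoft.co"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A public-suffix list is more accurate; this suffices for the demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host: str, trusted) -> bool:
    """True if host is a trusted domain or a subdomain of one (suffix match on a label boundary)."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def lookalike_reason(label: str, brand: str):
    """Why a domain label resembles a brand label, or None if it does not."""
    if brand in label:
        return f"contains brand name '{brand}'"
    allowed = 1 if len(brand) <= 5 else 2          # short brand names get a tighter threshold
    for token in label.split("-"):                  # 'microsft-login' -> test each word
        dist = edit_distance(token, brand)
        if dist <= allowed:
            return f"'{token}' is {dist} edit(s) from '{brand}'"
    return None


def triage_scanned_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the red flags for a decoded QR destination; an empty list means none were found."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append(f"not https (scheme is '{parts.scheme or 'none'}')")
    if not host:
        flags.append("no host name in URL")
        return flags
    if parts.username is not None:
        flags.append("user@ in front of the host, a common way to disguise the real domain")
    if is_trusted(host, trusted):
        return flags                                 # known-good domain; only scheme issues remain
    flags.append(f"host '{host}' is not on the trusted list")
    domain = registrable_domain(host)
    label, _, tld = domain.partition(".")
    if "-" in label:
        flags.append(f"hyphenated domain '{domain}'")
    if tld in UNUSUAL_TLDS:
        flags.append(f"unusual top-level domain '.{tld}'")
    brands = {registrable_domain(t).split(".")[0] for t in trusted}
    for brand in sorted(brands):
        if brand in host:
            flags.append(f"trusted brand name '{brand}' used inside an untrusted host")
        else:
            reason = lookalike_reason(label, brand)
            if reason:
                flags.append(f"look-alike of '{brand}': {reason}")
    return flags


def find_lookalike_domains(new_domains, brand_domain: str) -> list:
    """Screen a feed of newly registered domains for ones that mimic brand_domain.
    Returns (domain, reason) pairs for an analyst to review; it blocks nothing by itself."""
    brand_reg = registrable_domain(brand_domain)
    brand = brand_reg.split(".")[0]
    hits = []
    for d in new_domains:
        reg = registrable_domain(d)
        if reg == brand_reg:
            continue                                 # the brand's own registration
        reason = lookalike_reason(reg.split(".")[0], brand)
        if reason:
            hits.append((d, reason))
    return hits


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/common/oauth2/authorize",
              "https://microsft-login.com/verify",
              "http://microsoft.com.verify-account.xyz/login"):
        print(u, "->", triage_scanned_url(u) or "no red flags")
    for d, why in find_lookalike_domains(NEW_DOMAIN_FEED, "microsoft.com"):
        print("review:", d, "-", why)
```

The triage stops at the first trusted match, so a genuine subdomain such as login.microsoftonline.com comes back clean, while a host that merely contains a brand name (microsoft.com.verify-account.xyz) is flagged on every count it fails. The same lookalike_reason helper drives the domain-feed screen, which only produces a review list; blocking or takedown decisions stay with the analyst.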

People and Process

  • Train employees with simulated QR phishing exercises — not just email phishing.
  • Create a one-tap "Report Phish" workflow for mobile.
  • Establish a policy that QR codes should never be the only way to access internal resources.
  • Audit your own marketing QR codes regularly to ensure they haven't been hijacked or redirected.
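As an added example (not Lunyb's code, and not from the article), the Python below audits a dynamic QR or short link the way the last bullet describes: it walks the redirect chain one hop at a time, flags a hop to plain http, a loop, or a chain that never ends, and checks that the final page is the destination you registered. The short-link and destination URLs and the two redirect tables are constructed; http_resolver is the only part that touches the network and uses nothing beyond the standard library.

```python
"""Audit a dynamic QR or short link by walking its redirect chain one hop at a time.

Added example for this article, not Lunyb's code. The resolver is pluggable: the
in-memory table resolver makes the demo run offline on constructed data, and
http_resolver runs the same audit against a live link using only the standard library.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5


def audit_redirect_chain(start_url, expected_final, resolver, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. resolver(url) returns the next Location, or None for a final page.
    Returns (ok, chain, problems)."""
    chain = [start_url]
    problems = []
    url = start_url
    for _ in range(max_hops):
        location = resolver(url)
        if location is None:
            break                                    # landed on a real page
        nxt = urljoin(url, location)                 # Location may be relative
        if nxt in chain:
            problems.append(f"redirect loop back to {nxt}")
            break
        if urlsplit(nxt).scheme != "https":
            problems.append(f"hop to a non-https URL: {nxt}")
        chain.append(nxt)
        url = nxt
    else:
        problems.append(f"still redirecting after {max_hops} hops; gave up")
    if url.rstrip("/") != expected_final.rstrip("/"):
        problems.append(f"final destination is {url}, expected {expected_final}")
    return (not problems, chain, problems)


def audit_codes(registry, resolver):
    """Run the audit over {short_url: expected_destination}; returns {short_url: (ok, chain, problems)}."""
    return {short: audit_redirect_chain(short, dest, resolver) for short, dest in registry.items()}


def table_resolver(table):
    """Offline resolver backed by a dict of url -> next Location (None or missing means final page)."""
    return lambda url: table.get(url)


class _StopAtRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None here makes urlopen raise HTTPError for the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_resolver(url, timeout=10):
    """One network hop: the Location header of a 3xx response, or None when the page is final."""
    opener = urllib.request.build_opener(_StopAtRedirect)
    try:
        with opener.open(url, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


# Constructed redirect tables: a healthy chain and one where the landing page was hijacked.
HEALTHY = {"https://lnk.example/menu": "https://www.cafe.example/menu",
           "https://www.cafe.example/menu": None}
HIJACKED = {"https://lnk.example/menu": "https://www.cafe.example/menu",
            "https://www.cafe.example/menu": "http://cafe-menu-login.example/wifi",
            "http://cafe-menu-login.example/wifi": None}
# Constructed registry of the codes you printed and where each is supposed to land.
REGISTRY = {"https://lnk.example/menu": "https://www.cafe.example/menu"}

if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        for short, (ok, chain, problems) in audit_codes(REGISTRY, table_resolver(table)).items():
            print(name, short, "OK" if ok else "PROBLEM", " -> ".join(chain), problems)
```

Running the audit on a schedule with http_resolver and your real registry turns the "audit your own QR codes" bullet into a check that fails loudly: the hijacked table above produces both a non-https hop and a wrong final destination, which is exactly the signature of a landing page that has been redirected to a credential-harvesting form.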

Choosing a Trustworthy Link and QR Code Provider

If your business generates QR codes for menus, marketing campaigns, or payments, the platform you use matters. A reputable provider gives you control, analytics, and the ability to deactivate or change a destination if a code is compromised — without reprinting the code.

Services like Lunyb provide secure short links and dynamic QR codes with click analytics, link expiration, and password protection — useful features both for legitimate marketing and for limiting the damage if something goes wrong. If you're evaluating options, our 2026 buyer's guide to the best URL shorteners compares the leading platforms side by side, and our honest review of Lunyb walks through its security features in detail. For enterprise teams, our Rebrandly review for 2026 is also worth a look.

What to Do If You've Already Scanned a Malicious QR Code

If you suspect you've fallen for a quishing attack, act quickly. Speed limits the damage.

  1. Disconnect from the internet if you downloaded anything suspicious.
  2. Change passwords for any account you entered credentials into — and any account sharing the same password.
  3. Revoke active sessions in your account security settings (Microsoft, Google, banks all support this).
  4. Enable or rotate MFA, and switch to passkeys if available.
  5. Contact your bank if you entered card or banking details. Request a card replacement.
  6. Run a mobile malware scan using a reputable security app.
  7. Report the incident — to your employer's IT team, the impersonated brand, and local cybercrime authorities (FTC, Action Fraud, IC3, etc.).
  8. Monitor your credit and consider a credit freeze if identity data was exposed.

Pros and Cons of QR Codes in Daily Life

QR codes aren't going away. They're genuinely useful — but worth using with eyes open.

Pros

  • Fast, contactless access to information and payments
  • Great for marketing, ticketing, and authentication
  • Work without an app on modern smartphones
  • Can be dynamic (changeable destination) with the right platform

Cons

  • Destination is invisible until scanned
  • Easy to tamper with physically
  • Bypass many traditional email security tools
  • Mobile context reduces user vigilance

Frequently Asked Questions

Can simply scanning a QR code infect my phone?

Scanning alone usually just decodes a URL — it doesn't execute code. The real risk begins when you tap the link, enter credentials, or download an app. That said, some advanced attacks use browser exploits, so always keep your phone's OS and browser updated.

How can I tell if a QR code is safe before I scan it?

You can't fully verify a QR code in advance, but you can reduce risk: only scan codes from trusted, untampered sources; preview the URL after scanning; and never enter sensitive information on a page reached via QR. When in doubt, type the official URL into your browser instead.

Are QR codes in emails always dangerous?

Not always, but they should be treated with extra suspicion. Legitimate companies rarely require you to scan a QR code from an email to log in or verify an account. If an email asks you to scan to access something urgent, assume it's phishing until proven otherwise.

What's the difference between quishing and regular phishing?

Quishing is a subset of phishing that uses QR codes as the delivery mechanism instead of clickable links. The end goal is the same — stealing credentials, money, or installing malware — but QR codes hide the destination URL and often bypass email security tools that scan text-based links.

Should businesses stop using QR codes for marketing?

No — QR codes remain effective when implemented correctly. The key is using a reputable dynamic QR platform that lets you monitor scans, change destinations if compromised, and detect tampering. Pair that with customer education and clear branding around your codes.

Final Thoughts

QR code phishing isn't a passing trend. As long as QR codes are convenient and their destinations stay hidden, scammers will keep exploiting them. The good news: a small set of habits — previewing URLs, ignoring unsolicited codes, using passkeys, and choosing trustworthy link platforms — defeats the vast majority of attacks.

Treat every QR code the way you'd treat a stranger handing you a USB stick: useful sometimes, but always worth a second look.
