
QR Code Phishing Scams: How to Stay Safe in 2026

Lunyb Security Team

QR codes were once a novelty. Today they appear on restaurant tables, parking meters, product packaging, business cards, billboards, and even utility bills. That ubiquity is exactly why cybercriminals love them. QR code phishing scams—often called quishing—have become one of the fastest-growing attack vectors of the past two years, with reports tripling between 2023 and 2025 according to multiple threat-intelligence firms.

This guide explains exactly how QR code phishing scams work, the most common variations you'll encounter, and the practical, no-nonsense steps you can take to protect yourself, your family, and your organization.

What Are QR Code Phishing Scams?

QR code phishing scams are social engineering attacks in which a malicious QR code redirects victims to a fraudulent website, downloads malware, or triggers an action (like a payment or login attempt) designed to steal money, credentials, or personal data. The term "quishing" combines "QR" and "phishing."

Unlike a traditional phishing email, where a suspicious link is visible and can be inspected, a QR code hides the destination URL inside a visual pattern. Most people scan first and think later. That single behavioral gap is what makes quishing so effective.

Why Attackers Love QR Codes

  • Hidden destinations: Users can't preview a URL just by looking at a QR code.
  • Mobile-first targeting: Scans happen on phones, where security tools are weaker and screen sizes hide red flags.
  • Trust by context: A code on a restaurant table or parking sign feels legitimate by default.
  • Email filter evasion: Many security gateways inspect text and links but not images, so a QR code embedded in a PDF or inline image often slips through.
  • Low cost, high scale: Printing a sticker or sending a bulk email costs almost nothing.

How a QR Code Phishing Attack Actually Works

Most quishing attacks follow a predictable five-step pattern. Understanding the sequence makes the warning signs much easier to spot.

  1. The lure: The attacker places a QR code somewhere a target will see it—an email pretending to be from HR, a sticker on a parking meter, a flyer on a coffee-shop bulletin board, or a fake invoice.
  2. The scan: The victim uses their phone camera to scan the code, trusting the surrounding context.
  3. The redirect: The code resolves to a malicious URL, often a near-perfect clone of a real login page (Microsoft 365, a bank, a parcel carrier, a parking app).
  4. The harvest: The victim enters credentials, payment information, or a multi-factor authentication code. Some attacks instead prompt a malicious app install.
  5. The exploit: Attackers immediately log into the real account, drain funds, sell credentials, or pivot to a corporate network.

The Most Common QR Code Phishing Scams in 2026

Quishing has evolved well beyond email. Here are the variants security teams are seeing most often this year.

1. Parking Meter and EV Charging Scams

Criminals print stickers with malicious QR codes and place them over the legitimate codes on parking meters or EV chargers. Victims scan, are sent to a fake payment page, and hand over card details. This scam has been reported in cities across the US, UK, Australia, and across Europe.

2. Corporate Email Quishing

The most common workplace attack. Employees receive an email—often disguised as a multi-factor authentication update, voicemail notification, or HR document—containing a QR code they're told to scan with their phone. Because the link is opened on a personal device, it bypasses corporate endpoint protection entirely.

3. Restaurant Menu Swaps

Fake menu codes redirect diners to phishing pages that collect "reservation deposits" or download malicious apps disguised as loyalty programs.

4. Package Delivery Scams

A QR code on a missed-delivery card or in a text message claims to help you reschedule a package. The destination is a credential-harvesting page that mimics FedEx, DHL, Royal Mail, USPS, or Australia Post.

5. Cryptocurrency Wallet Drainers

Particularly nasty. QR codes shared on social media or in fake giveaways trigger a wallet-connect prompt that, once approved, drains the entire wallet.

6. Charity and Disaster Relief Fraud

Following major news events, scammers post QR codes on social media and physical flyers asking for donations. The money goes directly to the attacker.

QR Code Phishing vs. Traditional Phishing: Key Differences

Both attacks aim to steal credentials or money, but the mechanics differ in ways that matter for defense.

| Factor | Traditional Phishing | QR Code Phishing (Quishing) |
|---|---|---|
| Delivery channel | Email, SMS, instant message | Physical stickers, printed materials, embedded images |
| URL visibility | Visible (can hover to preview) | Hidden inside the QR pattern |
| Device targeted | Computer or phone | Almost always a mobile phone |
| Corporate defenses | Email gateways, URL rewriting | Often bypassed entirely |
| User awareness | Generally high after years of training | Low—many users don't know quishing exists |
| Required effort | Bulk email send | Sticker placement or image embedding |

Warning Signs of a Malicious QR Code

Before you scan, take three seconds to check for these red flags. They apply to both physical codes and digital ones.

  • A sticker over another code. If you can see edges or peel marks, walk away.
  • Urgent or threatening language. "Scan immediately to avoid a fine" is classic social engineering.
  • Unsolicited emails containing only an image. Especially if they ask you to authenticate using your phone.
  • A code with no surrounding branding or with logos that look slightly off.
  • Codes in unexpected places—a parking meter that didn't have one yesterday, a flyer taped to a lamppost, a code in a public restroom.
  • Prompts for credentials immediately after scanning. Legitimate businesses rarely ask you to log in directly from a scanned code.
  • Requests to install an app from outside the official store.

How to Stay Safe From QR Code Phishing Scams

The good news: defending yourself doesn't require expensive tools. It mostly requires habits.

1. Preview the URL Before You Open It

Modern iOS and Android camera apps display the destination URL as a preview banner before opening it. Read it. If the domain looks wrong, misspelled, or unfamiliar, cancel.

2. Use a QR Scanner With Built-In Safety Checks

Several reputable security apps scan the destination against known threat databases before loading the page. This is especially valuable for users who scan codes frequently.

3. Type the URL Manually When in Doubt

For anything involving payment, login, or personal data, skip the QR code and type the company's known URL directly into your browser. It takes ten extra seconds and eliminates the risk.

4. Use a Trusted Link Shortener for Your Own Codes

If you generate QR codes for your business, use a reputable shortener that lets you see analytics, edit destinations, and revoke malicious redirects. Services like Lunyb provide trackable short links and QR codes with destination control, so if a printed code is compromised you can repoint it instantly without reprinting. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners.

5. Enable Multi-Factor Authentication Everywhere

Even if attackers steal a password through quishing, MFA can stop them. Prefer app-based or hardware key MFA over SMS, which can be intercepted.

6. Never Scan Codes From Unsolicited Emails

If your IT department or bank truly needs you to act, they will provide an alternate channel. Forward suspicious emails to your security team or report them as phishing.

7. Inspect Physical Codes for Tampering

In parking lots, on menus, and at point-of-sale terminals, look for stickers placed over other stickers, peeling edges, or codes that don't match the surrounding branding.

8. Keep Your Phone Operating System Updated

Many quishing payloads rely on browser or OS vulnerabilities. A current OS dramatically reduces the attack surface.

What to Do If You've Already Scanned a Malicious QR Code

Acting quickly limits the damage. Follow these steps in order:

  1. Don't enter any information. Close the browser tab immediately if you haven't already submitted anything.
  2. Disconnect from Wi-Fi and mobile data if you suspect an app or file was downloaded.
  3. Delete any downloaded files or apps through your phone's settings.
  4. Run a mobile security scan using a reputable tool.
  5. Change passwords for any account you may have entered credentials into—starting with email and banking.
  6. Enable or reset MFA on affected accounts.
  7. Notify your bank if payment information was entered, and ask them to flag the account.
  8. Report the incident to your national cybercrime authority (IC3 in the US, Action Fraud in the UK, Scamwatch in Australia, the Canadian Anti-Fraud Centre in Canada).
  9. Inform your employer's IT/security team if a work account was involved.

How Businesses Can Defend Against Quishing

Organizations face a unique challenge because quishing routes around traditional email security. A layered defense works best.

Train Employees Specifically on QR Code Threats

Generic phishing training is no longer enough. Include real quishing examples, run targeted simulations, and make sure remote and hybrid workers are included.

Deploy Email Security That Scans Embedded Images

Modern secure email gateways can decode QR codes inside attachments and inline images, evaluate the destination URL, and block known malicious links.
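The checks a gateway (or a safety-aware scanner app, as in the "Preview the URL" advice above) runs on a decoded QR destination, as an added illustration that is not code from the original article or from any named vendor. The brand allowlist and sample payloads are constructed for the example, and a production gateway would additionally query threat-intelligence feeds rather than rely on heuristics alone.

```python
"""Triage of decoded QR payloads: the destination checks a gateway or
scanner app performs before a page is loaded. KNOWN_BRANDS and the
sample URLs are constructed for this example."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains it legitimately uses.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "fedex": {"fedex.com"},
    "usps": {"usps.com"},
}
SAFE_SCHEMES = {"https"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (sufficient for the brands listed above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_qr_payload(payload: str) -> list:
    """Return the list of red flags found in a decoded QR payload."""
    flags = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in SAFE_SCHEMES:
        # Non-web payloads (tel:, WIFI:, intent:) and plain http both deserve review.
        flags.append(f"scheme:{parts.scheme or 'none'}")
        if not parts.scheme.startswith("http"):
            return flags
    host = parts.hostname or ""
    if not host:
        flags.append("no-host")
        return flags
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if parts.username is not None:
        flags.append("credentials-in-url")   # user@host trick hides the real host
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")        # possible homoglyph lookalike
    if host.count(".") >= 4:
        flags.append("deep-subdomain")
    reg = registrable_domain(host)
    netloc = parts.netloc.lower().replace("-", "")   # include userinfo in the brand check
    for brand, domains in KNOWN_BRANDS.items():
        if brand in netloc and reg not in domains:
            flags.append(f"brand-lookalike:{brand}")
    return flags
```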

Use Mobile Device Management (MDM)

MDM lets you enforce OS updates, restrict sideloaded apps, and apply web filtering on company-owned and BYOD devices.

Control Your Own QR Codes

If your business uses QR codes for marketing, payments, or wayfinding, manage them through a single platform with auditing and the ability to update destinations. Avoid free, anonymous generators—if the destination is hardcoded into a printed code and the underlying service disappears, you've lost control. For a balanced look at managed link platforms, our Rebrandly review for 2026 and our honest review of Lunyb are good starting points.

Adopt Phishing-Resistant MFA

FIDO2 security keys and passkeys defeat most credential-stealing phishing flows, including quishing, because the authentication is bound to the legitimate domain.
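Why that domain binding defeats a quishing clone, shown as an added example rather than code from the article: a relying party checks the origin the browser reported in clientDataJSON and the RP ID hash the authenticator placed in authenticatorData against its own domain, so an assertion produced on a lookalike site is rejected. The relying-party configuration, challenge and assertion data are constructed stand-ins, and the signature check a real verifier also performs is omitted.

```python
"""Simplified WebAuthn assertion checks that make passkeys phishing-resistant.
EXPECTED_ORIGINS, RP_ID and the assertion data are constructed for this
example; signature verification is deliberately left out."""
import base64
import hashlib
import json

EXPECTED_ORIGINS = {"https://login.example.com"}   # constructed RP configuration
RP_ID = "example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Stand-in for what browser + authenticator produce for the site the user
    is actually on: the browser fills in the origin, the authenticator hashes
    the RP ID. A real authenticatorData carries more fields and a signature."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party side: returns (accepted, reason)."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong-type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge-mismatch"          # replayed or stale response
    if client.get("origin") not in EXPECTED_ORIGINS:
        return False, f"origin-mismatch:{client.get('origin')}"   # lookalike site
    auth = b64url_decode(assertion["authenticatorData"])
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rp-id-hash-mismatch"          # credential scoped to another domain
    return True, "ok"
```

A cloned login page cannot claim `example.com` as its RP ID because browsers only allow an RP ID that is a registrable suffix of the page's own origin, so both checks fail for it.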

The Future of QR Code Phishing

Attackers are already experimenting with AI-generated phishing pages that look indistinguishable from the real thing, dynamic QR codes that change destinations based on the scanner's location, and deepfake voice prompts that follow up after a scan to extract MFA codes. Expect quishing to keep evolving as long as QR codes remain a frictionless way to bridge physical and digital experiences.

The countermeasure is not to abandon QR codes—they're genuinely useful—but to treat every scan with the same healthy skepticism you'd apply to an unexpected email link. A two-second pause to preview the URL is the single most effective habit you can build.

Frequently Asked Questions

Can simply scanning a QR code infect my phone?

Scanning alone almost never infects a phone. Risk arises from what happens next—visiting a malicious website, entering credentials, or installing an app. That said, in rare cases a malicious page can exploit an unpatched browser vulnerability, which is why keeping your OS updated matters.

Are iPhones safer than Android phones against quishing?

Both platforms display URL previews before opening links, and both are vulnerable to credential phishing, which is the most common quishing payload. iPhones make sideloading apps harder, which reduces some malware risk, but neither platform protects you from typing your password into a fake site.

How can I tell if a QR code on a parking meter is real?

Look for stickers placed over other stickers, peeling edges, or codes that look freshly added. Compare with neighboring meters. When possible, use the official parking app you downloaded from the app store rather than scanning a code on the meter itself.

Are QR codes in emails always dangerous?

Not always, but they should raise your suspicion immediately. Legitimate organizations rarely require you to scan a code from an email when they could simply provide a clickable link. If you receive one, verify with the sender through a separate channel before scanning.

What's the safest way for my business to generate QR codes?

Use a managed link platform that gives you control over the destination, lets you update it after printing, provides analytics, and includes security monitoring. Avoid one-off free generators where the destination is permanent and untrackable. Compare options in our 2026 URL shortener buyer's guide.

Final Thoughts

QR code phishing scams thrive on a single human reflex: scan first, think later. By slowing that reflex down—previewing the URL, questioning the context, and using trusted tools—you remove almost all of the attacker's advantage. Share this guide with anyone who relies on QR codes for work, payments, or daily convenience. The more people who pause before they scan, the less profitable quishing becomes for the criminals running it.
