QR Code Phishing Scams: How to Stay Safe in 2026
QR codes have become a part of daily life. We scan them on restaurant menus, parking meters, event tickets, product packaging, and even TV ads. But that same convenience has created a fast-growing attack vector: QR code phishing scams, also known as quishing. In this guide, we'll explain exactly how QR code phishing works, show you real examples reported in 2024 and 2025, and walk you through the steps to stay safe — whether you're an everyday user or protecting an entire organization.
What Are QR Code Phishing Scams?
QR code phishing scams (quishing) are attacks where criminals use malicious QR codes to redirect victims to fake websites, trigger malware downloads, or trick them into entering sensitive information like passwords, credit card numbers, or banking credentials. Because the destination URL is hidden inside a square pattern of dots, victims can't easily tell whether a code is safe before scanning it.
Unlike traditional phishing emails, which security tools have become good at filtering, QR codes often slip past email gateways, antivirus software, and even corporate firewalls. They're treated as images, not links — and that's exactly what makes them dangerous.
Why Quishing Is Growing So Fast
Several factors have made QR code phishing one of the fastest-growing cyber threats:
- Mass adoption — Restaurants, banks, parking apps, and shipping companies all use QR codes legitimately, training users to scan without thinking.
- Mobile-first attacks — Scanning happens on phones, which typically have weaker security than corporate laptops.
- Bypass of email filters — A QR code embedded in a PDF or image isn't parsed as a URL by most spam filters.
- Trust in physical context — Seeing a QR code on a parking meter or restaurant table feels inherently trustworthy.
How QR Code Phishing Attacks Actually Work
Most quishing attacks follow a predictable five-step pattern:
1. The attacker creates a malicious landing page that mimics a legitimate brand — a bank login, Microsoft 365 sign-in, parcel tracking site, or payment portal.
2. They generate a QR code pointing to that page, often using a URL shortener to disguise the destination.
3. They distribute the code — via email, printed stickers placed over legitimate QR codes, fake parking tickets, posters, or even sponsored social media posts.
4. The victim scans the code with their phone camera, which automatically opens a browser.
5. The victim enters credentials or payment info, which are sent straight to the attacker. In some cases, malware is silently installed instead.
Common Quishing Scenarios in 2025–2026
Here are the most reported QR phishing tactics security teams are tracking right now:
- Fake parking meter stickers — Criminals print QR codes that look like the city's parking app and place them over real signs. Victims "pay for parking" but actually hand over card details.
- Quishing emails — Emails claiming to be from HR, IT, or DocuSign include a QR code instead of a clickable link, telling recipients to "scan to review your document" or "verify your MFA."
- Fake delivery notices — A postcard or door tag from "DHL" or "USPS" asks the recipient to scan a code to reschedule delivery.
- Restaurant menu swaps — Stickers placed over real menu QR codes redirect diners to credit card harvesting pages.
- Crypto wallet drainers — QR codes promoted on social media promise airdrops but connect wallets to malicious smart contracts.
Real-World QR Phishing Incidents
QR code phishing isn't theoretical. Some notable incidents from the past two years include:
- U.S. parking meter scams (2023–2025) — Cities including Austin, San Francisco, Atlanta, and Houston reported organized campaigns where fake QR stickers led drivers to fraudulent payment sites. Some lost hundreds of dollars before fraud alerts triggered.
- Microsoft 365 quishing wave — Cybersecurity researchers documented a surge of corporate emails with QR codes claiming to require "MFA reset" or "password expiration verification," successfully harvesting credentials from finance and executive teams.
- UK "smishing-by-QR" — Royal Mail and HMRC impersonation campaigns shifted from SMS links to physical postcards with QR codes, partly because users had been trained to distrust text-message links.
The common thread: attackers exploit trust in a physical or familiar context, plus the inability of the human eye to verify a QR code's destination.
Warning Signs of a Malicious QR Code
You can't read a QR code with your eyes, but you can spot warning signs around it. Watch for these red flags before scanning:
| Red Flag | What to Look For | Risk Level |
|---|---|---|
| Sticker over original code | A QR code printed on a sticker that's been placed on top of an existing sign or menu | High |
| Unsolicited email or letter | QR code in a message you didn't expect, especially urging urgency | High |
| No brand context | Code in a public place with no clear company name, logo, or instructions | Medium |
| Shortened or unfamiliar domain | Preview shows a URL with random characters or an unrelated brand | High |
| Requests login or payment immediately | Landing page asks for credentials right after scanning | Very High |
| Misspelled URL or typosquatting | e.g., "micros0ft-login.com" or "paypa1-secure.net" | Very High |
How to Stay Safe From QR Code Phishing
Protecting yourself from quishing comes down to a handful of simple habits. Follow these steps every time you encounter a QR code:
1. Preview the URL Before Opening It
Modern iPhone and Android cameras display the destination URL when you point at a QR code. Don't tap immediately — read the link first. Look for the exact, correctly spelled domain you expect. If the URL is shortened, hidden, or unfamiliar, don't open it.
2. Never Scan QR Codes From Unsolicited Sources
If you didn't ask for it, treat it like spam. Emails, letters, posters, and stickers all need to pass the same trust test as a phone call from an unknown number. Banks, government agencies, and reputable companies rarely require you to scan a QR code to verify your identity.
3. Type URLs Manually for Sensitive Actions
If a QR code claims to take you to your bank, government tax portal, parking app, or work login, close it and type the address into your browser yourself. The two extra seconds are worth it.
4. Use a Trusted URL Shortener With Link Previews
Not all shortened links are bad — but the platform matters. Reputable services like Lunyb let creators generate clean, trackable short URLs while giving recipients confidence the link will resolve safely. If you manage QR campaigns for a business, using a known, transparent shortener also helps your customers trust your codes. For a deeper look, see our honest review of Lunyb and the 2026 buyer's guide to URL shorteners.
5. Check for Sticker Tampering in Public Places
Before scanning a QR code on a parking meter, menu, or poster, run a finger over it. A peeling edge, mismatched paper, or a code stuck over another sign is a major warning sign. Many cities now recommend paying parking fees directly through the official app instead of scanning posted codes.
6. Keep Your Phone Updated
Quishing attacks sometimes deliver malware through browser exploits. Running the latest version of iOS, Android, and your browser closes known vulnerabilities. Enable automatic updates if you haven't.
7. Enable Multi-Factor Authentication Everywhere
Even if attackers harvest your password through a quishing site, MFA — especially app-based or hardware-key MFA — stops them from logging in. Avoid SMS-only MFA where possible.
8. Report Suspicious Codes
If you spot a fake QR code in public, report it to the property owner (restaurant, city, parking authority) and your national cybercrime reporting body (e.g., the FTC in the U.S., Action Fraud in the UK, ACSC in Australia).
Protecting Your Business From QR Code Phishing
Organizations face a double-sided problem: employees can fall victim to quishing, and customers can be tricked by attackers impersonating the brand. Here's how to protect both sides:
For Employees
- Update security awareness training to include QR code attacks, not just email phishing.
- Deploy mobile threat defense (MTD) on company devices to detect malicious URLs after a scan.
- Use email security tools that can extract and analyze URLs inside QR code images attached to emails.
- Establish a clear policy: no internal process (MFA reset, HR document, IT verification) will ever require scanning a QR code from an email.
For Customer-Facing QR Codes
- Use your own branded domain for short URLs so customers can verify authenticity.
- Print QR codes directly on materials rather than on stickers that can be easily replaced.
- Add visible URL text below every QR code so users have a fallback.
- Monitor for impersonation by tracking domains and lookalike URLs.
Branded short links through services like Rebrandly or Lunyb make it easier for customers to recognize legitimate destinations. We compare options in our Rebrandly review.
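The URL checks that a QR-decoding mail filter or a lookalike-domain monitor applies can be sketched as follows; this is an added example, not code from this article or from any vendor it names. It starts from a URL already decoded from the QR image, and the brand, official-domain and shortener lists are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lists for illustration only (not from the article); tune per organization.
BRANDS = {"microsoft", "paypal", "docusign"}
OFFICIAL = {"microsoft.com", "paypal.com", "docusign.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digit-for-letter swaps common in typosquats: 0->o, 1->l, 3->e, 5->s.
LEET = str.maketrans("0135", "oles")


def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def triage(url):
    """Return a sorted list of red-flag names for a URL decoded from a QR code."""
    flags = set()
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.add("not-https")
    if parts.username or parts.password:
        flags.add("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.add("ip-literal-host")
        return sorted(flags)  # no domain checks apply to a raw address
    except ValueError:
        pass
    domain = registrable(host)
    if domain in SHORTENERS:
        flags.add("shortener")  # destination hidden until the redirect is resolved
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode-label")
    if domain not in OFFICIAL:
        # A brand name on a host the brand does not own, spelled exactly or with digit swaps.
        if any(b in host for b in BRANDS):
            flags.add("brand-on-foreign-domain")
        elif any(b in host.translate(LEET) for b in BRANDS):
            flags.add("brand-lookalike")
    return sorted(flags)


if __name__ == "__main__":
    # Constructed sample URLs; the lookalike host is one of the article's own examples.
    for u in ("https://paypa1-secure.net/login", "http://203.0.113.7/pay"):
        print(u, triage(u))
```

An empty list means none of these static checks fired, not that the destination is safe; a shortener hit in particular should be followed by resolving the redirect and running the final URL through the same function.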
What to Do If You've Already Scanned a Malicious QR Code
If you suspect you've been quished, act fast. Damage control in the first hour matters most.
- Don't enter anything else. Close the browser tab immediately.
- Disconnect from the internet if you suspect malware was downloaded — enable airplane mode.
- Change passwords for any account you may have entered credentials for, starting with your email and bank.
- Enable or strengthen MFA on all important accounts.
- Contact your bank if you entered card details. Freeze the card and request a new one.
- Run a mobile security scan using a reputable app from your device's official store.
- Report the incident to your national cybercrime authority and, for business accounts, to your IT or security team.
- Monitor your accounts closely for the next 30–60 days for unauthorized activity.
The Future of QR Code Security
QR phishing isn't going away. As long as the format remains useful, attackers will exploit it. But we're starting to see real defenses emerge:
- Smarter camera apps — Both Apple and Google are improving in-browser warnings for suspicious URLs revealed by QR scans.
- Signed QR codes — Some pilots are testing cryptographically signed QR codes that prove origin (similar to HTTPS certificates).
- Email security tools that decode QR images and scan the underlying URL before delivery.
- Public awareness — Cities are posting warnings on parking meters and ATMs.
Until these defenses are universal, your best protection remains skepticism and the simple habit of previewing every URL before tapping.
Frequently Asked Questions
Can scanning a QR code itself infect my phone?
Just scanning a QR code doesn't typically install malware on its own. The danger comes from what happens after — opening the URL, downloading a file, entering credentials, or granting permissions. Modern phones show a preview of the URL first, so always read it before tapping.
Are QR codes from restaurants safe to scan?
Most are, but check for tampering. Run your finger over the code. If it's a sticker placed over another code, or printed on cheap paper that doesn't match the menu, ask the staff for the official link instead. When in doubt, type the restaurant's name into your browser and find the menu manually.
How can I tell if a QR code goes to a phishing site?
Preview the URL before opening it. Watch for misspelled domains, random subdomains, IP addresses instead of names, or shortened links from unknown services. If the page after loading asks for login credentials, payment details, or app installation without clear context — close it immediately.
Are QR codes in emails always dangerous?
Not always, but they're high risk. Legitimate companies very rarely require you to scan a code from an email to log in, reset MFA, or verify your identity. Treat any QR code in an unsolicited email — especially urgent ones — as a likely phishing attempt and verify through official channels.
What's the safest way to use QR codes for my business?
Use a trusted URL shortener with branded domains so customers can recognize legitimate links. Print QR codes directly onto materials rather than using stickers, always display the underlying URL in readable text, and educate customers about your official channels. Platforms like Lunyb make it easy to manage and track branded short links securely.
Final Thoughts
QR code phishing scams have moved from niche curiosity to mainstream threat in just a few years. The good news: defending yourself doesn't require expensive tools or technical expertise. It requires a one-second pause to read the URL preview, a habit of skepticism toward unsolicited codes, and a willingness to type addresses manually for anything sensitive. Combine those habits with strong MFA and updated devices, and you'll dodge the vast majority of quishing attacks — at home, at work, and everywhere in between.