QR Code Phishing Scams: How to Stay Safe in 2026
QR codes are everywhere — on restaurant tables, parking meters, product packaging, business cards, and even billboards. They're fast, convenient, and almost universally trusted. Unfortunately, that trust is exactly what scammers are now exploiting. QR code phishing scams, often called quishing, have surged in recent years, with the FBI, FTC, and cybersecurity agencies worldwide issuing repeated warnings.
This guide breaks down how QR code phishing works, the most common attack patterns, real-world examples, and a clear set of practical steps you can take to protect yourself, your family, and your organization.
What Are QR Code Phishing Scams?
QR code phishing scams are attacks in which criminals use malicious QR codes to direct victims to fraudulent websites, trigger malware downloads, or trick them into handing over sensitive information like passwords, banking details, or one-time codes. Because the destination of a QR code isn't visible until after scanning, victims often can't tell a legitimate code from a malicious one.
The term "quishing" is a blend of "QR" and "phishing." Unlike traditional email phishing, quishing weaponizes a physical or visual element — a printed sticker, a poster, an email attachment, or even an image embedded in a PDF — making the attack harder for spam filters and untrained users to detect.
Why QR Code Phishing Is Growing Fast
- Mass adoption: Since 2020, QR codes have become a default interaction in restaurants, retail, healthcare, and transit.
- Trust by default: Most users scan without questioning the source.
- Filter evasion: QR codes inside images bypass many email security tools that scan for malicious links.
- Mobile targeting: Phones often have weaker security than desktops and smaller screens that hide red flags in URLs.
How QR Code Phishing Attacks Work
Most quishing attacks follow a predictable lifecycle. Understanding the stages helps you spot warning signs before damage is done.
- Bait creation: The attacker generates a QR code linking to a phishing page, malware download, or credential-harvesting form.
- Distribution: The code is placed where targets will see it — a fake parking sign, a stickered-over menu, a phishing email pretending to be from HR or IT.
- Scan and redirect: The victim scans with their phone and is taken to a website that mimics a trusted brand (Microsoft 365, a bank, a delivery service).
- Data capture or payload delivery: The site requests login credentials, payment information, or prompts an app install.
- Exploitation: Stolen credentials are used immediately for account takeover, fraud, or to pivot deeper into a company's network.
Common Types of QR Code Phishing Scams
- Parking meter scams: Fake QR stickers placed on city parking meters direct drivers to fraudulent payment portals.
- Restaurant menu tampering: Scammers slap a malicious sticker over a legitimate menu QR code.
- Corporate "MFA reset" emails: Employees receive a message asking them to scan a QR code to re-verify their Microsoft or Google account.
- Package delivery scams: Texts or fake delivery slips include a QR code to "reschedule delivery" or pay a small customs fee.
- Crypto wallet drains: A QR code claims to provide an airdrop or wallet connection but triggers a malicious transaction.
- Charity and donation fraud: Fake posters in public places use QR codes to siphon donations to scammer-controlled accounts.
Real-World Examples of QR Code Phishing
These aren't hypothetical threats. Authorities and security researchers have documented thousands of cases worldwide.
- In 2022, the city of Austin, Texas reported fraudulent QR code stickers on public parking meters that redirected drivers to fake payment sites.
- Multiple European cities have warned of similar parking scams, with losses reported across Belgium, the Netherlands, and the UK.
- A 2023 Microsoft Threat Intelligence report documented a major quishing campaign targeting corporate Microsoft 365 credentials, often delivered as PNG or PDF email attachments that bypassed link-scanning filters.
- The FBI's Internet Crime Complaint Center (IC3) has issued multiple public alerts about QR codes being used to steal financial credentials.
Why QR Codes Are So Effective for Attackers
QR codes give attackers several advantages that older phishing techniques don't.
| Attacker Advantage | Why It Works |
|---|---|
| Hidden destination | Users can't read a QR code visually — the URL is only revealed after scanning. |
| Bypasses email filters | QR codes in images aren't scanned the way text links are. |
| Mobile-first attacks | Phones often hide full URLs and lack enterprise security tools. |
| Physical placement | Stickers can be added to legitimate signage with minimal effort. |
| Trust assumption | Most users associate QR codes with reputable brands and businesses. |
How to Spot a Malicious QR Code
While you can't read a QR code with your eyes, you can spot many red flags before and after scanning.
Before Scanning
- Look for stickers placed over an existing code — a clear sign of tampering.
- Be suspicious of QR codes in unsolicited emails, especially those claiming urgency ("verify in 24 hours").
- Avoid scanning codes on flyers, posters, or signage in public places unless the source is verifiable.
- Check whether the code is printed directly on official material or appears to be added later.
After Scanning (Before Tapping)
Most modern phones show a preview of the URL before opening it. Always read it carefully.
- Does the domain match the brand you expect? microsoft-login-verify.com is not Microsoft.
- Are there random characters, hyphens, or misspellings?
- Is the connection HTTPS? (Note: HTTPS alone doesn't mean safe.)
- Does the page immediately ask for credentials or payment? That's a major red flag.
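The checks in the list above can also be applied in code to a URL decoded from a QR code. This is an added example, not part of the original article; the `BRANDS` allowlist, the flag names and the thresholds are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brands the user expects, mapped to domains each brand really uses.
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "paypal": {"paypal.com"},
}

def _within(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(url):
    """Return a sorted list of red flags for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    flags = set()
    if parts.scheme != "https":
        flags.add("not-https")  # HTTPS alone does not make a site safe
    if any(_within(host, d) for doms in BRANDS.values() for d in doms):
        return sorted(flags)  # host really belongs to an expected brand
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for brand in BRANDS:
        if brand in host:
            flags.add("brand-in-untrusted-domain")
        elif any(_edit_distance(t, brand) == 1 for t in tokens):
            flags.add("brand-misspelling")
    # Thresholds below are illustrative assumptions, not a standard.
    if host.replace("xn--", "").count("-") >= 2:
        flags.add("many-hyphens")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode-label")
    if sum(c.isdigit() for c in host) >= 4:
        flags.add("digit-heavy-host")
    return sorted(flags)
```

An empty list means only that none of these heuristics fired; the rule about not entering credentials after a scan still applies.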
How to Protect Yourself From QR Code Phishing Scams
Defense against quishing combines smart habits, the right tools, and good account hygiene.
1. Always Preview the URL
Use your phone's built-in camera, which previews the link before opening it. Never tap automatically.
2. Use a Trusted URL Inspection Tool
If a link looks even slightly suspicious, paste it into a URL safety checker before visiting. Reputable link platforms — like Lunyb — also let you create and share shortened links with built-in click analytics and safer redirect handling, which can help businesses replace risky raw QR destinations with monitored ones. For deeper background on Lunyb's safety and trust signals, see our honest Lunyb review.
3. Never Enter Credentials After Scanning a QR Code
This is the single most important rule. If a QR code leads to a login page, close it and navigate to the service directly through your browser or its official app.
4. Enable Multi-Factor Authentication (MFA)
Even if a phishing site steals your password, hardware keys, authenticator apps, or passkeys can stop account takeover. Avoid SMS-based MFA where possible.
5. Keep Your Phone and Apps Updated
Many quishing attacks rely on outdated browsers and OS-level vulnerabilities. Automatic updates close those doors.
6. Use Mobile Security Tools
Modern mobile security apps and built-in browser protections (Safe Browsing in Chrome, SmartScreen in Edge) can warn you before loading a known phishing site.
7. Don't Scan Codes in Unsolicited Messages
If you didn't ask for the email or text, treat any QR code inside it as hostile until proven otherwise.
8. Verify Physical Codes With the Business
If you're at a restaurant or parking meter, ask staff or check whether the code is printed directly on the surface rather than stuck on as a sticker.
How Businesses Can Defend Against Quishing
Quishing isn't just a personal threat — it's one of the top vectors for corporate credential theft today.
Security Awareness Training
Employees need to know that QR codes in emails are a phishing red flag, especially when paired with HR, IT, or finance themes ("reset your MFA," "review your payroll," "approve this invoice").
Email Security Upgrades
Choose an email security provider that performs OCR on image attachments and analyzes embedded QR codes for malicious destinations. Many legacy filters still miss these.
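A pre-filter of the kind described above selects which messages should have their attachments decoded for QR codes, using the lure themes from the training section. This is an added example, not code from the article or any vendor; the function names, reason labels, two-signal threshold and sample messages are constructed assumptions, and the QR decoder itself is assumed to exist downstream.

```python
import re
from email.message import EmailMessage

# Lure themes quoted in the training section above; extend per organisation.
THEMES = re.compile(r"reset your mfa|review your payroll|approve this invoice", re.I)
SCAN_CUE = re.compile(r"\bqr\b|\bscan\b", re.I)
LINK = re.compile(r"https?://|www\.", re.I)
# Attachment types the article names as QR carriers (PNG, PDF), plus JPEG (assumption).
CARRIERS = {"image/png", "image/jpeg", "application/pdf"}

def triage_email(msg):
    """Decide whether a message should be held for QR decoding of its attachments."""
    text, carriers = [str(msg.get("Subject", ""))], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in CARRIERS:
            carriers.append(part.get_filename() or ctype)
        elif ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = "\n".join(text)
    reasons = []
    # A link-scanning filter has nothing to inspect when the only "link" is an image.
    if carriers and not LINK.search(body):
        reasons.append("image-or-pdf-without-text-link")
    if carriers and SCAN_CUE.search(body):
        reasons.append("asks-recipient-to-scan")
    if THEMES.search(body):
        reasons.append("hr-it-finance-lure")
    # Assumption: two independent signals are enough to hold the message.
    return {"carriers": carriers, "reasons": reasons, "hold": len(reasons) >= 2}

def constructed_samples():
    """Two constructed messages: a quishing-style lure and an ordinary newsletter."""
    lure = EmailMessage()
    lure["Subject"] = "IT notice: reset your MFA"
    lure.set_content("Scan the QR code in the attached image within 24 hours.")
    lure.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                        subtype="png", filename="mfa-reset.png")
    news = EmailMessage()
    news["Subject"] = "March newsletter"
    news.set_content("Read it online: https://news.example/march")
    news.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                        subtype="png", filename="banner.png")
    return lure, news
```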
Use Branded, Monitored Short Links
When your business publishes QR codes, route them through monitored branded short links rather than raw destination URLs. Branded link platforms — covered in our 2026 buyer's guide to URL shorteners and Rebrandly review — let you change destinations if a campaign is compromised, audit click activity, and detect anomalies fast.
Enforce Phishing-Resistant Authentication
Move from passwords and SMS MFA to passkeys and FIDO2 hardware keys. These are bound to the genuine site's domain and cannot be phished, even if a user submits credentials on a fake site.
Monitor Brand Abuse
Set up alerts for lookalike domains and impersonating QR campaigns. The faster you detect them, the less damage they cause.
What to Do If You've Already Scanned a Malicious QR Code
Don't panic — but act quickly. The longer you wait, the more damage attackers can do.
- Close the page immediately and don't enter anything.
- If you entered a password, change it on the legitimate site right away and on any other account where you reused it.
- Enable or re-check MFA on the affected account.
- Contact your bank if you entered payment details, and request card replacement.
- Run a mobile security scan to check for any installed malware or configuration profiles.
- Report the scam to local authorities (FTC in the US, Action Fraud in the UK, Scamwatch in Australia) and to the impersonated brand.
- For business accounts, alert IT immediately so they can revoke sessions and investigate.
The Future of QR Code Phishing
As QR codes continue to embed themselves in payments, logistics, and identity verification, attackers will only get more creative. Expect to see:
- AI-generated phishing pages that perfectly mimic the brand behind any scanned code.
- Dynamic QR codes that change destinations based on geography or device to evade detection.
- Quishing attacks delivered through deepfake voicemails and text messages urging victims to scan.
- Increased targeting of crypto wallets, where a single scan can drain funds in seconds.
The best long-term defense is a healthy default of skepticism: treat every QR code as untrusted until you can verify both the source and the destination.
Frequently Asked Questions
Can a QR code install malware on my phone just by scanning it?
In most cases, simply scanning a QR code does not install malware. The risk comes from what you do after — visiting a malicious site, downloading a fake app, or entering credentials. However, some attacks chain QR scans with browser vulnerabilities, which is why keeping your phone updated is critical.
How can I tell if a QR code on a parking meter or menu is fake?
Look closely at the surface. Stickers placed over the original signage, bubbled edges, mismatched colors, or codes that look freshly applied are red flags. When possible, pay through the official app of the parking provider or restaurant rather than scanning an unverified code.
Are QR codes in emails always dangerous?
Not always, but they should be treated with high suspicion. Legitimate companies rarely require you to scan a QR code from your inbox to log in or verify an account. If you receive one, go directly to the official site or app instead of scanning.
Does using a QR code scanner app make me safer?
Some third-party scanner apps preview URLs and check them against threat databases, which adds a layer of protection. However, modern iPhone and Android cameras already preview URLs natively, and many third-party scanners come bundled with adware. Stick to your built-in camera and a reputable security app.
What's the safest way for my business to publish QR codes?
Use branded, monitored short links so you can update destinations, track clicks, and detect abuse. Print codes directly on durable surfaces rather than removable stickers, and educate customers about how your official codes will look. Platforms like Lunyb make it easy to manage and audit the URLs behind your QR campaigns.